Analysis
-
max time kernel
119s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
-
submitted
20/09/2024, 13:07
General
-
Target
757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
-
Size
347KB
-
MD5
889ce0232dcca264fc7357f0428bc2b0
-
SHA1
8417625f2d111b6f67be17624ec9d8d682383845
-
SHA256
757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278be
-
SHA512
31aac782312ebf21ef21f59966b0c23112df3982cc97ed652a68751c370316099489e8524ea9ab96b435b54fc9b143965c3e8321a24dd0a403154eea3326daf4
-
SSDEEP
6144:UY+32WWluqvHpVmXWEjFJRWci+WUd20rUU5EYCTvaBju4U:/nWwvHpVmXpjJIUd2cUusvalxU
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 42 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe"C:\Users\Admin\AppData\Local\Temp\757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\XFM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"C:\Windows\XFM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\XFM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"C:\Windows\XFM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\XFM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"C:\Windows\XFM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\XFM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"C:\Windows\XFM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\lsass.exe"C:\Windows\lsass.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
347KB
MD5a98b07395c13245f3d91dc2f8eae4ff3
SHA18bbc92da81a93f27179618c59f523610de64d522
SHA25602e72c8b59852011877128ccc5f1265101f36b5964b679a841e1fc5cd795a318
SHA5121b0bf099f54d4c3c2287b04ca21f0180e585824ac93be174a89b5261077414e3ef826d148d70df5fdb2809e602673f37c8036d5206f712c1e18034915102804c
-
Filesize
347KB
MD5d6c351a7e082728bf94ca26495e79095
SHA133c8944c4ddab4343db628648636a66b17ec126a
SHA2562734aa930e473628d2335a94615457a4f98bd223b1e5ea8bd63e5f92fdb12210
SHA512542c12f740860338f8ed9a91939f947780ab0ea4a3ffcd1ffe37ea2d5c2017557958e966f297f1363c3388b8e21c3a763894a6c06d9684a9c74b3e59f9a679a7
-
Filesize
347KB
MD533b8e81246275bf2e10a37d432532589
SHA1cb8cbb6477354caf2a1fe1bb83ed38e646b0d438
SHA2566d77dd2f6adcaaa71b9bd5b22210520e495ed20c607abf03cfd986034ec67255
SHA512a6c0a0845a9b945a785ff41cc9b44165c237c5ea6aa3b7ec216a275725a7765108ace45d65d8cf9ce60a887b88f4e50d74cb7ce6d55469fc54a1883ebc579e34
-
Filesize
347KB
MD5359bf3eb5c59cd00711bc57d572ef001
SHA11c0d708f261380f84057bdfd63dd29ce26a90069
SHA256b9fda9e98af047ce549fd6a5498ada74b45313fa98d5d0aa8431bdb13367510f
SHA5128b2493ded5c935bd53fbfc878c707316ef3c7bf94d3ad6cd3221ddfcc62b8413a4cb85614431acf2736aecb5a28ea4900f074132e67dbd11fff2102b492b1a08
-
Filesize
347KB
MD5aa5c92a9774d4200d40bb0bcfb470f6a
SHA16d58cf0b0e700970da8d5d39a989ee4f34a15b0c
SHA256f94b4f725e056a8293d384f414b7915997dc0e7ad196a9a9532bc315e1e1419b
SHA512a9495307e70c0fdc64df5e74605f464086a62569555f7382ff8d4414dc05d190c2485475765e26190a328016196933668ea339f16944d67c75c3d271228e4441
-
Filesize
347KB
MD5ac64cd56c5b6862ab569ecdd88835684
SHA14734d45d26b25782aa859771129bb8e58cd32eea
SHA25678a4bca7b262d2767c3ca2cf1816f663e9bef06b45c1426064ac721ca034ca1d
SHA512a911f220092f0fde04cf13c853f2ba96c47252ea3e76e111a1775c920a9b3c32c4922cf0dd28ae8a25e67417c141b7d542bebd3ed305da2ee85b0cab75b609eb
-
Filesize
127B
MD56ddb4c8353abf18bc212e17ceb465a84
SHA18fb64e3bfca4fc4f6fbaf6e91da5c455c21c30be
SHA256502d28c4bf9813d1601673069e1e33f5618757bfa014f91c85c4e02823f19110
SHA512710d98727328400380962701eb3bde8fe7b9f865bcfe981d069d7dac4e75704dfab6b78a1abffea6dce4c74539d360c61def6041d5e050087887cf12b7dde3e1
-
Filesize
141B
MD5aa01443085dd05cf9f2d6c0eb2d82298
SHA14db081e994527bcceacb5ed9add75dfb9f35d0ff
SHA2562617a92175fb1b203177f62ddf029ecf4dafd20c6bb97a29421396df2c92ce6c
SHA5127d64e864366f9dc4da4eecffab0801b5098b809813888e185dc24ac988678635a6ccd21f640e1f9d291a94b2b8c2a44eeeb846f766320dd1b867b318f0f38e3f
-
Filesize
347KB
MD5889ce0232dcca264fc7357f0428bc2b0
SHA18417625f2d111b6f67be17624ec9d8d682383845
SHA256757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278be
SHA51231aac782312ebf21ef21f59966b0c23112df3982cc97ed652a68751c370316099489e8524ea9ab96b435b54fc9b143965c3e8321a24dd0a403154eea3326daf4
-
Filesize
347KB
MD5ae5e98b2642fc921a584dd0d135c816c
SHA1e2654478733ee30b7f66c9e31fc7b181e686af44
SHA2567edb6d07aa1bbc4afcbcd700b1afffd5658b74ea952940e554be63fa8b404fb9
SHA5120917d079295399476e04b75eb5046832255c96d6aad04259b752e6e9bc4a651b32d458b04f6d1994f2605e9a45ff792f374d5f1de03607289f9d1e5afe77b580
-
Filesize
347KB
MD5d75824cc54488e1443827440c8078f0b
SHA11d80d51ef07c1ca1b1b5c412cfa72e18fa9730ca
SHA25685b3bd1639b2281db3e8f10fb4e8fcd695f6862d504fe4b9b76297d03d6822f6
SHA51273924bffdb2060a118db53609161b7891fa3c0d2d4a8a21c8b795258e47c1a7893bff9e759f7e92b8f8d56d72c8cbe612e566cdbd69b8fe0e540c58f61752563
-
Filesize
347KB
MD5012ed4cf535a6350e6437aff624b8c0d
SHA1e1f6c0c2ce5b6ca3fa3261f23b35cbe92945999f
SHA256a69972fe2e8fc16e94ce01238f7b43f84fadcd2bdf0c18ffeaffae8573f10008
SHA5123caae90ecec9eed99ba586b2a7a7b54cfcdbb740f4693e742b9ec7b1c08bf581cf8b02317afb9c436198030064304cbe0068bafc6257d7bfbac00c5478a33827
-
Filesize
347KB
MD515edca481136080fed6455654181f44a
SHA147cb5c0685c4d87856c7b161e5b7980e0608d9ba
SHA256986034f05d56ce6502d17860809cee0e24fc888bd76c55ec6b12001cfe769414
SHA51202960e4ce8521f617096643bc75f2fcd53f206f62edafaa16178d2b302bcbf02562b061850f398caa8b10190b206a60af612629ccfffb569082d33296f668697
-
Filesize
347KB
MD586ea8f7e0cf9c98a2d7e8511dd438139
SHA158f6529cea5521d2f4e6220e4bf67dfa4120a0a5
SHA25697e1c743608d2dab3058c0fa19937d1321a023fb1bcbd6e9a3c481907af4f6eb
SHA5122c05736dc568b06ef73644480a023e6af55fabefeb5ba1fad6a3245aa1a0b4fbc691f526776ae74243a4c7d66328966eacc9012cc261afa903c8d1e4169f8e4e
-
Filesize
347KB
MD594ab3d14ca64ec5ebc0c155cc78ca596
SHA1806866798b51453135cad3d5bf0051a33dd233c6
SHA25600723bdc20b4eada77cad09845c0d2917a1222c01747a7b5285e6e03dfefb8de
SHA5128868253ae1ae5eee2e3d28dc937cda13868b5a92215e8841fe8df7fdec2f8feff8886ee1c95f3d830b3b40e446b265ad19a113e2ac15bb2b0fec342b7a827444
-
Filesize
361KB
MD5e311ef4df4009a9926e9d774568ad810
SHA18b546b1b626a28a4b117359065e43d5217cb9cfe
SHA256dba59c4d0417da694c70255a4741b94c92bd6206b932870b4d1b8eefe7fbd9b8
SHA512597399a7c5cb4b34de5ce070ccd2c2684bb601dded6456eb0bbd7a0cd13d0d4cefbbdc3a9a445840f033a49ec2554c46764535e115897623476ab6be64a89452
-
Filesize
361KB
MD50465802f99a2971dbc61fbb19a8ac1fe
SHA1d282f13fa629c144620ec2bfee64347c5d9140ee
SHA256b26b7b79e0c1ddc76a0a245b670b5e9d635abeede20ccf6bc5d883301a888d60
SHA512b9b54f3e1168ba8e966f7747ea440d9d98d9fc66d250c70ebdb3461c372db89d07295f1ad086f9fe51f75f5bf74902da3b13bdfca4affbf4bcd3dd57fbc167c4
-
Filesize
347KB
MD59e9e6ee4404f503eb4f74e2720c59edc
SHA1c4f437b93d6b2e7ff66d28a3e12587a143fbca98
SHA2563ec763ee45ed5347ecb75c12dbc4327140319235f255bac72a151dac27c7b443
SHA51215f401c5e5df05c2610611cd3227739b20799dfff6cb1d9815e63df9198426faee7f2194be759f7b7030e2efc477cf0c6be4b92fb473b057853f7978d2159c67
-
Filesize
347KB
MD5c720cbca37f24381eb7ea4d7a65f7c34
SHA104127eff5f9328b55ddeeb124bb9825220c49c4d
SHA256202756f7a886f84c778167bf23b075c8976f4a45ace83fe28a29d372aea25fe7
SHA5127823a15047096e1d3c1614a86a93ad08ee9283661e984ec01cdc56de47fc9615995855d8da0fc9342f9b12caca1293ecc37101a6dc8395672d232c01e2df162b
-
Filesize
347KB
MD5da9cde5b30079f9f973497982e8e5daf
SHA13072dc2fec0d27beb8c979978be510118cff0fa2
SHA2567e40bb54ac0b01cf0855520aea2de19888d64145fcd5eb14b37097907e595698
SHA512ff5304a111b48377ca0d6cbfbf7b960d49c4579def44c8de8001c9b073a7da2eb69dbeb5250274e76afe6049253bca874234f401804a02e7fbb7da3110cfdd72
-
Filesize
65KB
MD5c55534452c57efa04f4109310f71ccca
SHA1b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61
SHA2564cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc
SHA512ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a
-
Filesize
8KB
MD50e528d000aad58b255c1cf8fd0bb1089
SHA12445d2cc0921aea9ae53b8920d048d6537940ec6
SHA256c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae
SHA51289ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116
-
Filesize
1.4MB
MD58d205ffd6d88ed41b19caa91a7aa994c
SHA15ee0cc6ef7ab500ffb99e42323fe5074b52cce91
SHA2567500ef088d9a7f141d896bdcc21fc38675dc4763a301d657107ca9622f74ca99
SHA5128462003ca9aead0737789bdd8a769608e6217e80c82264b439a1d649bc185880220959f9c4b2578cd0467fbca9409bfaeedaf1ab13e70e3a545eb11b239bb68f
-
Filesize
1.4MB
MD5f45f8d9fa3e4b3cec0d13e83ab9efaee
SHA105a098f8a554143aabcdb839afd82d5ca3923b55
SHA256e13fb59a98f3d4bc9f1826c79dd36e53b587b7353823dd952183f0f3502725da
SHA51271c2bf5214e36d1d38726a466b43e8e43319e47ca58483e18ee71d289baa4198f9d6a271e5a9cf66fdfbbdabd3dfc31768e750a262fd008f5bc3fc1eaca3caad
-
Filesize
347KB
MD58fcf97c1f25d5274b73167b10c106466
SHA1f936f0447b940421421a4beb1b47f95c30071494
SHA25689152bd96f840ff8c6b273a60bdfc8338476aba9c82b5e7de1e23575fd3abc71
SHA512ec34d8512b407d05e1398f16cf6b3328c8140fdf78fc6138b578a70d59b35adff4f6a35ce0bfdc2f3207a91ce4e3ad1724f860e3c05d78d0b968332cc61c4b4c
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
468KB
-
Filesize
468KB
-
Filesize
352KB
-
Filesize
352KB