Overview

overview

10

Static

static

3

4eb1bd0f8b...a1.exe

windows7-x64

10

4eb1bd0f8b...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2024, 21:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4eb1bd0f8bf8e8577ba98ae9adcdb4adaf37cbc7af1b4c970f6c82bb16c980a1.exe

  • Size

    91KB

  • MD5

    da8f0e03aed232bed71c53dfa106a839

  • SHA1

    a46e7c7a283421202fd8d4e73ec1b3d1211873ef

  • SHA256

    4eb1bd0f8bf8e8577ba98ae9adcdb4adaf37cbc7af1b4c970f6c82bb16c980a1

  • SHA512

    00157b7a045950644acda62ec2f9f6d3974fc778dc4adc431144f279d6d266c69519ceae609aeab255ea62fe0e6e81cc03e01a375e13991c38626cb35f3d9f54

  • SSDEEP

    1536:FAwEmBGz1lNNqDaG0PoxhlzmercgAwEmBGz1lNNqDaG0Poxhlzm/:FGmUXNQDaG0A8erzGmUXNQDaG0A8/

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4eb1bd0f8bf8e8577ba98ae9adcdb4adaf37cbc7af1b4c970f6c82bb16c980a1.exe
    "C:\Users\Admin\AppData\Local\Temp\4eb1bd0f8bf8e8577ba98ae9adcdb4adaf37cbc7af1b4c970f6c82bb16c980a1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2236
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2516
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2744
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1400
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1264
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2284
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2388
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1900

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Event Triggered Execution

        1
        T1546

        Change Default File Association

        1
        T1546.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Event Triggered Execution

        1
        T1546

        Change Default File Association

        1
        T1546.001

        Defense Evasion

        Hide Artifacts

        2
        T1564

        Hidden Files and Directories

        2
        T1564.001

        Modify Registry

        6
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Inhibit System Recovery

        1
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
          Filesize

          91KB

          MD5

          abe336368c1c860a86b8d5af8cbbf0e5

          SHA1

          e01781bf5860ed34880ac17791e8c8c533e2776a

          SHA256

          b9ac92cc4fd2110ea6e081599f1919bc8846457b8936c69cd4889a1c6babd3da

          SHA512

          4669c6cedb52f0b491be56ea35bab2813df37856fa91330d60f59899d33883dde27a545123dc6e2b6d60dda158801211c5fe07a86edd2394e12cbeaae964b38e

          Download Submit

        • C:\Users\Admin\AppData\Local\winlogon.exe
          Filesize

          91KB

          MD5

          da8f0e03aed232bed71c53dfa106a839

          SHA1

          a46e7c7a283421202fd8d4e73ec1b3d1211873ef

          SHA256

          4eb1bd0f8bf8e8577ba98ae9adcdb4adaf37cbc7af1b4c970f6c82bb16c980a1

          SHA512

          00157b7a045950644acda62ec2f9f6d3974fc778dc4adc431144f279d6d266c69519ceae609aeab255ea62fe0e6e81cc03e01a375e13991c38626cb35f3d9f54

          Download Submit

        • C:\Windows\xk.exe
          Filesize

          91KB

          MD5

          7398c5ac5c3bc2646cc5ce706930490a

          SHA1

          a760a5594bca87e8e9d0d313f4756b77a5c1c9bf

          SHA256

          c0fb07ed5b7cbce48b16bf578d202119123aceb853696a5925f0438f08996df7

          SHA512

          dac4d1dd2b4483ed8e4f9c16e4a074715676407313252174385680e554c48d1838525d9d6edc77e761ae4b7983f6c42f3adadcd5437ace6ca527bb70cd9f4989

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
          Filesize

          91KB

          MD5

          3ab20e763021517375600a20d6a4dd92

          SHA1

          ca859aee0ea4be426b4ef14a711faaa22bc79a26

          SHA256

          9171ec93af8571ddaa7e2d78a3892bdc2a8ab38dbc6ea2d06526038bb2782dfe

          SHA512

          aa904216b201cbb836a2b8952785104700a1dae67738cdc685024aa23c13ffc36df10213a97074f47ee34e2710c58bc94d3a01f6e26e5c67ede662314c8bee79

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
          Filesize

          91KB

          MD5

          38ebb3d332bbb251f34b04887417f3dd

          SHA1

          c072d7b122928e495a308fe3b4fdd63fc1696ad6

          SHA256

          8ebe9202a6bbfc2cf0ed581323391d3a160dd895d0300c289a5d5e50d24f21b6

          SHA512

          28a1a15c37e79c1291790e5b001da9ec02fef8d815e295d695ecc05115b8147b74914f01df716126e6c9b4cc6b506e0de7bb390b7a1c73fa8b70b5728cbdf27e

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
          Filesize

          91KB

          MD5

          223076c7f809b63fe5c9ce17339f4324

          SHA1

          2d68ad021cfb99df65983c495df36a03e12aed8a

          SHA256

          9479d2bda5a3738f6dc9518afe57e8506df2c45e247cbacf8a635efdc175197b

          SHA512

          cd7a07a0de325ee1af4eebff784bca3b88145c53da606c525fdb69564678e813e8d3ab1a8659d301e97a1778a80fbee03a6e212b4725324fe1d185899cc9d5c6

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
          Filesize

          91KB

          MD5

          bc81a7312bb5ece3a562765b637452ca

          SHA1

          9f312ef261179e4ce947ef266cf9343723dd06ad

          SHA256

          10b6a505819395d3473f809f5d663717b3f3eee814b0e40aab29b17e421d9c91

          SHA512

          fa96d1131025d8b1b80df25177fcdd150c35c364a691efaee68760b8fade03cf786786e89fb3a16cdfec76121fcb1e07937082304161fb3c76324d5e946b6891

          Download Submit

        • \Windows\SysWOW64\IExplorer.exe
          Filesize

          91KB

          MD5

          1b14449f93a1e4e19f2b39299072f9c6

          SHA1

          cecc462f66d2da4bf6bce0d0856448f7344ec795

          SHA256

          deca720abe76758de3a79fb7ee6d9375723b2b6c2df150060f8d9469cf667144

          SHA512

          3ad33159a18d96062334cbdb7c36ad65988a477c0fc718f51845a404a4b63976ce216900614f8352ceb9f11e2d355ada25d97ad58adc6cb88c643208fe6be551

          Download Submit

        • memory/1264-155-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1400-142-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1400-138-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1900-190-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2236-185-0x0000000000510000-0x000000000053E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2236-124-0x0000000000510000-0x000000000053E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2236-137-0x0000000000510000-0x000000000053E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2236-191-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2236-173-0x0000000000510000-0x000000000053E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2236-151-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2236-150-0x0000000000510000-0x000000000053E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2236-110-0x0000000000510000-0x000000000053E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2236-111-0x0000000000510000-0x000000000053E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2236-0-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2284-165-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2388-177-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2516-123-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2516-112-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2744-125-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2744-129-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download