Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
27/09/2024, 22:45
General
-
Target
052092d021e63ed7945cba53b29b12f92d31bfbd1ee2392ec428f5ae0e19534bN.exe
-
Size
45KB
-
MD5
12f274988b3f7843b90d33e5d9515660
-
SHA1
375ca29aa789c32f254072a71bdee702bbfb339f
-
SHA256
052092d021e63ed7945cba53b29b12f92d31bfbd1ee2392ec428f5ae0e19534b
-
SHA512
4d564f89967c4aa26d65865cd9930a1043fe67cce4053496b5f795063f3db0999404026278ec8c96d3fdbf011cc3a68ebd8f3b24122511675289f93537d29f89
-
SSDEEP
768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEo:8AwEmBj3EXHn4x+9ao
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 7 IoCs
-
Modifies system executable filetype association 2 TTPs 13 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Drops file in System32 directory 6 IoCs
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 4 IoCs
-
Modifies registry class 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\052092d021e63ed7945cba53b29b12f92d31bfbd1ee2392ec428f5ae0e19534bN.exe"C:\Users\Admin\AppData\Local\Temp\052092d021e63ed7945cba53b29b12f92d31bfbd1ee2392ec428f5ae0e19534bN.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\xk.exeC:\Windows\xk.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD5f248ab3b86b3089bbbc419c8e61f42ff
SHA1d74a9c381b9988ab0efe3a74bca281b54182c7cf
SHA256bdc1b9a91bbc029b3a1c567ba5785a754147f24794739e0552dd8ad042a0c2de
SHA5122e503cd63071c347689ba3800a36171cb038ffeb0c5c1bfd15b300726de7d22738e8d39ac26853f5ef214c4af82211ed870a5f547566b91d5ef2cb2543de9fd4
-
Filesize
45KB
MD5a3a63fe0bc9597e778919f0e9de78645
SHA13edff121f2fd636960f223f52111017972b1b916
SHA25698f69e3d7aad8749fbdb76dad0633b45d65aa5150c0f1b26814b58f9c49ddc45
SHA5129aafd6bc3bd98b6a4fe28a390a0112f00115c29de70f96adefe1bfa925e3dc101c4025184879603374d5f008fe5fe16269cb4048ce5cb586d9d6502ab583734a
-
Filesize
45KB
MD597801961fe38b9c2af465fe6ecb4ed70
SHA100e73565c0f13bd084b64a56b2870cc82cbdbc28
SHA2564e4b4f6112ea8f964fc30313643e699311231b57fd7363a26475208da5e8ac7d
SHA512d903e936f024b9fa4c61cda5761213300b01bb154f978b70dcd2654db34bc2e31fce602841e0bdc5f2cef0af5ceb57c6eeac12a7e2c2e8118d24d5e61ec409ea
-
Filesize
45KB
MD59e6b998b0bf8bf9b463f51af58bf8b24
SHA1f24c9a929e064801074ccca1cc625d55746316ae
SHA2561b9652378d4cbd551daf994447ca9c03284360ec96dd3e506317b9ebb9d9c397
SHA5120bf8c745d40ee39ee4e88d2cbc23c24bc601ecf19ff62df891b52d5a998d7c67bfa4156466be75d219baf55af14ff4d558ca5d66a13098e2de682c62d86e147d
-
Filesize
45KB
MD5e972f6046fa8d7c5e99b3e268fcbef8d
SHA133644ee002fdc98d218724f137a4ff81c14d644d
SHA2566dcc9f53180b028360a8ab737c1139762a0ee607ca139d9eee5234247226993b
SHA512b9a0e8db22eb6e763d9258351652b1eca441473ac225ab5a931d015be4ebe8198a5ed8821b86f503381f8989951e144f2ae2227888ea8bf213c66382ca7e6810
-
Filesize
45KB
MD512f274988b3f7843b90d33e5d9515660
SHA1375ca29aa789c32f254072a71bdee702bbfb339f
SHA256052092d021e63ed7945cba53b29b12f92d31bfbd1ee2392ec428f5ae0e19534b
SHA5124d564f89967c4aa26d65865cd9930a1043fe67cce4053496b5f795063f3db0999404026278ec8c96d3fdbf011cc3a68ebd8f3b24122511675289f93537d29f89
-
Filesize
45KB
MD5f8c297340403099fc7be529ecf18da28
SHA1fcecc7703ad0ad02554625f4c85c5c94951b5858
SHA256f8477e07c352872f1f8af0e294347b8abe1723ca56768f8bd28d5ab9a263fccd
SHA512e152262d33b800cd0862d3a836b8c54befe0f8c60dbce13341f721b29aa2c1bf76fb0779eb947e0ac0202aef19ff0a002d3749325180a1888a226c9a22f4b1c5
-
Filesize
45KB
MD5df612342048e1098c66cb8865d47deb2
SHA16510d7d4c97cee380c69d0ba9f17e91183e217c8
SHA256e9253563ea00db5a6b3cbdbc6397ca0c77f4d4f731a343543f0b70afcf7f5a4d
SHA512e2836ae1cde2a7f3d47e703d42ac7003ceabdf46472e712ba333dc4680b55d67d3d3da8187ec7acb91b07c898e331c68c502e7f62a4ee9824b2885ce3dbead64
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB