Overview

overview

10

Static

static

3

95f074c003...fN.exe

windows7-x64

10

95f074c003...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/09/2024, 10:36 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95f074c0032b153e2cfff58cf8d4f5e4d1894df272692fb3cd65527cc84033ffN.exe

  • Size

    91KB

  • MD5

    26c2701dd9f51b47452eef3c5c9b3b60

  • SHA1

    a925fa09e6f938f7ddd90227253b4765cc6d4dd6

  • SHA256

    95f074c0032b153e2cfff58cf8d4f5e4d1894df272692fb3cd65527cc84033ff

  • SHA512

    6c7364f682cf762a8e792447d93586d98df9d4200cb2e5c46b66f0f55ec57f419a33f9454e643fd5902d8d4be862ff97009d401388a6a5f25d74fbfd9fab89a6

  • SSDEEP

    1536:8AwEmBj3EXHn4x+9aa3AwEmBj3EXHn4x+9aR:8GmF3onW+Ma3GmF3onW+MR

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\95f074c0032b153e2cfff58cf8d4f5e4d1894df272692fb3cd65527cc84033ffN.exe
    "C:\Users\Admin\AppData\Local\Temp\95f074c0032b153e2cfff58cf8d4f5e4d1894df272692fb3cd65527cc84033ffN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2388
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:484
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1892
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2408
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1296
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1164
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:288
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    26c2701dd9f51b47452eef3c5c9b3b60

    SHA1

    a925fa09e6f938f7ddd90227253b4765cc6d4dd6

    SHA256

    95f074c0032b153e2cfff58cf8d4f5e4d1894df272692fb3cd65527cc84033ff

    SHA512

    6c7364f682cf762a8e792447d93586d98df9d4200cb2e5c46b66f0f55ec57f419a33f9454e643fd5902d8d4be862ff97009d401388a6a5f25d74fbfd9fab89a6

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    c08b24ce9ca4ba050c264d475abd32ec

    SHA1

    5f28dd9d1a3d2921a88ddf8fefd30b9f0bfb80da

    SHA256

    6ea85edbe540c5ec4328eebe7743cf0dafc35e45d40abd9e053a6369d9ec0c77

    SHA512

    6a708b56cbe6481f243e09bfb6e9b273c4295dcbff9fff8f757110e1f3ac6d0e1a811310a73d8469846683a04e941590fd11c7f18a4b6087f5f23e29f71da9b7

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    3799ad1a58abd9ad7234509fba67d4a5

    SHA1

    c426abf1c5ed7c2677e7f71c08be68d7df3a1fa4

    SHA256

    9a49526df7918df5a8d59f528ecc0dcd915a94822d792648be2dba649767c43b

    SHA512

    62532f988e4ac6802775f1974827c27adbc8025851fbb5e9eba3062da895ecbe56d48657d224760165740344089a9aba7f3a452712a062d9383b8f8d1839ca91

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    eeeb958e139039028ebd4681e1a67ccd

    SHA1

    cca41a5319e69b4a5e45c377fde14ef0d6165bee

    SHA256

    60970163ef7350d53a8387b0775488e5ae77eba88cb54e00d656ca09527508b4

    SHA512

    0c16fa236dea1769173724d6ec34de4cd72e72d5ccefcebbc82d3ca7266a982165101a559a1b53534d3cd4569d42afebd11fd87234ec6f3898f6b33e6edb74d9

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    05806f8f9ffd00e498c6074a5f2f93f4

    SHA1

    e2330b2047dac76e67094618ce2c4b2422ed6011

    SHA256

    ac6fdd137bd0cdb12f1ea7ec6ca147eee8a36245abcc30d3526ff4575da73614

    SHA512

    70eb8be603c922028bdd1696de1c96f590dffc17a1233939fce723b263040b9e8360cf39cec7e729b2af4183fe498f248bde6aa315a7561f875b86d91055551b

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    99e2b1bc42b7df84dc3f087c6a46c30d

    SHA1

    e0679c34015e224e035aa851d2a4698b124fd63e

    SHA256

    aa90c7d0b8fc23f600452a1c3376bfee9d2e3a60e16312ce3423cd0178386e29

    SHA512

    dc72dc86ccb35fdcff9b52b0b35f26ed063adb5b0ce187416800ba19e1912b4c456e5c03ad471884faef076cbc8399e8b265d1ac037a3398210f44b9395a3aa1

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    0bfd5147c13b63299f13d0261700076a

    SHA1

    74dd1f72fb2a2a6aeed64cc39d0f2ed976156859

    SHA256

    809a42885b3e7371e8c8b7d8153cb796731c4f6308822856696d9e6945fbd105

    SHA512

    8883bba21b400b35bbf450fdd70fed98e3b48f51fae048fc21d809703fbd01a8a7d2bb304680fa0bb6bd71afda6c6a7fa56896fccd24c638b27b127d0237eb29

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    f7a896337ab218cf78ef3ee71b59def7

    SHA1

    3c5fd73005d8506e5b17a7a864dc90abe4688c4b

    SHA256

    8c9925d957b1f735f4ea5cabf17d7d43f3dc45deae3852948a9f27a849dec8fe

    SHA512

    5bc4a692d0375f7dd1541d273b9d10ccd123afc85c40cdbdedafb8457214d3ab9788fc2d6ff600b8918864be818d4f4907a3d26fe512b83d5d1ab5a5650f2200

    Download Submit

  • memory/288-177-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/484-116-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/484-111-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1164-162-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1296-151-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1892-126-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2388-122-0x0000000002580000-0x00000000025AE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2388-142-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2388-158-0x0000000002580000-0x00000000025AE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2388-133-0x0000000002580000-0x00000000025AE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2388-171-0x0000000002580000-0x00000000025AE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2388-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2388-109-0x0000000002580000-0x00000000025AE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2388-188-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2408-135-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2408-139-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2800-186-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.