Analysis

  • max time kernel
    102s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/09/2024, 10:36 UTC

General

  • Target

    95f074c0032b153e2cfff58cf8d4f5e4d1894df272692fb3cd65527cc84033ffN.exe

  • Size

    91KB

  • MD5

    26c2701dd9f51b47452eef3c5c9b3b60

  • SHA1

    a925fa09e6f938f7ddd90227253b4765cc6d4dd6

  • SHA256

    95f074c0032b153e2cfff58cf8d4f5e4d1894df272692fb3cd65527cc84033ff

  • SHA512

    6c7364f682cf762a8e792447d93586d98df9d4200cb2e5c46b66f0f55ec57f419a33f9454e643fd5902d8d4be862ff97009d401388a6a5f25d74fbfd9fab89a6

  • SSDEEP

    1536:8AwEmBj3EXHn4x+9aa3AwEmBj3EXHn4x+9aR:8GmF3onW+Ma3GmF3onW+MR

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95f074c0032b153e2cfff58cf8d4f5e4d1894df272692fb3cd65527cc84033ffN.exe
    "C:\Users\Admin\AppData\Local\Temp\95f074c0032b153e2cfff58cf8d4f5e4d1894df272692fb3cd65527cc84033ffN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2388
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:484
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1892
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2408
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1296
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1164
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:288
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    26c2701dd9f51b47452eef3c5c9b3b60

    SHA1

    a925fa09e6f938f7ddd90227253b4765cc6d4dd6

    SHA256

    95f074c0032b153e2cfff58cf8d4f5e4d1894df272692fb3cd65527cc84033ff

    SHA512

    6c7364f682cf762a8e792447d93586d98df9d4200cb2e5c46b66f0f55ec57f419a33f9454e643fd5902d8d4be862ff97009d401388a6a5f25d74fbfd9fab89a6

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    c08b24ce9ca4ba050c264d475abd32ec

    SHA1

    5f28dd9d1a3d2921a88ddf8fefd30b9f0bfb80da

    SHA256

    6ea85edbe540c5ec4328eebe7743cf0dafc35e45d40abd9e053a6369d9ec0c77

    SHA512

    6a708b56cbe6481f243e09bfb6e9b273c4295dcbff9fff8f757110e1f3ac6d0e1a811310a73d8469846683a04e941590fd11c7f18a4b6087f5f23e29f71da9b7

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    3799ad1a58abd9ad7234509fba67d4a5

    SHA1

    c426abf1c5ed7c2677e7f71c08be68d7df3a1fa4

    SHA256

    9a49526df7918df5a8d59f528ecc0dcd915a94822d792648be2dba649767c43b

    SHA512

    62532f988e4ac6802775f1974827c27adbc8025851fbb5e9eba3062da895ecbe56d48657d224760165740344089a9aba7f3a452712a062d9383b8f8d1839ca91

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    eeeb958e139039028ebd4681e1a67ccd

    SHA1

    cca41a5319e69b4a5e45c377fde14ef0d6165bee

    SHA256

    60970163ef7350d53a8387b0775488e5ae77eba88cb54e00d656ca09527508b4

    SHA512

    0c16fa236dea1769173724d6ec34de4cd72e72d5ccefcebbc82d3ca7266a982165101a559a1b53534d3cd4569d42afebd11fd87234ec6f3898f6b33e6edb74d9

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    05806f8f9ffd00e498c6074a5f2f93f4

    SHA1

    e2330b2047dac76e67094618ce2c4b2422ed6011

    SHA256

    ac6fdd137bd0cdb12f1ea7ec6ca147eee8a36245abcc30d3526ff4575da73614

    SHA512

    70eb8be603c922028bdd1696de1c96f590dffc17a1233939fce723b263040b9e8360cf39cec7e729b2af4183fe498f248bde6aa315a7561f875b86d91055551b

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    99e2b1bc42b7df84dc3f087c6a46c30d

    SHA1

    e0679c34015e224e035aa851d2a4698b124fd63e

    SHA256

    aa90c7d0b8fc23f600452a1c3376bfee9d2e3a60e16312ce3423cd0178386e29

    SHA512

    dc72dc86ccb35fdcff9b52b0b35f26ed063adb5b0ce187416800ba19e1912b4c456e5c03ad471884faef076cbc8399e8b265d1ac037a3398210f44b9395a3aa1

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    0bfd5147c13b63299f13d0261700076a

    SHA1

    74dd1f72fb2a2a6aeed64cc39d0f2ed976156859

    SHA256

    809a42885b3e7371e8c8b7d8153cb796731c4f6308822856696d9e6945fbd105

    SHA512

    8883bba21b400b35bbf450fdd70fed98e3b48f51fae048fc21d809703fbd01a8a7d2bb304680fa0bb6bd71afda6c6a7fa56896fccd24c638b27b127d0237eb29

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    f7a896337ab218cf78ef3ee71b59def7

    SHA1

    3c5fd73005d8506e5b17a7a864dc90abe4688c4b

    SHA256

    8c9925d957b1f735f4ea5cabf17d7d43f3dc45deae3852948a9f27a849dec8fe

    SHA512

    5bc4a692d0375f7dd1541d273b9d10ccd123afc85c40cdbdedafb8457214d3ab9788fc2d6ff600b8918864be818d4f4907a3d26fe512b83d5d1ab5a5650f2200

  • memory/288-177-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/484-116-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/484-111-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1164-162-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1296-151-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1892-126-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2388-122-0x0000000002580000-0x00000000025AE000-memory.dmp

    Filesize

    184KB

  • memory/2388-142-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2388-158-0x0000000002580000-0x00000000025AE000-memory.dmp

    Filesize

    184KB

  • memory/2388-133-0x0000000002580000-0x00000000025AE000-memory.dmp

    Filesize

    184KB

  • memory/2388-171-0x0000000002580000-0x00000000025AE000-memory.dmp

    Filesize

    184KB

  • memory/2388-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2388-109-0x0000000002580000-0x00000000025AE000-memory.dmp

    Filesize

    184KB

  • memory/2388-188-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2408-135-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2408-139-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2800-186-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB