Overview

overview

10

Static

static

3

95f074c003...fN.exe

windows7-x64

10

95f074c003...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/09/2024, 10:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    95f074c0032b153e2cfff58cf8d4f5e4d1894df272692fb3cd65527cc84033ffN.exe

  • Size

    91KB

  • MD5

    26c2701dd9f51b47452eef3c5c9b3b60

  • SHA1

    a925fa09e6f938f7ddd90227253b4765cc6d4dd6

  • SHA256

    95f074c0032b153e2cfff58cf8d4f5e4d1894df272692fb3cd65527cc84033ff

  • SHA512

    6c7364f682cf762a8e792447d93586d98df9d4200cb2e5c46b66f0f55ec57f419a33f9454e643fd5902d8d4be862ff97009d401388a6a5f25d74fbfd9fab89a6

  • SSDEEP

    1536:8AwEmBj3EXHn4x+9aa3AwEmBj3EXHn4x+9aR:8GmF3onW+Ma3GmF3onW+MR

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\95f074c0032b153e2cfff58cf8d4f5e4d1894df272692fb3cd65527cc84033ffN.exe
    "C:\Users\Admin\AppData\Local\Temp\95f074c0032b153e2cfff58cf8d4f5e4d1894df272692fb3cd65527cc84033ffN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2388
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:484
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1892
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2408
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1296
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1164
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:288
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2800

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Event Triggered Execution

        1
        T1546

        Change Default File Association

        1
        T1546.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Event Triggered Execution

        1
        T1546

        Change Default File Association

        1
        T1546.001

        Defense Evasion

        Hide Artifacts

        2
        T1564

        Hidden Files and Directories

        2
        T1564.001

        Modify Registry

        6
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Inhibit System Recovery

        1
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\winlogon.exe
          Filesize

          91KB

          MD5

          26c2701dd9f51b47452eef3c5c9b3b60

          SHA1

          a925fa09e6f938f7ddd90227253b4765cc6d4dd6

          SHA256

          95f074c0032b153e2cfff58cf8d4f5e4d1894df272692fb3cd65527cc84033ff

          SHA512

          6c7364f682cf762a8e792447d93586d98df9d4200cb2e5c46b66f0f55ec57f419a33f9454e643fd5902d8d4be862ff97009d401388a6a5f25d74fbfd9fab89a6

          Download Submit

        • C:\Windows\SysWOW64\IExplorer.exe
          Filesize

          91KB

          MD5

          c08b24ce9ca4ba050c264d475abd32ec

          SHA1

          5f28dd9d1a3d2921a88ddf8fefd30b9f0bfb80da

          SHA256

          6ea85edbe540c5ec4328eebe7743cf0dafc35e45d40abd9e053a6369d9ec0c77

          SHA512

          6a708b56cbe6481f243e09bfb6e9b273c4295dcbff9fff8f757110e1f3ac6d0e1a811310a73d8469846683a04e941590fd11c7f18a4b6087f5f23e29f71da9b7

          Download Submit

        • C:\Windows\xk.exe
          Filesize

          91KB

          MD5

          3799ad1a58abd9ad7234509fba67d4a5

          SHA1

          c426abf1c5ed7c2677e7f71c08be68d7df3a1fa4

          SHA256

          9a49526df7918df5a8d59f528ecc0dcd915a94822d792648be2dba649767c43b

          SHA512

          62532f988e4ac6802775f1974827c27adbc8025851fbb5e9eba3062da895ecbe56d48657d224760165740344089a9aba7f3a452712a062d9383b8f8d1839ca91

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
          Filesize

          91KB

          MD5

          eeeb958e139039028ebd4681e1a67ccd

          SHA1

          cca41a5319e69b4a5e45c377fde14ef0d6165bee

          SHA256

          60970163ef7350d53a8387b0775488e5ae77eba88cb54e00d656ca09527508b4

          SHA512

          0c16fa236dea1769173724d6ec34de4cd72e72d5ccefcebbc82d3ca7266a982165101a559a1b53534d3cd4569d42afebd11fd87234ec6f3898f6b33e6edb74d9

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
          Filesize

          91KB

          MD5

          05806f8f9ffd00e498c6074a5f2f93f4

          SHA1

          e2330b2047dac76e67094618ce2c4b2422ed6011

          SHA256

          ac6fdd137bd0cdb12f1ea7ec6ca147eee8a36245abcc30d3526ff4575da73614

          SHA512

          70eb8be603c922028bdd1696de1c96f590dffc17a1233939fce723b263040b9e8360cf39cec7e729b2af4183fe498f248bde6aa315a7561f875b86d91055551b

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
          Filesize

          91KB

          MD5

          99e2b1bc42b7df84dc3f087c6a46c30d

          SHA1

          e0679c34015e224e035aa851d2a4698b124fd63e

          SHA256

          aa90c7d0b8fc23f600452a1c3376bfee9d2e3a60e16312ce3423cd0178386e29

          SHA512

          dc72dc86ccb35fdcff9b52b0b35f26ed063adb5b0ce187416800ba19e1912b4c456e5c03ad471884faef076cbc8399e8b265d1ac037a3398210f44b9395a3aa1

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
          Filesize

          91KB

          MD5

          0bfd5147c13b63299f13d0261700076a

          SHA1

          74dd1f72fb2a2a6aeed64cc39d0f2ed976156859

          SHA256

          809a42885b3e7371e8c8b7d8153cb796731c4f6308822856696d9e6945fbd105

          SHA512

          8883bba21b400b35bbf450fdd70fed98e3b48f51fae048fc21d809703fbd01a8a7d2bb304680fa0bb6bd71afda6c6a7fa56896fccd24c638b27b127d0237eb29

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
          Filesize

          91KB

          MD5

          f7a896337ab218cf78ef3ee71b59def7

          SHA1

          3c5fd73005d8506e5b17a7a864dc90abe4688c4b

          SHA256

          8c9925d957b1f735f4ea5cabf17d7d43f3dc45deae3852948a9f27a849dec8fe

          SHA512

          5bc4a692d0375f7dd1541d273b9d10ccd123afc85c40cdbdedafb8457214d3ab9788fc2d6ff600b8918864be818d4f4907a3d26fe512b83d5d1ab5a5650f2200

          Download Submit

        • memory/288-177-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/484-116-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/484-111-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1164-162-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1296-151-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1892-126-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2388-122-0x0000000002580000-0x00000000025AE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2388-142-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2388-158-0x0000000002580000-0x00000000025AE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2388-133-0x0000000002580000-0x00000000025AE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2388-171-0x0000000002580000-0x00000000025AE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2388-0-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2388-109-0x0000000002580000-0x00000000025AE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2388-188-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2408-135-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2408-139-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2800-186-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download