Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-10-2024 05:29

General

  • Target

    afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe

  • Size

    91KB

  • MD5

    b0fa0a9b8123ddaebdfbccaa15c812f0

  • SHA1

    4ecd5296b548cc2c03893bb59651ef39c9d5cae4

  • SHA256

    afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26

  • SHA512

    53f28afaf51b48158d045d4878144351d54d15978233f13b24aa69e29a6da09bd6e024fed4871d7a2182500e1dc3c5919f0ff811e7d5a60f868a46b834dbf03e

  • SSDEEP

    1536:XJRtlEnBHHIgabuYotV/JbJCX5SBinJRtlEnBHHIgabuYotV/JbJCX5SBiE:XvtYxOuYotvYQInvtYxOuYotvYQIE

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
    "C:\Users\Admin\AppData\Local\Temp\afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1364
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2492
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2592
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2468
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3032
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:872
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1732
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    5d5ad67ffe9db3690c9786d6a833d697

    SHA1

    ef8cc5b452e0a2f5274e9fa39de86f8187cc3f29

    SHA256

    43c7514c59bb58fbd514332557c32a3f950a7241dd4abdfc50853065bac7ddb7

    SHA512

    398b9ff8899b1e43a3f1553255c0df094e98a5b4b87812e7b952d425d8a7597696571301b3a8569b12c962b29d78ce238e0ea2bd098e62fe9f1cdc0152e2f381

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    eca7269b264b2baf59f75402d72beb55

    SHA1

    4af9513cf1caf086becc59ad005e28bb110a0115

    SHA256

    d1860cc3e29855c0ed65d802df8b308a2e98fba98b05d546d51abce5c2697b12

    SHA512

    73c85cf1597799a5d3f95f3e1facd8ab89e81700973550e5f408bb3a15cd87f6e94ec2e302a0fa6460f7a847fb161cbb236583e3f64b29411d24d7193e468853

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    b0fa0a9b8123ddaebdfbccaa15c812f0

    SHA1

    4ecd5296b548cc2c03893bb59651ef39c9d5cae4

    SHA256

    afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26

    SHA512

    53f28afaf51b48158d045d4878144351d54d15978233f13b24aa69e29a6da09bd6e024fed4871d7a2182500e1dc3c5919f0ff811e7d5a60f868a46b834dbf03e

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    83a0211a1eeff51ab8099dd526400f53

    SHA1

    56ad4d1bf3d6e01dd17b9f43bd5e8935d719717e

    SHA256

    daf90f1a43b9f06c2a3154bb14013e03e307115416e2ec02640ec68930bdfc63

    SHA512

    9341dab28f7b41a828aafe376df706d8d1ca215964131d3abec9d5a035f5173f8bfad1558107e99d8af6426d37bbdc1d088dde4ce86d536ffc2f2b80693965f5

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    a229d8bd0831a7449d1a8c586f4de71e

    SHA1

    1f7995294126e9703570b6fee14494ead76bbfa4

    SHA256

    998de07d9bc119b85b673e558d656e836853fd0c5bc0a2a20eb472b39e19d7e8

    SHA512

    af52c1efc0d3a8e1da816b3aac59f7ee2f536cfe9363a49ccaddf2a80b7f0d9a78e799c8d040bbdb637532f08e7aea9aa95b61f21ceaed759fae1590d7b4419a

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    d83f3222092568b8020be5198393b884

    SHA1

    955f692738a6bb83a062e473e8084369926614a4

    SHA256

    0f33ab6ffc4ba1df64ac47d5c0aab86f92cd60fdf2886b89201a0623f55feae0

    SHA512

    ea97db3dcb04b7090f46f8b82d7ca63b7582c5fa446a832be76d5a5efcec41b0e251a03ff2c95b2bc3bf717bf480858c945b7b03133682e001dbef632bc89e0e

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    4857c714b4b88fabc33f62159e9216c6

    SHA1

    181333f3e54904a0a0fec48efcd26e62bac01d4c

    SHA256

    932dbb74aeb82c0b290934642c92fe899cae42d74650b8d1a61a0d4727d87757

    SHA512

    1020796973f1ea4b1c110d4e8f39b03406144b9b132cf1cafaa55ebe737595f36984bd58fd5706f9d057e5f1fa5863034741d0c30d649ee410416d7a634f2856

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    d6cf6e8d8e3b3841abd13db26165d334

    SHA1

    e10fcf5152ab9a4d53a00c536dbb512033f1f8c6

    SHA256

    babbd92cf650122253e0315d418e904c42ad2d9c671eea9084f234d61da78ab8

    SHA512

    5403a31ab34c4a7c999afd120f60e4d049defc6805d8d325eb1e6ffc14faf06fb84c074621e25df1fdb6d4b597e698aa82206be878d47957c9b4c02ec01365d0

  • memory/872-171-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1364-147-0x0000000000570000-0x000000000059F000-memory.dmp

    Filesize

    188KB

  • memory/1364-160-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1364-192-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1364-185-0x0000000000570000-0x000000000059F000-memory.dmp

    Filesize

    188KB

  • memory/1364-148-0x0000000000570000-0x000000000059F000-memory.dmp

    Filesize

    188KB

  • memory/1364-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1364-155-0x0000000000570000-0x000000000059F000-memory.dmp

    Filesize

    188KB

  • memory/1364-180-0x0000000000570000-0x000000000059F000-memory.dmp

    Filesize

    188KB

  • memory/1364-111-0x0000000000570000-0x000000000059F000-memory.dmp

    Filesize

    188KB

  • memory/1364-135-0x0000000000570000-0x000000000059F000-memory.dmp

    Filesize

    188KB

  • memory/1364-173-0x0000000000570000-0x000000000059F000-memory.dmp

    Filesize

    188KB

  • memory/1364-110-0x0000000000570000-0x000000000059F000-memory.dmp

    Filesize

    188KB

  • memory/1628-191-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1732-177-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2468-141-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2492-112-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2492-122-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2592-127-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3032-152-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB