Overview

overview

10

Static

static

3

fa1b84ec23...dN.exe

windows7-x64

10

fa1b84ec23...dN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2024 05:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa1b84ec2305b894b74dd4967df44f50279b4fb47ebef3d0defbe1d2edac977dN.exe

  • Size

    45KB

  • MD5

    a8d8f49b36d5e4fab1ffe9da8937adf0

  • SHA1

    d6591d24a1d52ef7578ae94fdbe961c1ac5edbde

  • SHA256

    fa1b84ec2305b894b74dd4967df44f50279b4fb47ebef3d0defbe1d2edac977d

  • SHA512

    618dbf518405c270df3eeebaa6ca477da069afba9929405d02fdcfa026f96131a5cdf5c237df9ebf99a8dfb1dbd6aa39960c6a2ce3663043420d1b3d9478c343

  • SSDEEP

    768:/mFQj8rM9whcqet8Wfb4JzRJwEIHU5U3rf12WmULgJs7DFK+5nEo:1AwEmBT4JzRJwEeUW7f12xULgJzo

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa1b84ec2305b894b74dd4967df44f50279b4fb47ebef3d0defbe1d2edac977dN.exe
    "C:\Users\Admin\AppData\Local\Temp\fa1b84ec2305b894b74dd4967df44f50279b4fb47ebef3d0defbe1d2edac977dN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2996
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5112
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5020
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4336
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1764
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1324
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1008
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    45KB

    MD5

    29cfd98d72366a97d5cca905d54d751a

    SHA1

    4b0abe10324121bf7913bf06f5cc6d332847b098

    SHA256

    f5b4c23b22f7f0cd7f5c4dbbb409223eb168124988d02fc515d05f78141ee402

    SHA512

    0c0370dcf8eba411fb4b6def5d047b18f1fde036b8e0ae35d3b86d31c84b25600358086538c51bad49afb2be3e9ae6cdbaca3a97b87aaae615515c2543d10d3d

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    45KB

    MD5

    d3d6566f74c9fb8bc95aef965daf7e94

    SHA1

    69763fd66e33843868bff76a0bd634c92894f1ab

    SHA256

    a5647450cacbfb8606474cff123d967e47b6dc682ff3dd74e50cc17166beb046

    SHA512

    9eca6906e378010031673ca8e6290f060229ffb187d55bcb66614ee4263bcb152cd8dad37230b6bbe3db0af640649c1d56777bcbf9471e9d160ff7d9d2e2fe2c

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    45KB

    MD5

    6672e44d14060dacba57c515be304d04

    SHA1

    5aeee37655bab8ef60a24cd5352c9823a20231a1

    SHA256

    8c77188ad1012a65fed6e19b65e7a4440a836f76d080282df873a84b3ddd2566

    SHA512

    98cd5197fe175ef4e8a1ba851d7012153ffb195a89638e0610ee6c2c8737c03a7853e537faddaf6deeaae2c7c237c4e7c5a5b0f126b3a63fe30fe327fa0698c4

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    45KB

    MD5

    c513b1f2b47c6c382101e15b60356209

    SHA1

    3508a061ea77cefdab3a94c2fc82242c43b56edd

    SHA256

    2a9bb5c00f4e234611b35559b7b725013d08d2244395a39d7a6155966df642aa

    SHA512

    038170e59f400294f6fc6d9f7543113fe038827610f378baaa509e95ac061a5891f579d523ea9e83f69ccba0191405d9f238daa1a49a611c61d0e82ce916ce1e

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    45KB

    MD5

    039151d4ee76acea55b995bf5f4e6dac

    SHA1

    a78699087d7f4b44196be65971769b641cc885dd

    SHA256

    e263addc669f08a091c1ee942e7640785f09bbfdc9d8b19a162222a3e237e76e

    SHA512

    8cb9ccced06a41c04a4fa54630e3efada5044258a19ce8c27dd4c90def0b01d466efc0ca0aba2cc201565dee353e1375fd6ca6e406c6b404f440f1ddcd650c1b

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    45KB

    MD5

    a8d8f49b36d5e4fab1ffe9da8937adf0

    SHA1

    d6591d24a1d52ef7578ae94fdbe961c1ac5edbde

    SHA256

    fa1b84ec2305b894b74dd4967df44f50279b4fb47ebef3d0defbe1d2edac977d

    SHA512

    618dbf518405c270df3eeebaa6ca477da069afba9929405d02fdcfa026f96131a5cdf5c237df9ebf99a8dfb1dbd6aa39960c6a2ce3663043420d1b3d9478c343

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    45KB

    MD5

    e1c64176835f3e465107f128976c2f32

    SHA1

    dd1ae194051f95d9e9c62b2f50fc4a28510e6627

    SHA256

    471eba31373beac7211648b13197600ae1aed2ea4045dc7f9b7545c841325b86

    SHA512

    d8b4f12c196fe1552cb144dea040e3e25b85a06c6bdaad7c838fd344830b30cdc8c0646bf2418e9185c7b67bfebedd7a98a13f6ae9d1367acdc5e02b8ae80967

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    45KB

    MD5

    70185147e8f480512eeb245fde8e445b

    SHA1

    349b7d9a717e22d11720090873d0ef6af12ffc40

    SHA256

    3ef50bc640099b5249a84e9f7acff43ee875eb72211c54517ce41d526b15824d

    SHA512

    8dfc500933929a6a47ff91f072206babe27f5ee0407317488cfc820ef57f6425f84d7602250b3709d5c43e65045ee363473d64af586957db0e2fd90a6ce7f93d

    Download Submit

  • memory/556-151-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1008-144-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1324-138-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1764-131-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2996-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2996-153-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4336-124-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5020-117-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5112-110-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download