Analysis

  • max time kernel: 93s
  • max time network: 94s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 14/10/2024, 06:12

General

  • Target: 0272e98cc549adba886227693bfcf9afb68d7c7bf69a143fa1394f457814e98cN.exe
  • Size: 91KB
  • MD5: 775908ee88e4a87c52816ee1895ae190
  • SHA1: 36798271f1db471d444fd706eaa43cade5bcc69c
  • SHA256: 0272e98cc549adba886227693bfcf9afb68d7c7bf69a143fa1394f457814e98c
  • SHA512: 0d5db9f5ab56aa163e136c62cf2dbe96f613ae6780f23812a849414caeac355b3025008d5f5cd77386682fa5abde495952349f33ce0fa45b8c26073885af84f6
  • SSDEEP: 1536:XRsjdLaslqdBXvTUL0Hnouy8Vj+RsjdLaslqdBXvTUL0Hnouy8Vjn:XOJKqsout9+OJKqsout9n

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0272e98cc549adba886227693bfcf9afb68d7c7bf69a143fa1394f457814e98cN.exe
    "C:\Users\Admin\AppData\Local\Temp\0272e98cc549adba886227693bfcf9afb68d7c7bf69a143fa1394f457814e98cN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4780
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2636
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4812
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3512
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2432
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1792
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2520
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:216

Network

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize: 91KB
    MD5: 245fc5fdf54427358955f12f7b247add
    SHA1: a79811e403a47c929d32bf3f8adf9f928945b5fd
    SHA256: f2bb0faca75215f52c76ed9dbcb66bd4fc1857cc9b672a0c18d0bc271a7b705e
    SHA512: 396ca6568c22b6e157dc6c29f04e1cc0f1990d40d7a21627be41980d4327da1d168103fbda1c6a3da65d213ab772b97ff47f8fc0af60f45fe78506f33f5a988e

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize: 91KB
    MD5: 87d1c120c714fd0308dea2672088b560
    SHA1: 67ddd5b4e21212280c0cfbee79b9e628ce64dc39
    SHA256: 4098362a3cf6ae2ee980196da57446042b1e837cb1ae48ffdfae046387d44e38
    SHA512: 1ecc21b35479fcecd6fb1b1e10de5a631c3ba987c324470027e324c5a2147bc4c70f49fa5575d78db1cbbc2f45f6b94e9e79928201fbb4ce5858f23fc5c2f5ff

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize: 91KB
    MD5: 1b66becdc8d834a8e82ff8a1e1ebcecf
    SHA1: 5e05d8bbcf4d2f6a269b180d5fbe7d79db2d88d8
    SHA256: 7ea4e36821400b89981e71a567b868c08c1683deafbeb29d67e8c79dd486ca9f
    SHA512: 882a6b615571908b1c67063eb21a815ae3ba306f6ae2d54ff471afae398a73adbfd1e19a7542c8b7ab9bc733b83c5b924474d872c3c890f5bafcd250e374d269

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize: 91KB
    MD5: 449d84206dec9bb645a3c83a11b66c3c
    SHA1: 8acdbcb6252d4adf1bd117a71f0af8bb17046db0
    SHA256: 1e0a0f41d7d57b6a5dad62bb33f16cfd86a575a960116243a7c4099f6b801e3b
    SHA512: be8f6ce498484d967bac1a008819c97222f9e6fa982c9a915375e95ff0f392b0bc80bee25c499fa315df4ca18112587d32a0ce83d8c2cf8fd9801161aa5af648

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize: 91KB
    MD5: 21b4ced7c6e4aaab927eaaaba62c9262
    SHA1: 07435c5f92c78c5f0dd6bd9f8e91dd61044f5d52
    SHA256: ff9d9aad1226fd34e9444368da4e5d788f4b14cae9c55fb2ebd4fbae5a3cf7b6
    SHA512: aafbd12af9770766a8277fde7801a77fe740635f93565e2a9137a22b209ebac74adef3a326005f7eb3a910cdcb62dbb914e6b934a6d69c5f7362c5960efeebcc

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize: 91KB
    MD5: 775908ee88e4a87c52816ee1895ae190
    SHA1: 36798271f1db471d444fd706eaa43cade5bcc69c
    SHA256: 0272e98cc549adba886227693bfcf9afb68d7c7bf69a143fa1394f457814e98c
    SHA512: 0d5db9f5ab56aa163e136c62cf2dbe96f613ae6780f23812a849414caeac355b3025008d5f5cd77386682fa5abde495952349f33ce0fa45b8c26073885af84f6

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize: 91KB
    MD5: a42a9e43017d5d3b89442c49467ad6e1
    SHA1: 4063282b8da284d82c82b83340720f261297aa37
    SHA256: 92cdbbb7ad5784e91aed0a6b344dcdf54cd750009611426375a311e2aafb7562
    SHA512: 91801b965a25a15152239810d7406efaf60c475020d37217bf836c5f5f207afcc0b33c10319197204a17aed7a65fe28c918ecf72feb90eef8a5f4fa1f65b915b

  • C:\Windows\xk.exe
    Filesize: 91KB
    MD5: 2942186e047500ad94fcfe91151fa967
    SHA1: 2a037a3f58785b62f864ff57d521300a51c5e086
    SHA256: 565e60e57287a66068c2bc7452f1162366279f77a4ba656250914547fee57a31
    SHA512: b84d85fdfc89fbb78fc3678617324dc79926c75804daccd0bfb1c08d8a2befd799422a0bc5ac083e2656356d4f0d829baa3e01e8bfc6630d2dbff1e982c3bfe4

  • memory/216-151-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/1792-138-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/1792-135-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2432-131-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2520-145-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2636-112-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/3512-124-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/4780-0-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/4780-153-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/4812-117-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)