Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    07/11/2024, 15:04

General

  • Target

    ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe

  • Size

    196KB

  • MD5

    07f35139b8c124c730d8c073b7b9cfc0

  • SHA1

    1bda918d117b2e20ff9543c03a4abaeb799119fa

  • SHA256

    ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47f

  • SHA512

    ee478bbcf7273843d31cc5e77df4612edf12d2dfcc3a19e08e27ed38fa63b004df23265cbc9644bdd1bb3f23fb894b4fc366b25e8afe9fc9b40c50fdc382488f

  • SSDEEP

    3072:ZOgUXoutNNxZVX4/awxfodLJUBv9Bsor1rHjhMU9npQQpmuG:ZFYoSrRARoYlld9n2Qpmx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe
    "C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:804
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2680
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:680
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:596
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1100
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2448
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:604
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1264

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\winlogon.exe

          Filesize

          196KB

          MD5

          07f35139b8c124c730d8c073b7b9cfc0

          SHA1

          1bda918d117b2e20ff9543c03a4abaeb799119fa

          SHA256

          ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47f

          SHA512

          ee478bbcf7273843d31cc5e77df4612edf12d2dfcc3a19e08e27ed38fa63b004df23265cbc9644bdd1bb3f23fb894b4fc366b25e8afe9fc9b40c50fdc382488f

        • C:\Windows\xk.exe

          Filesize

          196KB

          MD5

          a85a1c8b5b2e31fb3c2a6869eebc3f6c

          SHA1

          f5d2e05c4e2e6b26c3e3f62710b746e1245526f8

          SHA256

          150151fd93154ad4479dbf0ed1932b80cd2f5d07abae865e8c5a503dad8e52df

          SHA512

          c4f657ab70eb9e547c32e98188cd3c6a7bbb13e85506c4970e24ca70793958f897c468c1a38fc7553f7323bd00cbaacd49ce1a3522b3de71df775cfcc1baba02

        • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

          Filesize

          196KB

          MD5

          804863dfff2938bbfc77af1b029fb941

          SHA1

          483411ff35a1513cb0e3beedca4d79c362d15375

          SHA256

          08c2134d947eb73e06f4b2cd60441e1b93bc136ec178fe5aeee43511d045bed4

          SHA512

          b962b7b29589c4feb9458a36b0e035f40e07a2635ecba9f8a9d4e1b42853ab6161e8c65a3a196a6f1d64884572a8e3b1d9e9bbffc409acf6ac690697ab9bc7bf

        • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

          Filesize

          196KB

          MD5

          8c3265d825e5e95ae0f0b7057c727e25

          SHA1

          058ce81182f0889dbf44eecfb9694867549314e3

          SHA256

          22c0da378e488d51a6923cf0bb1b9bce17087a5b9178d9119056d2cadd117eea

          SHA512

          a211eae47e033767b864bd016e2f17d90f7599a3dfbb82f6f1907dc48e25bf8413471259abe77686ba6b747dd25abe8cda12922e7fec095723a852c12041aeeb

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

          Filesize

          196KB

          MD5

          81bbad7845bd1c1d3fff0172fc3785d8

          SHA1

          2a0f419ca218517d8bb3625419d867d61408932b

          SHA256

          a7e502e7567b92375e4c2ddd4f38468cf778d3e19963646f2a41ac92e1963a99

          SHA512

          237713afa574bc22558934d43c95c2826bfe0ee6d6f1c00a56131a2dccd11047218de3c4ffc46d4bbc7cfaa72d00f5cfe1988882acaa43914b383dc5f66f7f00

        • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

          Filesize

          196KB

          MD5

          d197dea8941ca6f8bffbd42f19cf015a

          SHA1

          6cb1c738e83d337123f27d7006db3aa35ac72adc

          SHA256

          7aab2c94d5bf3ecb9e377db728ba9782ea0267439e02f7d70b381b1a797b83b4

          SHA512

          698268dc05a6272a76d486c642cb976bbebf3aed9e03b9d2927cc5599dce7ada55069bbd5ed98cf4ea6f34b1d3ff698184b8ab11a9de12ee89e91f00c455e804

        • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

          Filesize

          196KB

          MD5

          6d8e869ce04fe543dd6953fd60db37c6

          SHA1

          f119b3fbc988325a5995c86d62d48fcbebf22305

          SHA256

          f28065d36192b6614254734628968436c1d89747190f400c3e672c31bd051578

          SHA512

          41d31ca9dd3dfb1f9960965e58678f578e4db1c5191523e686286f731c441b6929782f9b63c009e2b8dc545b0e61d7fb61c36ded573f3f0e77be501150293d95

        • \Windows\SysWOW64\IExplorer.exe

          Filesize

          196KB

          MD5

          6bdc73ecfa102cd08af218df9c48ae6f

          SHA1

          a60d094c2445948e5ae9198a27ff36de1822b066

          SHA256

          8f9b39b8a75e36c548091e3c8ca65106e5b25f32f359d2ac1fabd12ef9d84d3f

          SHA512

          5de428f3a67cb0d8d3ac866db9954f22213b04d08d154c13bb1939787bfeaf4917bec74d4ecdcb69d7d0ee517fdd8338dbb370c97910f3d399d3a4acf5a3f0df

        • memory/596-135-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/596-138-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/604-168-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/604-172-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/680-127-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/804-111-0x00000000030E0000-0x000000000310F000-memory.dmp

          Filesize

          188KB

        • memory/804-146-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/804-1-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/804-110-0x00000000030E0000-0x000000000310F000-memory.dmp

          Filesize

          188KB

        • memory/804-185-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/1100-149-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/1264-184-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2448-167-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2680-112-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2680-122-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB