Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 12:47

General

  • Target

    3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe

  • Size

    313KB

  • MD5

    bd372e095c037675ea4171add0520462

  • SHA1

    697a203cb99b4242d067d78860fac36d73644892

  • SHA256

    3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b

  • SHA512

    b2111d5ae527ae91a62aea3f307ed94a81b8af09dacfed1bdb1386b65ab459b8642fb3b93560bd54f87b99a9339c3904c1985368418a14615a40978e54ca5a4a

  • SSDEEP

    6144:ueHwXUU5EYCTvaBjDjWrLJKuKnGML5NjcxV:uyMUusvalag5NjaV

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables use of System Restore points 1 TTPs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 8 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 42 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
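Added host-triage example, not part of the sandbox report or its vendor's tooling: a PowerShell script that checks a Windows host for the persistence and evasion mechanisms the signatures above name, and for the dropped paths listed under Downloads. The registry locations are the conventional ones for each signature family; the report does not show the actual values written, so every hit is a review prompt rather than a verdict. The seven-character uppercase names (LRX3Y6M, OQD6L0Q, GFI7N5Y, PHI7L8V, WRQ3X8S) are assumed to be generated per infection and are matched by shape. Hash matching is deliberately left out: the report records three different hashes for C:\Windows\OQD6L0Q.exe and three for C:\Windows\SysWOW64\GFI7N5Y.exe, all 313KB, so the on-disk bytes change between drops.

```powershell
# Added host-triage script; not part of the sandbox report. Registry locations are
# the conventional ones for each signature family (assumption: the report does not
# show the exact values written). Seven-character uppercase names (LRX3Y6M, OQD6L0Q,
# GFI7N5Y, PHI7L8V, ...) are assumed to be generated per infection and are matched
# by shape. Run elevated in Windows PowerShell 4.0 or later.
#Requires -RunAsAdministrator

$findings = @()
function Add-Finding([string]$Category, [string]$Detail) {
    $script:findings += "[$Category] $Detail"
}

# 1. Winlogon Shell / Userinit ("Modifies WinLogon for persistence").
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ne 'explorer.exe') { Add-Finding 'Winlogon' "Shell = $($wl.Shell)" }
if ($wl.Userinit -ne "$env:SystemRoot\system32\userinit.exe,") {
    Add-Finding 'Winlogon' "Userinit = $($wl.Userinit)"
}

# 2. Explorer view settings for every loaded user hive. HideFileExt=1, Hidden=2 and
#    ShowSuperHidden=0 are also the Windows defaults, so record them as context only.
Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
    $adv = "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    if (Test-Path $adv) {
        $p = Get-ItemProperty $adv
        Add-Finding 'Info' ("{0}: HideFileExt={1} Hidden={2} ShowSuperHidden={3}" -f
            $_.PSChildName, $p.HideFileExt, $p.Hidden, $p.ShowSuperHidden)
    }
}

# 3. Image File Execution Options "Debugger" values (IFEO injection). Legitimate
#    tooling can set these too, so review each hit rather than treating it as proof.
foreach ($ifeo in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options') {
    if (Test-Path $ifeo) {
        Get-ChildItem $ifeo | ForEach-Object {
            $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
            if ($dbg) { Add-Finding 'IFEO' "$($_.PSChildName) -> Debugger = $dbg" }
        }
    }
}

# 4. .exe file association ("Modifies system executable filetype association").
foreach ($cls in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
    $key = "$cls\exefile\shell\open\command"
    if (Test-Path $key) {
        $cmd = (Get-ItemProperty $key).'(default)'
        if ($cmd -ne '"%1" %*') { Add-Finding 'Assoc' "$key = $cmd" }
    }
}

# 5. Run keys ("Adds Run key to start application"). HKCU covers the current user only.
#    Entries pointing at the report's drop locations are prefixed with "!!".
$dropShape = '\\Windows\\(?:[A-Z0-9]{7}){1,2}\\|\\Windows\\lsass\.exe|My Pictures\.exe'
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path $run) {
        $props = Get-ItemProperty $run
        foreach ($name in ((Get-Item $run).GetValueNames() | Where-Object { $_ })) {
            $val  = $props.$name
            $flag = if ($val -cmatch $dropShape) { '!! ' } else { '' }
            Add-Finding 'Run' "$flag$run : $name = $val"
        }
    }
}

# 6. System Restore policy ("Disables use of System Restore points").
$sr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
if (Test-Path $sr) {
    $p = Get-ItemProperty $sr
    if ($p.DisableSR -eq 1)     { Add-Finding 'SystemRestore' 'DisableSR = 1' }
    if ($p.DisableConfig -eq 1) { Add-Finding 'SystemRestore' 'DisableConfig = 1' }
}

# 7. Dropped files. Fixed names come from the report's Downloads list; the real
#    lsass.exe and smss.exe live in System32, never directly under C:\Windows.
$fixed = 'lsass.exe', 'cypreg.dll', 'moonlight.dll', 'onceinabluemoon.mid',
         'system\msvbvm60.dll', 'SysWOW64\systear.dll' | ForEach-Object { Join-Path $env:SystemRoot $_ }
foreach ($f in $fixed) { if (Test-Path $f) { Add-Finding 'File' $f } }
foreach ($dir in $env:SystemRoot, "$env:SystemRoot\SysWOW64") {
    Get-ChildItem $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -cmatch '^(?:[A-Z0-9]{7}){1,2}(?:\.exe|\.com|\.cmd)?$' } |
        ForEach-Object { Add-Finding 'File' $_.FullName }
}
Get-ChildItem "$env:SystemDrive\Users\*\Pictures\My Pictures.exe" -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'File' $_.FullName }

# 8. Live processes matching the report's tree: service/smss/system/winlogon.exe under
#    a random C:\Windows\<7 chars>\ folder, or lsass.exe directly under C:\Windows.
Get-CimInstance Win32_Process | Where-Object {
    $_.ExecutablePath -and
    $_.ExecutablePath -cmatch '^[A-Za-z]:\\Windows\\(?:[A-Z0-9]{7}\\)?(?:service|smss|system|winlogon|lsass)\.exe$'
} | ForEach-Object { Add-Finding 'Process' "PID $($_.ProcessId): $($_.ExecutablePath)" }

$findings | Write-Output
```

Run it elevated. The HKCU checks cover only the user running the script, so repeat them per profile or load the other users' hives. The Info line for Explorer settings appears on clean hosts too, because the defaults (HideFileExt=1, Hidden=2, ShowSuperHidden=0) already hide extensions and hidden files; compare it against the host's known baseline rather than reading it as a detection on its own.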

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
    "C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\LRX3Y6M\service.exe
      "C:\Windows\LRX3Y6M\service.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2516
    • C:\Windows\LRX3Y6M\smss.exe
      "C:\Windows\LRX3Y6M\smss.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2668
    • C:\Windows\LRX3Y6M\system.exe
      "C:\Windows\LRX3Y6M\system.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2808
    • C:\Windows\LRX3Y6M\winlogon.exe
      "C:\Windows\LRX3Y6M\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2692
    • C:\Windows\lsass.exe
      "C:\Windows\lsass.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1972

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\Pictures\My Pictures.exe

          Filesize

          313KB

          MD5

          4487d18c55215cb3283c1e7a42922553

          SHA1

          c0751e09a543d04380a20968a67b1aae1d719395

          SHA256

          4de8c23e832a45f00a5f09599346bd9d55b2c783ee7d4bceb1c38bf008113862

          SHA512

          c4fc8fdbfb3f6d54accec62d5e6563b3494dd18e81c55177617824fba4437fd93af92cf42e0764a58ae5e1609de6ad910531f6c4a50d5a9bd73dadeba6e865f7

        • C:\Windows\LRX3Y6M\KOK7O5H.com

          Filesize

          313KB

          MD5

          5fb78dc1b8ca953c092ec59cbc0c09c6

          SHA1

          52705bb92ebe0353a42b457c05c0d42fc3f46001

          SHA256

          d90b3f155cd47648083d2d2897ad3f1ac9debc5969628cdfcaf8def1a7cde3cc

          SHA512

          a32a3164d330284b9b12f21336fd4e1d2fb34354de54e2abea98d75b77455ba2a6a0fa3968daae8fd05e76d5b0eb4462675aced7f45f9bd3940885cb42c5ecc6

        • C:\Windows\LRX3Y6M\KOK7O5H.com

          Filesize

          313KB

          MD5

          894883be9122eefe8e34dd77a1ae6976

          SHA1

          9b5708f4cdf49fe23b2d909bd91eea970969251e

          SHA256

          5d4539f31e7d1972bfc10d96d208460954558c87db37c0e4a15e580e16d8b0cf

          SHA512

          044bf18113a3107bb2fa1de92788499e2c7124237011ea8c015a479ca9961558fa4dc22cd30ee50160b13f76ccaf22c3b1e68735cdc3325fb54cbbed4e39621f

        • C:\Windows\LRX3Y6M\UNT6G3M.exe

          Filesize

          313KB

          MD5

          368235db7f39ee8a096397c1bbdc51ac

          SHA1

          2349aaf298e40c9bcee59accd7049e6a05e57d1f

          SHA256

          16ba71a8dc7ae99aac9a4c8a0c0bec44ce306dd035f61f2e0f438a6cd1339c0a

          SHA512

          a9c91269e70612997d4ac0113e056386d94eb9466fdcc7d335f50ac9795997d3ce33a499ed0f1968f12bb75371ba3a6028b615c5c74809cd6f28d44e0277cc8d

        • C:\Windows\LRX3Y6M\regedit.cmd

          Filesize

          313KB

          MD5

          4b1cbe1d39e63d3ce2d24ba4d29bfbbb

          SHA1

          82edf37f3c7bd5017a15fc9f5736fd1860bb6a5f

          SHA256

          57aa273536c28256c2887981c86c2458a54ab7674ce3a4272661818da428bdbd

          SHA512

          af9bd9d3b52d6f00ad8ab19de863b0c618a6f8376317b68af0c70a560e400720233ccd5025dd98001fc8de3fecee478be14269909f65a81d78dfce52cb4602ab

        • C:\Windows\LRX3Y6M\service.exe

          Filesize

          313KB

          MD5

          90072ec618888584c5c87a7054da3992

          SHA1

          0dbeaf7f24915b82e0f30457773c6983c6e09ed7

          SHA256

          a1c8067ed74231868846f0c1640c79050fb10453ba32b24f78d886e310e1a608

          SHA512

          64f319154be1dab81418749ff47573b666b34ea038e4042b60b20ed9ae2440f30c6adce1ec987f6039d9ae4d7b23eca90d2ae3cdf7135824dbdb1917eab4a278

        • C:\Windows\LRX3Y6M\smss.exe

          Filesize

          313KB

          MD5

          75fbc65ea0c44506da070473e447bbb4

          SHA1

          741c036d7cdd737d07cfb8c6dca51960fa338f0a

          SHA256

          547649e6c8c49ef45874ae871edeccdf8c05e7e914baa65eb3bd352ab646a94e

          SHA512

          8172fc9f43dac11f03e5b48a32b3208c188f0aa8076c09ef20008d0c0f2f3069c3517c121e5d1233728f1bf37aa8fa3f90bfdcf5fe77196c998cd1b2d2688d00

        • C:\Windows\LRX3Y6M\winlogon.exe

          Filesize

          313KB

          MD5

          ae5dedb6b5e3daac9a39d19e2812eb1b

          SHA1

          ae1e253523a0f293e5b739aab90ada57abe3eb30

          SHA256

          04cfcf8e451a9b0231c5063ca8507e4bed6489f0fb01367bea2cd3619caf4fd6

          SHA512

          1ff9ba9b7d8eda5425d8d3b21a0164e9afed2e839f6b36856c1dcb5b9225cfe100c0db0e0c64ec272bc2f866450a07fa58ef05e441fdaf705155c72565364666

        • C:\Windows\OQD6L0Q.exe

          Filesize

          313KB

          MD5

          026e7c3c870358292e69bc9b0e142e24

          SHA1

          37d07eb7653ed24af7b52fe7a837f67511da7da5

          SHA256

          c653690639b032162e7c4d402dc257147899ab1b1b805b2e2dd8e6f1d250e416

          SHA512

          cefe102a699adf553add26ac5a0c6e3602f9c59ec1f0b486a32103ad5c6a578caa966719c539228e663df56eebc375a49999e64e4822bb416ec3646ed785141e

        • C:\Windows\OQD6L0Q.exe

          Filesize

          313KB

          MD5

          3b90ef6d1b1efc0ee0df0dff37ebad38

          SHA1

          215fdb06ddf8123ad1d9626f0bd9ed6e9ca514e7

          SHA256

          17541ff72f845a86cf09a0a780907541a31e435d5fa8d7265daff19c4727c355

          SHA512

          04700d5090133ec689ac46b29728781a97bd20d51ce68ebbad763eb997c0ece346b0d7dfb582f3187d7c8970dece49774fef86114636095d620addb190ea7b16

        • C:\Windows\OQD6L0Q.exe

          Filesize

          313KB

          MD5

          8e42cccf0e20cd52109e924af79dcfe6

          SHA1

          83dbae88ea6cecdfdaf60dd4968cd150a072e55e

          SHA256

          daa6646a4177d8a23a245e93be53215e72e0b2a8176f4e0c19903d136bdb0622

          SHA512

          c77aab6f2880745e754fa93b12de94188f6556b15c946e4d614558727678980a23747f1d49ba6b7d9447e0fa370f8023db7fec513450b24882761471655b7c07

        • C:\Windows\SysWOW64\GFI7N5Y.exe

          Filesize

          313KB

          MD5

          7f64cf01611c4309604eae7c019b2153

          SHA1

          5d1d7519fb13bdc211d155b67ffdc75620ba60e3

          SHA256

          b48c993cfcaa285c3f42b36ab1f818b739077510caa41131410150eb668aa247

          SHA512

          d66ce29b5bca9b5ce025e64b6117518047c0d45613c9253d9564b3b3846995e3e33d40bae48a6d1b8cfb3811cc74e36fc6f4d8f8ce282f4442fcd35072b1f708

        • C:\Windows\SysWOW64\GFI7N5Y.exe

          Filesize

          313KB

          MD5

          57e1f3ae7b7f2c75090a030c18218040

          SHA1

          99e899f66ba91819b89fb7cf72298ae957fae5a1

          SHA256

          52d891a83ca71ea90f590922af372b9e9790b940efd73fb20e2af55672a341a1

          SHA512

          9214fef6efbd66e9feec6117357d677a01829d9e10afc25d1dfbceca7751140428c51298a200c3ceda5bbb21a042ad08b807ec8279ed4b40e3d94d288a0f960b

        • C:\Windows\SysWOW64\GFI7N5Y.exe

          Filesize

          313KB

          MD5

          bd372e095c037675ea4171add0520462

          SHA1

          697a203cb99b4242d067d78860fac36d73644892

          SHA256

          3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b

          SHA512

          b2111d5ae527ae91a62aea3f307ed94a81b8af09dacfed1bdb1386b65ab459b8642fb3b93560bd54f87b99a9339c3904c1985368418a14615a40978e54ca5a4a

        • C:\Windows\SysWOW64\PHI7L8V\WRQ3X8S.cmd

          Filesize

          313KB

          MD5

          0102f0f1e9677f4b385178e20b84ef50

          SHA1

          98dcfe2b9eb3de89411603a22c4608b4b2281cbc

          SHA256

          5ca35fffc029e5af81cb09c3b8c9dc371583682b000f7b7c9f061b72df53b1ac

          SHA512

          680484a66648f8117a76b7ba356d2ac17fdad6fed2350fd9eef34496ffc7d37e4938cc96275e550fb1b0447eddc18b9f6b473411070704f54b327db69577eb0f

        • C:\Windows\SysWOW64\WRQ3X8STYJ1F1E.exe

          Filesize

          313KB

          MD5

          9c779d1d362a96d569ad44607284a1f4

          SHA1

          30d9af11e4fef2b199a3ad521de718f1cf158224

          SHA256

          2b538620d691745805591295b469866a63c35c5a6b581a5a0f976884c8bbde4d

          SHA512

          979ad6e2c3a1080cf63c8a50e7ce410147da0c5f4b2a3c5c302767bc870a560f595a52d66197e9c501017eefd96f0e2650bef1271ef51081a2aa978ba2c2df0b

        • C:\Windows\SysWOW64\systear.dll

          Filesize

          141B

          MD5

          d1b06c1feba95fece35fd91d705f778f

          SHA1

          8a0d51016931fadb4cd65610ad2f82b122f899bc

          SHA256

          ce790862a1ee0cf67f6c548e6363314fe51dcb825a907bfeecc85dc2fc4d3caa

          SHA512

          56f67dc9ac44282fc5c3f460311533dab2931a89ae3d448fdd743d21b42a069315152a420fedfa698a966416e3067959d2229dee9e33f75861b20b73b96472e3

        • C:\Windows\cypreg.dll

          Filesize

          417KB

          MD5

          d98c8e75e0b733b355221719abeb71e4

          SHA1

          e83c3d1bb4a5e346e8cd2582112ad8c44e18da2a

          SHA256

          4128459a5e29bc260f774480f81d2a1b558c7b5adb4bfb0c2bcce1d939b497f5

          SHA512

          312bfb82a0aa07e508fdeccade049f6edf434705ea6feefc5f24512283b2141700feb60d543523bc765be0b53bd6e95a533a6bad2a467abf0437228b2edcd7fe

        • C:\Windows\cypreg.dll

          Filesize

          417KB

          MD5

          a18f4968b8f8fe9082185bcf1ae2d131

          SHA1

          992f97e5491a3336c19f8a8fa42f57eaf6f7646a

          SHA256

          a8a3f3cab149177fc8d736329368b84ef92ddd3133fc62c6a26586560a51c3df

          SHA512

          a5542b365a2c5cd1779ef6b173b44863acb279d0614d501c7217e6598bba174139580ad96649baebda8cdb51c8bcced497717bc6a3fe83a181f03656e8ec3d16

        • C:\Windows\lsass.exe

          Filesize

          313KB

          MD5

          06b5ea9ddc5503d52137fb909cc0210f

          SHA1

          d8bf80712eff604ab2843b9627c5f2e5cdae38d3

          SHA256

          c0166599756f9d522f65183cf57b98aa999633641b361bf7938b7bb609283c9d

          SHA512

          2b2956b890b0d87ee7aeffbc85eb8077c893763c29ea78a0db3bb76f3025b4013986b70a4e6e0030771b4823032a01a11f3da5bbc0fd72daffb4bb91fd78ab50

        • C:\Windows\moonlight.dll

          Filesize

          65KB

          MD5

          8e6e31f8df128a746ff9a3a38f8f78c0

          SHA1

          e4da9aa336eb7e254592e585b29d8b4e23f3e4bd

          SHA256

          dc33796b634ea14ed80a492257f698d103a57e1a041ccab92945efa8201a65f7

          SHA512

          eddacadcb86d8ead42185af5ce779f35dcbf262b2e12dc1cb816c3c5e35563201a839b861eb4a2cda472a5a27b2dfb76a0310d6eb94b49e9d5b58af869ef22c6

        • C:\Windows\onceinabluemoon.mid

          Filesize

          8KB

          MD5

          0e528d000aad58b255c1cf8fd0bb1089

          SHA1

          2445d2cc0921aea9ae53b8920d048d6537940ec6

          SHA256

          c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

          SHA512

          89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

        • C:\Windows\system\msvbvm60.dll

          Filesize

          1.3MB

          MD5

          0b56afade202c406eacbf7cdc87152e0

          SHA1

          6781240f65be24dd3d171f9b9d950b61349c565a

          SHA256

          494797cd029292876cea51dd6ef96e361416fc35682d2503dcb7ee989e77a98a

          SHA512

          5e2792f2ae7473218e92e7e40c39d0f46d31252205ec2fc4433f438797b3bb0d056847f882912ec2e4039c8229edc17e2e9e5b0f134bfab1e674b8273215ecb5

        • \Windows\LRX3Y6M\system.exe

          Filesize

          313KB

          MD5

          b579b43ef4283d244650f6d6d0e175db

          SHA1

          eed7fe8498b16b6654f358f0e7791c47f29abead

          SHA256

          ad4c3edcaa5ee5e8b3b2a2907d791bba6b546c854b7497fb686366ded9d94767

          SHA512

          8c4ed83e844dff49c33f4375f8f60bd33678b4a21e735f8759b433dbbfa4bb87408fab71275ea57b5304b5700a3832e77f5175fd50260b4e7d29dad1bb92c78b

        • memory/1200-214-0x0000000003500000-0x0000000003510000-memory.dmp

          Filesize

          64KB

        • memory/1200-0-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

        • memory/1200-215-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

        • memory/1200-210-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

        • memory/1200-56-0x0000000003500000-0x000000000355D000-memory.dmp

          Filesize

          372KB

        • memory/1200-57-0x0000000003500000-0x000000000355D000-memory.dmp

          Filesize

          372KB

        • memory/1200-89-0x0000000003510000-0x000000000356D000-memory.dmp

          Filesize

          372KB

        • memory/1200-73-0x0000000003510000-0x000000000356D000-memory.dmp

          Filesize

          372KB

        • memory/1200-47-0x0000000003500000-0x0000000003510000-memory.dmp

          Filesize

          64KB

        • memory/1972-213-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

        • memory/1972-243-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

        • memory/2516-236-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

        • memory/2516-58-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

        • memory/2668-68-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

        • memory/2668-240-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

        • memory/2692-90-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

        • memory/2692-241-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

        • memory/2808-242-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

        • memory/2808-246-0x0000000010000000-0x0000000010075000-memory.dmp

          Filesize

          468KB

        • memory/2808-250-0x0000000010000000-0x0000000010075000-memory.dmp

          Filesize

          468KB

        • memory/2808-251-0x0000000010000000-0x0000000010075000-memory.dmp

          Filesize

          468KB

        • memory/2808-252-0x0000000010000000-0x0000000010075000-memory.dmp

          Filesize

          468KB

        • memory/2808-253-0x0000000010000000-0x0000000010075000-memory.dmp

          Filesize

          468KB

        • memory/2808-254-0x0000000010000000-0x0000000010075000-memory.dmp

          Filesize

          468KB

        • memory/2808-255-0x0000000010000000-0x0000000010075000-memory.dmp

          Filesize

          468KB