Overview

overview

10

Static

static

5

73c6be724a...1N.exe

windows7-x64

10

73c6be724a...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/11/2024, 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73c6be724a6f4e3979f753378d3e1e230f1806affa2a59441099af00b19c6111N.exe

  • Size

    90KB

  • MD5

    a876db93b22ea5a07ae5053661b918c0

  • SHA1

    add010691eaaacb7c0cd693adc3cd70c89b3d7c3

  • SHA256

    73c6be724a6f4e3979f753378d3e1e230f1806affa2a59441099af00b19c6111

  • SHA512

    d7926983d395af1824bcb3513cf9131ca02a9b6c479de0c115f3dcb6f9ce5f271edab6f281fa86a5ad97ac9180d32850ed590e7b19f5b137f912869243510247

  • SSDEEP

    1536:XRsjdLaslqdBXvTUL0Hnouy8Vj8QURsjdLaslqdBXvTUL0Hnouy8Vj9:XOJKqsout9gOJKqsout99

Score
10/10
discoveryevasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\73c6be724a6f4e3979f753378d3e1e230f1806affa2a59441099af00b19c6111N.exe
    "C:\Users\Admin\AppData\Local\Temp\73c6be724a6f4e3979f753378d3e1e230f1806affa2a59441099af00b19c6111N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2244
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:216
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1392
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3948
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:8
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2024
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2760
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:408

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    90KB

    MD5

    a0315ffbbc1e47103a3d3124f6412d6c

    SHA1

    f469cb1a1cf35a19ad2d0ae06a106ed628122619

    SHA256

    09200619d7fb06bd58c510718a85e58899c76bf702f3e1090de955f889dc67aa

    SHA512

    a3839c92eb40b8175678ca6ab1b3687ce2f3c0cad3029a3d41572c4650340e4309ed0ffecd135f272b09ddafaf08c2ea394d8ca53aa142daa6ac0aa7c8bf9c60

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    90KB

    MD5

    5b6a42e0e2fc9fd39fecd18dbe44d797

    SHA1

    adab3e57c4435f8c3731c785138be151861d3513

    SHA256

    0e384a71f66a03901cf4895c58d8f1e4bae6f88602e152bdafbe20793474aa47

    SHA512

    663dc1bf652683674d98214a5209ea4b26794e269e01be2355059dc72c04d43b3aa7a37e512d92e1e0c6b0a8dc869f0090af4590666c33b543de47f274895668

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    90KB

    MD5

    d70d05eb39af1741f4066995894948bc

    SHA1

    5523a290e66b739439d613546f4590458d5870fc

    SHA256

    6ab0347a3955d5cd39b3d2114fd42e84b159118ea92605cfe521ab15ddce2907

    SHA512

    ae6306fdf7ae9f0dc1bab69ccd17216d200bbc1f792f66d917f046dfa4f364ad80890206212acccc71b9251fe03b786141dd56d735578a763cf34694b45ae608

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    90KB

    MD5

    a876db93b22ea5a07ae5053661b918c0

    SHA1

    add010691eaaacb7c0cd693adc3cd70c89b3d7c3

    SHA256

    73c6be724a6f4e3979f753378d3e1e230f1806affa2a59441099af00b19c6111

    SHA512

    d7926983d395af1824bcb3513cf9131ca02a9b6c479de0c115f3dcb6f9ce5f271edab6f281fa86a5ad97ac9180d32850ed590e7b19f5b137f912869243510247

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Filesize

    90KB

    MD5

    b86eb6338bd1a85bb1f320cc7da32435

    SHA1

    8aa3f86e6c6951ab03db9e90b67997d54c83582b

    SHA256

    bcd5f2ff8536ede463750d79b056b09ecef9145561d0565841b10cfa0a7ddb65

    SHA512

    eb123e01ef0ce0077b36df0b8fbbbe356417f9f8b4e12cf556d4f17b95a71f5926b340b0d9faccbc9cf3d9b3c2adce1c98699d915e5e76f83fd92e5a7dfb159c

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Filesize

    90KB

    MD5

    f88eec9df0b5941adff3327a36e0e8c7

    SHA1

    c9e2356da58b83cd872e1bbbd9570d2081e1b140

    SHA256

    da66b5a99e0f9e2ced1bf51609a4f927e1ec17872612368a7bda9534cbbb5298

    SHA512

    4df9771fd90d4f2a5a681282718d1346cf8a17c49ab2d7c40eddbd3f769f1480aa5f18a168b6ab619bd56865ccd9fe5cfc75058e9b81f0641219af1dc17cbeb0

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    90KB

    MD5

    aa836dc12191a2f6fb46aee0f27487ee

    SHA1

    cec0a3672168ceb068d76a6d45d0295ff25f0591

    SHA256

    ced79c3da6fc8a7b2e9a232834426bd2c315f28286c9dbe847f32d4afe61fb75

    SHA512

    71400a5fbcf56088341a6a6d31d8eb2367d60b0ab42de5140c23adc6f63262d2d2ce351e5c8f4888227efa34961541259e224c36724bef29e2d91107398f4cab

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    90KB

    MD5

    ecef7fb6c8dbe71e7196ee75c7dd3be5

    SHA1

    ddd22b6b55a6d50526eadae039e74b2797567c4d

    SHA256

    4f67c5272dd2f3dd79372e05952252857aecb2ff306d2c4d3e90f20429b3c6e7

    SHA512

    ff68ac105c4e3ad550c1aa1e07b03b2684bced3e146296fb80aebb37786d2b7f3a7827497b3bf9cfd1a144030f5c9607adba5ab9c29171dfa160eba127c78b3e

    Download Submit

  • memory/8-134-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/216-113-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/408-152-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1392-120-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2024-138-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2244-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2244-154-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2760-145-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3948-126-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download