Overview

overview

10

Static

static

3

587c2cf1bf...3N.exe

windows7-x64

10

587c2cf1bf...3N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/11/2024, 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    587c2cf1bfa4e84166957c8fd1a7d9a0aed0fdcb64e5fbf54bd35713ff35c0d3N.exe

  • Size

    91KB

  • MD5

    6c910197a009b83e313e0c358b4371a0

  • SHA1

    4d7edfcfea9441634d41a96c36f63c586d835eae

  • SHA256

    587c2cf1bfa4e84166957c8fd1a7d9a0aed0fdcb64e5fbf54bd35713ff35c0d3

  • SHA512

    87c0e579be770a4d92ddfea2cc15189bbc8437eb4728cf50ad9caf3ab857910601784a58301a87d9aefbaf573d2aa948b652860afc7918e156d889c57eed55d0

  • SSDEEP

    1536:zAwEmBZ04faWmtN4nic+6GuAwEmBZ04faWmtN4nic+6GG:zGms4Eton0uGms4Eton0G

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\587c2cf1bfa4e84166957c8fd1a7d9a0aed0fdcb64e5fbf54bd35713ff35c0d3N.exe
    "C:\Users\Admin\AppData\Local\Temp\587c2cf1bfa4e84166957c8fd1a7d9a0aed0fdcb64e5fbf54bd35713ff35c0d3N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:980
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2172
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1460
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3164
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3980
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5060
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4632
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    10b472f7a0e1bdc73071e34de5c7db1a

    SHA1

    8a661fefbaa05835370bb63a0f646cea9c040a78

    SHA256

    bbb075b09aeeb9c69ea17d661781c0b08c6a5bdc9c268d9e11d7282dd36f39fa

    SHA512

    2ca8534da16f5efca061acfde04521310352696c6253cee353d06f0720c1f717758dd0ad3318402fbc7ed394efc70f5103882d0b100a28f9e2eadbae7bb5fdfc

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    497ad7bfae94b8478a581d56f73ece0d

    SHA1

    83d751c5e1ba841eb17cdc2b89bd3896aa191900

    SHA256

    377db37d4839b039cc13142527a7b377cd56c5b99fce86c94ac87f838a66a559

    SHA512

    c8a2257c6883b9cc5a56346063b8741138023cd00bd8be4c2749354fbb9ad0b5741d58cf9872379a09c306b335417f8c574d537b4d07c1c6b577db593d246236

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    bb19f38c986330b609befa2b5e2fdde3

    SHA1

    9892bbbc6ff6a2d01095fa5a5740aee9f7869d34

    SHA256

    5982e4cd505cb683ab0c9fb30587953c0b86022c0936e86185ad8805cd26bbf2

    SHA512

    eb7e499840708d4f99e2f52218a4fdca5c21f9daf9a47c8e2b70389078e8517d2a43336ccc983443a1f9e15376412228eff9dbddd5f901e4fad228b48c5feab3

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    340a31662479dc8ddd789eb02036ebaf

    SHA1

    664c706da7ec07f85987b59532ad4e2c7ecc4c85

    SHA256

    7faf017c88c4236ac5fcc770201a5a64dfd3c3ff6a5ce02b0f7b41bf4b0f0f75

    SHA512

    e543417783f37646a5fcd6d16b0a664378635303e6f2d12637ddf1afa9c74fa91ed202cacc374da83e51c987b4cf8c6a0155c5a4b14019ff3606c722ff44351b

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    7ad2c28faa1b90093e10f560101fdf4e

    SHA1

    cadb85b02c5f5a273c39279dd0935bdcac51b9a7

    SHA256

    aeadbeff25e1657a5474bc6dd8ecafeffc1129709a9e47a32440d5bb55884cba

    SHA512

    fa1cde4fdb47c4ba5e3fe80f6fd55f95693a0145b5c02dda75fad9526beb9af2767e97256b848fc5ab1310f55c01bf8a60ab23894888b854fccbf518c744418f

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    6c910197a009b83e313e0c358b4371a0

    SHA1

    4d7edfcfea9441634d41a96c36f63c586d835eae

    SHA256

    587c2cf1bfa4e84166957c8fd1a7d9a0aed0fdcb64e5fbf54bd35713ff35c0d3

    SHA512

    87c0e579be770a4d92ddfea2cc15189bbc8437eb4728cf50ad9caf3ab857910601784a58301a87d9aefbaf573d2aa948b652860afc7918e156d889c57eed55d0

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    5cd0d42a6f49a4158d58a0e41615cac1

    SHA1

    abdae9a95380e027ac8ea4eb037a9eb3801d405c

    SHA256

    7b1d78066296bc993c87b9397b783d1321fc5a862fd0f88935482afbff2f02c8

    SHA512

    2939dbf8ab17fdef9b496358e1ea5df2ae04728df1ad2732f4c80dda65b4144d6362ae94e7693f20990317f07c4125abb23c2760a7c77777ed08f3495231bf66

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    722a25cf1560268124a095085968e063

    SHA1

    44e953742936b9fb9cd36c21c5eb3e7894a1704b

    SHA256

    ff2a38982d9a537c891bf1143a53d6d62fb94e4a19da06baeed35634f44b167c

    SHA512

    7f0ec819d45bb425e6c1bbcb96b3ca98c84814aa7ce2def7e958f1e6a30ec2db77ae79191f1369df7280812ba61a5c62ce596bc2520e26f85bfa03ab3a587305

    Download Submit

  • memory/980-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/980-153-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1460-116-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2172-112-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3164-123-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3980-130-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4632-146-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4744-151-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5060-140-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download