Analysis

  • max time kernel: 152s
  • max time network: 173s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 02/12/2022, 21:30

General

  • Target: dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe
  • Size: 122KB
  • MD5: 129d8a368f0c4ef256879fe99e84a6d4
  • SHA1: 4bd2f36f72d2121512592bfad48df4ed3dd80e3e
  • SHA256: dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7
  • SHA512: cc37d82bae81820e12be79e8cfd0d06ede1cc8b8d917fcb66fb73e1ef89a52b4a484dfaa78abefd918c51d3aaa559b8a4a8a3596366877a7c027496a770e1850
  • SSDEEP: 1536:nyyzF9MFVCujlsQoeQZZ86ukpj0nGGF9v+4DRwS8GX:yyzQVCujl71QZZ4kp4F9Xt+GX

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe
    "C:\Users\Admin\AppData\Local\Temp\dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1812
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4880
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2756
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:736
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:800

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize: 122KB
    MD5: e00eb7adfbe789df554d2d373240fdb9
    SHA1: d07ae2f1a2e35d04cfc444b8a86d820d37aa76d1
    SHA256: ecdd44649ee357563aacb409455e2739da730733fcd00b6750904728b1ec423e
    SHA512: 8d0d261f0199c16309f76174228a3d9e4f735e6455823c452fc1d2847befe1d24928641062e7a69f13423a4ad49e482fec22db549bc3b67d7c07aeda615cef83

  • C:\Windows\System\explorer.exe
    Filesize: 122KB
    MD5: f3b91ce426f4004fb3046d5aa2bb0c9f
    SHA1: 4ae92a41b096f3a68f9ada5977d19a77a1add9a3
    SHA256: eabd435691cd1341f9257f32ef04b22005be0688f37c8cf775ccd48407ad3682
    SHA512: 74e3f05d2f04390fedada56baaaae7d912dac6d998a8b7b601465f5887f7ff77003db1b10dc48c7dc6431185aba1ebf12df01e336c4e88ccec1a31458e8059c0

  • C:\Windows\System\spoolsv.exe
    Filesize: 122KB
    MD5: 9809732bbb17671377c324dbcf6d5aee
    SHA1: 4e505c7d8553aadf00a6a5b0e6c5fa51368a950d
    SHA256: bf63b609dccc56b09c52062289cae79440f40ee262e9fda97d7ea3c4cedc025a
    SHA512: 15231d44be49794d8457e58e5c52ac0ab7005db68af6893e0591839ae5079b00b50e4e1cc2f769f1e2826a2b346c2a5ceacb5f322d9251034b99bf364cce2802

  • C:\Windows\System\svchost.exe
    Filesize: 122KB
    MD5: 86b9a8013fd925237625ac8bde581feb
    SHA1: 4a845e8831992bd0946d5a414ee1c1bbf1b5ff75
    SHA256: 0220ae409abfc91a0ad1b970030e58a5d585cac351d13038875dfc492c747353
    SHA512: 5187e3541eb28bfb38ca6680acc6948c21ca6e40b91491df6658bf3de5ae4366b55aee6a3d289f7ea5d25812b310409db28b09685d33bdfd4bec6afd864e8055

  • \??\c:\windows\system\explorer.exe
    Filesize: 122KB
    MD5: f3b91ce426f4004fb3046d5aa2bb0c9f
    SHA1: 4ae92a41b096f3a68f9ada5977d19a77a1add9a3
    SHA256: eabd435691cd1341f9257f32ef04b22005be0688f37c8cf775ccd48407ad3682
    SHA512: 74e3f05d2f04390fedada56baaaae7d912dac6d998a8b7b601465f5887f7ff77003db1b10dc48c7dc6431185aba1ebf12df01e336c4e88ccec1a31458e8059c0

  • \??\c:\windows\system\spoolsv.exe
    Filesize: 122KB
    MD5: 9809732bbb17671377c324dbcf6d5aee
    SHA1: 4e505c7d8553aadf00a6a5b0e6c5fa51368a950d
    SHA256: bf63b609dccc56b09c52062289cae79440f40ee262e9fda97d7ea3c4cedc025a
    SHA512: 15231d44be49794d8457e58e5c52ac0ab7005db68af6893e0591839ae5079b00b50e4e1cc2f769f1e2826a2b346c2a5ceacb5f322d9251034b99bf364cce2802

  • \??\c:\windows\system\svchost.exe
    Filesize: 122KB
    MD5: 86b9a8013fd925237625ac8bde581feb
    SHA1: 4a845e8831992bd0946d5a414ee1c1bbf1b5ff75
    SHA256: 0220ae409abfc91a0ad1b970030e58a5d585cac351d13038875dfc492c747353
    SHA512: 5187e3541eb28bfb38ca6680acc6948c21ca6e40b91491df6658bf3de5ae4366b55aee6a3d289f7ea5d25812b310409db28b09685d33bdfd4bec6afd864e8055