Overview

overview

10

Static

static

b3c4cd794c...0b.exe

windows7-x64

10

b3c4cd794c...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2022 21:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b3c4cd794c34cd836c16c00133410c846476bbbf48761a40b72ceb5ae65b460b.exe

  • Size

    122KB

  • MD5

    6900a40663f94842ec2546855cd4ccc7

  • SHA1

    3a2f6b5ac454dbd8ecc5abe3c5bfabebb72d756c

  • SHA256

    b3c4cd794c34cd836c16c00133410c846476bbbf48761a40b72ceb5ae65b460b

  • SHA512

    f7d6f9902b4896f76fc6550d8c49eb295f79acc3c2ab7f58fc0507037c0941513d00f7f6d02ee370c37803246ba87106e9a550de4b914e854899a895869e02f9

  • SSDEEP

    1536:nFyzF9MFVCujlsQoeQZZ86ukpj0nGGF9v+4DR18hW:FyzQVCujl71QZZ4kp4F9Xt6hW

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3c4cd794c34cd836c16c00133410c846476bbbf48761a40b72ceb5ae65b460b.exe
    "C:\Users\Admin\AppData\Local\Temp\b3c4cd794c34cd836c16c00133410c846476bbbf48761a40b72ceb5ae65b460b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1028
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies Installed Components in the registry
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1052
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1240
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:972
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1164

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize

    122KB

    MD5

    4a86d5d2e1610ccaa86c830beaf6054c

    SHA1

    075ce9843dd7edb70eb30f3d685f274adbdcaa1b

    SHA256

    6f4c1141fd5c8ae861e3715cf23cd675a8f4a45079299bfd09a297758e38df32

    SHA512

    3ca526cdca40ed0d848fc2d5f67bf01ed56607570532363a56f2f970b6106ae53319821c2d27cb1e7a9f9d02a292690d128ea0251f93422deeaa8e4a8e57f18f

    Download Submit

  • C:\Windows\system\explorer.exe
    Filesize

    122KB

    MD5

    e668825fac0bb8fc979bf1b2ffea00f5

    SHA1

    96c9a15d54faa3805a2795c50f39c25826b059e9

    SHA256

    1521aed286ea8358cf9a647b78679b66dc82b0ce7e1e5bd68e7e102969d2f335

    SHA512

    12001ac959b497bdc18c876375f22d882fabce19a956ea10551fa8f04874120065bf00591afb88367ef3b215637d9811f73917369639a2b9336ad6a2e02af49f

    Download Submit

  • C:\Windows\system\spoolsv.exe
    Filesize

    122KB

    MD5

    06f8de3a795a792120781079a9f8b93c

    SHA1

    401d92e5c56438cc885b4eb5ba5d64d76bdb8bb2

    SHA256

    4300eaaff53b45429cdb0ec01955f322a4c2ab18cc7aa0c93c3d047a210dfc00

    SHA512

    ec988b6bebaee83a5a45671ad19440f7681d3cf241c1834749e7d426e1a740bbdcce18d240f3a9ecd524f9d86a7ad76eefddb254a7f7a379d57532072d6834a5

    Download Submit

  • C:\Windows\system\spoolsv.exe
    Filesize

    122KB

    MD5

    06f8de3a795a792120781079a9f8b93c

    SHA1

    401d92e5c56438cc885b4eb5ba5d64d76bdb8bb2

    SHA256

    4300eaaff53b45429cdb0ec01955f322a4c2ab18cc7aa0c93c3d047a210dfc00

    SHA512

    ec988b6bebaee83a5a45671ad19440f7681d3cf241c1834749e7d426e1a740bbdcce18d240f3a9ecd524f9d86a7ad76eefddb254a7f7a379d57532072d6834a5

    Download Submit

  • C:\Windows\system\svchost.exe
    Filesize

    122KB

    MD5

    4a82baf68c0a91565cd5dff6a51b9cc2

    SHA1

    b0c41e973b16e0c3f773bf6ec17df96aa857d3d7

    SHA256

    6737e220506b6a9ff49901f24ce381a23059317f81d4b42383d6a83fa167989c

    SHA512

    681910576c8c5a5cc2b876210615cf657da470086c817d54c50115099293cf41c9c77fcfc8190ae1495c735095321adcfb899a47ed0a5bb6a650c2eff0363fd5

    Download Submit

  • \??\c:\windows\system\explorer.exe
    Filesize

    122KB

    MD5

    e668825fac0bb8fc979bf1b2ffea00f5

    SHA1

    96c9a15d54faa3805a2795c50f39c25826b059e9

    SHA256

    1521aed286ea8358cf9a647b78679b66dc82b0ce7e1e5bd68e7e102969d2f335

    SHA512

    12001ac959b497bdc18c876375f22d882fabce19a956ea10551fa8f04874120065bf00591afb88367ef3b215637d9811f73917369639a2b9336ad6a2e02af49f

    Download Submit

  • \??\c:\windows\system\spoolsv.exe
    Filesize

    122KB

    MD5

    06f8de3a795a792120781079a9f8b93c

    SHA1

    401d92e5c56438cc885b4eb5ba5d64d76bdb8bb2

    SHA256

    4300eaaff53b45429cdb0ec01955f322a4c2ab18cc7aa0c93c3d047a210dfc00

    SHA512

    ec988b6bebaee83a5a45671ad19440f7681d3cf241c1834749e7d426e1a740bbdcce18d240f3a9ecd524f9d86a7ad76eefddb254a7f7a379d57532072d6834a5

    Download Submit

  • \??\c:\windows\system\svchost.exe
    Filesize

    122KB

    MD5

    4a82baf68c0a91565cd5dff6a51b9cc2

    SHA1

    b0c41e973b16e0c3f773bf6ec17df96aa857d3d7

    SHA256

    6737e220506b6a9ff49901f24ce381a23059317f81d4b42383d6a83fa167989c

    SHA512

    681910576c8c5a5cc2b876210615cf657da470086c817d54c50115099293cf41c9c77fcfc8190ae1495c735095321adcfb899a47ed0a5bb6a650c2eff0363fd5

    Download Submit

  • \Windows\system\explorer.exe
    Filesize

    122KB

    MD5

    e668825fac0bb8fc979bf1b2ffea00f5

    SHA1

    96c9a15d54faa3805a2795c50f39c25826b059e9

    SHA256

    1521aed286ea8358cf9a647b78679b66dc82b0ce7e1e5bd68e7e102969d2f335

    SHA512

    12001ac959b497bdc18c876375f22d882fabce19a956ea10551fa8f04874120065bf00591afb88367ef3b215637d9811f73917369639a2b9336ad6a2e02af49f

    Download Submit

  • \Windows\system\explorer.exe
    Filesize

    122KB

    MD5

    e668825fac0bb8fc979bf1b2ffea00f5

    SHA1

    96c9a15d54faa3805a2795c50f39c25826b059e9

    SHA256

    1521aed286ea8358cf9a647b78679b66dc82b0ce7e1e5bd68e7e102969d2f335

    SHA512

    12001ac959b497bdc18c876375f22d882fabce19a956ea10551fa8f04874120065bf00591afb88367ef3b215637d9811f73917369639a2b9336ad6a2e02af49f

    Download Submit

  • \Windows\system\spoolsv.exe
    Filesize

    122KB

    MD5

    06f8de3a795a792120781079a9f8b93c

    SHA1

    401d92e5c56438cc885b4eb5ba5d64d76bdb8bb2

    SHA256

    4300eaaff53b45429cdb0ec01955f322a4c2ab18cc7aa0c93c3d047a210dfc00

    SHA512

    ec988b6bebaee83a5a45671ad19440f7681d3cf241c1834749e7d426e1a740bbdcce18d240f3a9ecd524f9d86a7ad76eefddb254a7f7a379d57532072d6834a5

    Download Submit

  • \Windows\system\spoolsv.exe
    Filesize

    122KB

    MD5

    06f8de3a795a792120781079a9f8b93c

    SHA1

    401d92e5c56438cc885b4eb5ba5d64d76bdb8bb2

    SHA256

    4300eaaff53b45429cdb0ec01955f322a4c2ab18cc7aa0c93c3d047a210dfc00

    SHA512

    ec988b6bebaee83a5a45671ad19440f7681d3cf241c1834749e7d426e1a740bbdcce18d240f3a9ecd524f9d86a7ad76eefddb254a7f7a379d57532072d6834a5

    Download Submit

  • \Windows\system\spoolsv.exe
    Filesize

    122KB

    MD5

    06f8de3a795a792120781079a9f8b93c

    SHA1

    401d92e5c56438cc885b4eb5ba5d64d76bdb8bb2

    SHA256

    4300eaaff53b45429cdb0ec01955f322a4c2ab18cc7aa0c93c3d047a210dfc00

    SHA512

    ec988b6bebaee83a5a45671ad19440f7681d3cf241c1834749e7d426e1a740bbdcce18d240f3a9ecd524f9d86a7ad76eefddb254a7f7a379d57532072d6834a5

    Download Submit

  • \Windows\system\spoolsv.exe
    Filesize

    122KB

    MD5

    06f8de3a795a792120781079a9f8b93c

    SHA1

    401d92e5c56438cc885b4eb5ba5d64d76bdb8bb2

    SHA256

    4300eaaff53b45429cdb0ec01955f322a4c2ab18cc7aa0c93c3d047a210dfc00

    SHA512

    ec988b6bebaee83a5a45671ad19440f7681d3cf241c1834749e7d426e1a740bbdcce18d240f3a9ecd524f9d86a7ad76eefddb254a7f7a379d57532072d6834a5

    Download Submit

  • \Windows\system\svchost.exe
    Filesize

    122KB

    MD5

    4a82baf68c0a91565cd5dff6a51b9cc2

    SHA1

    b0c41e973b16e0c3f773bf6ec17df96aa857d3d7

    SHA256

    6737e220506b6a9ff49901f24ce381a23059317f81d4b42383d6a83fa167989c

    SHA512

    681910576c8c5a5cc2b876210615cf657da470086c817d54c50115099293cf41c9c77fcfc8190ae1495c735095321adcfb899a47ed0a5bb6a650c2eff0363fd5

    Download Submit

  • \Windows\system\svchost.exe
    Filesize

    122KB

    MD5

    4a82baf68c0a91565cd5dff6a51b9cc2

    SHA1

    b0c41e973b16e0c3f773bf6ec17df96aa857d3d7

    SHA256

    6737e220506b6a9ff49901f24ce381a23059317f81d4b42383d6a83fa167989c

    SHA512

    681910576c8c5a5cc2b876210615cf657da470086c817d54c50115099293cf41c9c77fcfc8190ae1495c735095321adcfb899a47ed0a5bb6a650c2eff0363fd5

    Download Submit

  • memory/972-78-0x0000000000000000-mapping.dmp

    Download

  • memory/1028-57-0x0000000075071000-0x0000000075073000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1052-60-0x0000000000000000-mapping.dmp

    Download

  • memory/1164-87-0x0000000000000000-mapping.dmp

    Download

  • memory/1240-69-0x0000000000000000-mapping.dmp

    Download