Overview

overview

10

Static

static

3

1720f8426f...a0.exe

windows7-x64

10

1720f8426f...a0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 10:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1720f8426f21f5de168038a0820a39a0.exe

  • Size

    206KB

  • MD5

    1720f8426f21f5de168038a0820a39a0

  • SHA1

    e54bc419c5293e422a0eae8054a081a3c4e56c8c

  • SHA256

    48c073b15ba2d0c496b5e663ebf4c11f87d0dd7952eeea7fc11cf90f6f7df8fd

  • SHA512

    5a5510862ccb3965c67d8ecc8056d2a0e504b4059bcffad4960fe0031b0d82abf70e6ff0d7b2157a9e4fe81e4d0e5abff9aef7ca1b90fd2759ed2713c36baf2e

  • SSDEEP

    6144:zvEN2U+T6i5LirrllHy4HUcMQY6oSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSE:zENN+T5xYrllrU7QY6oSSSSSSSSSSSS9

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1720f8426f21f5de168038a0820a39a0.exe
    "C:\Users\Admin\AppData\Local\Temp\1720f8426f21f5de168038a0820a39a0.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2612
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:620
  • \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4804
    • \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Windows\SysWOW64\at.exe
        at 23:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        3⤵
          PID:5020
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe PR
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:228
        • C:\Windows\SysWOW64\at.exe
          at 23:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          3⤵
            PID:4384
          • C:\Windows\SysWOW64\at.exe
            at 23:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            3⤵
              PID:1044

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\mrsys.exe
                Filesize

                66KB

                MD5

                7dcce129f8438fb94912aa3aa4fff2c9

                SHA1

                95f033d8f5caba5b084e6d5587a183c2b691f1d2

                SHA256

                735b03666e7235ee608ecb60ec785c3668b2e8bb74baa72d44f44689db828c40

                SHA512

                7a6671b342d813698f548e32dac2100eed647d66dfc8dd5ece7d62e18ab9732739ba4a9fa5e71b457be30ef85ac61bf2aaa40326fbef0def42bbe8a0425369e1

                Download Submit

              • C:\Windows\System\explorer.exe
                Filesize

                82KB

                MD5

                46861734b1bce3d63d206ce8c9591325

                SHA1

                0947402a314550bc74f3d9835d8e8c5aebe5594b

                SHA256

                ef2c89dc31aebeb7826d3899a3633dfd7008b14e3428351d599f060d7f5a9f7f

                SHA512

                4b8c6a4259ac875cb9649671b1110873b19bf7a9e367991881790887f119fdb7c2f92204c516724b3ff04e238e880a19b1261380e046688e9046842d137a9620

                Download Submit

              • C:\Windows\System\spoolsv.exe
                Filesize

                52KB

                MD5

                4d406d4cab3d67acb1ff5ff3cfe222d2

                SHA1

                3260e9d10c40deedfe99b88b2ea8f407aa6129fb

                SHA256

                471368e4d97932e7de439398f501edc92e16d339f126fb74d414be4d8cc4ce9b

                SHA512

                e471cae12d1e36a9342e2982d9687c4bd776aadf5a22087d7497083a7ccfb73048ae686667e50a99442c63c0c6782be2cb98ff4433579accac1739e8cbb5fa6d

                Download Submit

              • C:\Windows\System\spoolsv.exe
                Filesize

                76KB

                MD5

                7259d9950d277a37b1e26c46c153350b

                SHA1

                e343b5c101fc5d6862dee0af7a43cfd03e233927

                SHA256

                1c3b0da28cbc01d1bc950a79ecc6b7f693b7dbc1ff479aaba159ef1e6e517378

                SHA512

                1ed0bae0e2afaaf7c3d3adcd11cc96687964e0dbb24e5d7ee83ce9ae8806a9caad23c151686de6ca2ae469938e939aa3316b214cdca37dfbee5a815bbf861f0d

                Download Submit

              • C:\Windows\System\spoolsv.exe
                Filesize

                92KB

                MD5

                b6a1d5a8b9bcb5a2f5c17c762e64eb28

                SHA1

                cbba7999b5638f1b884303d49e4d4f27cc902c22

                SHA256

                b18c47a87383282de29f443c7e139fc3a7afb745986c64c1e7fed2fbd0f663cf

                SHA512

                22eeb2a03e7f303d696cb2438168d8447238960feadf93094e8d7f1ccb1d357e5000fab5fad18a9b8213c374fd8c76d142b85c7a1754465ad4a598a7dd4a01c5

                Download Submit

              • C:\Windows\System\svchost.exe
                Filesize

                34KB

                MD5

                1b0132780d0b5d94af34d5945d4cf519

                SHA1

                772e489a7bf26b96830421da79991fe9957f8aed

                SHA256

                466576b78bf82347e7910edb54c9820512c01c00e04563346fc03f6d073582d3

                SHA512

                01fc5388821b44503eb3ffdde680255ffb93344b9225573be28ad1e4b39d682ca26aec0ee3a686a330e1dd62a67d9b1f3209fc5d88d98a3db45ea672212b6563

                Download Submit

              • \??\c:\windows\system\explorer.exe
                Filesize

                64KB

                MD5

                c800582e43c15f6024c17a44f4ef5120

                SHA1

                75ba795e5f1a16532aa920427afe3034e1982f9f

                SHA256

                b969ecc0635400f4ee1a8858e59dde7d129c51df9d23f72d53dfa6c3aab52421

                SHA512

                3878b37e62d579921b6c6d8439a9c63a15aea02e6a7a88c52ab4c2bab02270a5a008a28b58bb50858c278ff7b7c547f8debb055425000d0df8667dacad54391e

                Download Submit

              • \??\c:\windows\system\spoolsv.exe
                Filesize

                65KB

                MD5

                0aaa89e02cc236785da7e127f8c460b7

                SHA1

                e99cd6579d01dd776f18aa919251154342a3e8be

                SHA256

                e196e9480f22722b1e15f6bbe1bec450cd57678bc8e5f4a8b6cfcb2c5fcc029b

                SHA512

                5758e4f704a6cdd78ad8563a0316ee30c1750e149a4c753619242d0321c1b461938af756b0aef47d5b796b72d64355dc47f8cbc46ef5581c043dc3b94d5bb256

                Download Submit

              • \??\c:\windows\system\svchost.exe
                Filesize

                124KB

                MD5

                f426bea6fb3725cfb8df117672a12b28

                SHA1

                d6e7c582b3be09cf2cd0f29479a1d5d2a32f252e

                SHA256

                06a56f46442fb49bec52a8a7ea45cc607bf4ecc1aa802fed2bcd2b0fc61321a8

                SHA512

                5dcd7e6adf5bc67632fa3c0daede6f432864890d3a9753bc1ca8a150f8b24ca6037134dbca2cb420f77afc5b7bf7b227f85f74682c8400ac9de3e27cc3b380a3

                Download Submit