77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02.exe
Size

6.7MB
MD5

4df67fdffb17735693e05dbc0ff1af49
SHA1

e83a5ca99aab07af047a28e8814cdab6ec2fcab9
SHA256

77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02
SHA512

1de5e18f908e8c82652f21f57f9816ce2792208196efb59ea3fec9f7b1c9f6e1b1aeb32ef23ac32bbf06e9c90506fc99573e7aa49581e950fd0179a97ae1e4bf
SSDEEP

98304:yYZUEjoJsG5kHHOBD3kjwLTLtLixoilX3oor+vm5KsxXAePEkj2crBgfh6gwH+:y0bmLdTLtLs3oor+vmIAjyh6gwe

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3024	MRmonitor.exe

Loads dropped DLL 1 IoCs

pid	Process
2396	77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MR_Sev = "C:\\Users\\Admin\\AppData\\Local\\MR\\MRmonitor.exe"	77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2396	77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2396	77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2396	77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02.exe
2396	77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2396	77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02.exe
2396	77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 3024	2396	77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02.exe	28
PID 2396 wrote to memory of 3024	2396	77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02.exe	28
PID 2396 wrote to memory of 3024	2396	77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02.exe	28
PID 2396 wrote to memory of 3024	2396	77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02.exe	28

C:\Users\Admin\AppData\Local\Temp\77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02.exe
"C:\Users\Admin\AppData\Local\Temp\77fe8b7d1429b8207c98dbf2d2132a9f216504c417e70ca0ae4a8ebaf113cc02.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\MR\MRmonitor.exe
  "C:\Users\Admin\AppData\Local\MR\MRmonitor.exe"
  2⤵
  - Executes dropped EXE
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\MR\MRmonitor.exe

Filesize
81KB

MD5
6f4d5dc16cd7c031db5db2aeb9ca2369

SHA1
3c650d9294de02560144e17b2610b052d8ae8aa1

SHA256
f5983ce1dc3d479fec1d3c08fd88940682ec9d94f0470c7da7519490cb99525a

SHA512
87eb7082e3c7f3e9275cc1f5db4ff9aff8882b3f928837d9d07ebe219c0c423e8e237fc71661f324c45a06bf9ffe9a93a9952245385bd2f57a56029c8f11dbf5

Download Submit