Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/05/2024, 02:07 UTC

General

  • Target

    dffce7fe5a998086d3e8e70c395ca9bbaa966b7ac74383e9de38c39732ab6cef.exe

  • Size

    211KB

  • MD5

    4d6f250bb8d011ade5678301ef60d3d4

  • SHA1

    07c2ef14f490767bf938bd9bce997f3384da3be4

  • SHA256

    dffce7fe5a998086d3e8e70c395ca9bbaa966b7ac74383e9de38c39732ab6cef

  • SHA512

    52fce216b88e3089e57633f83c409abecf596d6ea126129be7136630503ee8e86250389a53bbc00e524c191ca0339faba895020e48f47b3b95c5b605d5ff183a

  • SSDEEP

    3072:WD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqO4:Wh8cBzHLRMpZ4d1Z4

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dffce7fe5a998086d3e8e70c395ca9bbaa966b7ac74383e9de38c39732ab6cef.exe
    "C:\Users\Admin\AppData\Local\Temp\dffce7fe5a998086d3e8e70c395ca9bbaa966b7ac74383e9de38c39732ab6cef.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:640
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2580
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2364
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2536
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2408

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe

    Filesize

    211KB

    MD5

    540c2a73235cdb478928b2cb4df26d22

    SHA1

    bedb91c46d6f5f8da7a05cf30dd84373ce12c653

    SHA256

    d134fc8c3ba1514d3126cdc190ccf83c5bbec37a104d491f673dedfb9104476a

    SHA512

    bf9b0342e360c79aac2bab2c6e6e685923e77fb023b513a4112320b2647a3fb550d2e1657124a5611828b085c9456e8fedfd5f53c411c9358081cf86674af206

  • C:\Windows\spoolsw.exe

    Filesize

    211KB

    MD5

    a2c09faafea1b57cfb4d29cc43deb01b

    SHA1

    da5d0d6db4cad8724bfa8346c0cd1b9f5f16918c

    SHA256

    7a6615c5b1655fa44b68330adce4ac97437821bfb20bfbf8e1c9507b08569cd9

    SHA512

    5c1a30d58cab81fbc2f2a5081d22a4549acec01d5f3e3defaffb421620b01ea7fa2e3c8ceccc592a3672f40e25e88a3628c8c020f20c281af2ed385c33fc2af5

  • C:\Windows\swchost.exe

    Filesize

    211KB

    MD5

    1601e319eefbc75f80c905fa2cf20fb5

    SHA1

    8681f88fa9221d2933ea306c0cfa602328fcbb53

    SHA256

    83cfc920a470741a662698a9bad569265e064ffd97fe0910f72d6b66c61a850b

    SHA512

    838f9563fe0fe4b64e0a1fcee2333620f50f0365ea8ef51c7de6598535e6ddec82357d8c58fefc85c6ef1fb6e4590fe1e46e4e7e80d6b10b68cb0b553ba543ea

  • C:\Windows\userinit.exe

    Filesize

    211KB

    MD5

    6148f2238e1b75c128d875a11614ebee

    SHA1

    6826dded2a36f49076dbb1bf08737a081e4c42ae

    SHA256

    8d4dffa42271fe5c069f935482274bd63606d481239e3f97f1ca306224c46579

    SHA512

    15b9a7be8846406f2af6cfe5f09e89903cfb898dff35ab98f6c3157f4991a6e58e04c5d4eee8ab88c826ef4d79734052787242edd9b8fd0585fcfbbe2c070147

  • memory/640-0-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/640-11-0x0000000000760000-0x0000000000790000-memory.dmp

    Filesize

    192KB

  • memory/640-50-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2364-23-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2364-35-0x0000000001F80000-0x0000000001FB0000-memory.dmp

    Filesize

    192KB

  • memory/2364-48-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2408-47-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2536-41-0x0000000002520000-0x0000000002550000-memory.dmp

    Filesize

    192KB
