Overview

overview

10

Static

static

3

dffce7fe5a...ef.exe

windows7-x64

10

dffce7fe5a...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07/05/2024, 02:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dffce7fe5a998086d3e8e70c395ca9bbaa966b7ac74383e9de38c39732ab6cef.exe

  • Size

    211KB

  • MD5

    4d6f250bb8d011ade5678301ef60d3d4

  • SHA1

    07c2ef14f490767bf938bd9bce997f3384da3be4

  • SHA256

    dffce7fe5a998086d3e8e70c395ca9bbaa966b7ac74383e9de38c39732ab6cef

  • SHA512

    52fce216b88e3089e57633f83c409abecf596d6ea126129be7136630503ee8e86250389a53bbc00e524c191ca0339faba895020e48f47b3b95c5b605d5ff183a

  • SSDEEP

    3072:WD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqO4:Wh8cBzHLRMpZ4d1Z4

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dffce7fe5a998086d3e8e70c395ca9bbaa966b7ac74383e9de38c39732ab6cef.exe
    "C:\Users\Admin\AppData\Local\Temp\dffce7fe5a998086d3e8e70c395ca9bbaa966b7ac74383e9de38c39732ab6cef.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:640
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2580
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2364
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2536
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2408

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe
    Filesize

    211KB

    MD5

    540c2a73235cdb478928b2cb4df26d22

    SHA1

    bedb91c46d6f5f8da7a05cf30dd84373ce12c653

    SHA256

    d134fc8c3ba1514d3126cdc190ccf83c5bbec37a104d491f673dedfb9104476a

    SHA512

    bf9b0342e360c79aac2bab2c6e6e685923e77fb023b513a4112320b2647a3fb550d2e1657124a5611828b085c9456e8fedfd5f53c411c9358081cf86674af206

    Download Submit

  • C:\Windows\spoolsw.exe
    Filesize

    211KB

    MD5

    a2c09faafea1b57cfb4d29cc43deb01b

    SHA1

    da5d0d6db4cad8724bfa8346c0cd1b9f5f16918c

    SHA256

    7a6615c5b1655fa44b68330adce4ac97437821bfb20bfbf8e1c9507b08569cd9

    SHA512

    5c1a30d58cab81fbc2f2a5081d22a4549acec01d5f3e3defaffb421620b01ea7fa2e3c8ceccc592a3672f40e25e88a3628c8c020f20c281af2ed385c33fc2af5

    Download Submit

  • C:\Windows\swchost.exe
    Filesize

    211KB

    MD5

    1601e319eefbc75f80c905fa2cf20fb5

    SHA1

    8681f88fa9221d2933ea306c0cfa602328fcbb53

    SHA256

    83cfc920a470741a662698a9bad569265e064ffd97fe0910f72d6b66c61a850b

    SHA512

    838f9563fe0fe4b64e0a1fcee2333620f50f0365ea8ef51c7de6598535e6ddec82357d8c58fefc85c6ef1fb6e4590fe1e46e4e7e80d6b10b68cb0b553ba543ea

    Download Submit

  • C:\Windows\userinit.exe
    Filesize

    211KB

    MD5

    6148f2238e1b75c128d875a11614ebee

    SHA1

    6826dded2a36f49076dbb1bf08737a081e4c42ae

    SHA256

    8d4dffa42271fe5c069f935482274bd63606d481239e3f97f1ca306224c46579

    SHA512

    15b9a7be8846406f2af6cfe5f09e89903cfb898dff35ab98f6c3157f4991a6e58e04c5d4eee8ab88c826ef4d79734052787242edd9b8fd0585fcfbbe2c070147

    Download Submit

  • memory/640-0-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/640-11-0x0000000000760000-0x0000000000790000-memory.dmp

    Filesize

    192KB

    Download

  • memory/640-50-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2364-23-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2364-35-0x0000000001F80000-0x0000000001FB0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2364-48-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2408-47-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2536-41-0x0000000002520000-0x0000000002550000-memory.dmp

    Filesize

    192KB

    Download