Analysis

  • max time kernel
    150s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/05/2024, 02:07

General

  • Target

    dffce7fe5a998086d3e8e70c395ca9bbaa966b7ac74383e9de38c39732ab6cef.exe

  • Size

    211KB

  • MD5

    4d6f250bb8d011ade5678301ef60d3d4

  • SHA1

    07c2ef14f490767bf938bd9bce997f3384da3be4

  • SHA256

    dffce7fe5a998086d3e8e70c395ca9bbaa966b7ac74383e9de38c39732ab6cef

  • SHA512

    52fce216b88e3089e57633f83c409abecf596d6ea126129be7136630503ee8e86250389a53bbc00e524c191ca0339faba895020e48f47b3b95c5b605d5ff183a

  • SSDEEP

    3072:WD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqO4:Wh8cBzHLRMpZ4d1Z4

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dffce7fe5a998086d3e8e70c395ca9bbaa966b7ac74383e9de38c39732ab6cef.exe
    "C:\Users\Admin\AppData\Local\Temp\dffce7fe5a998086d3e8e70c395ca9bbaa966b7ac74383e9de38c39732ab6cef.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2864
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4708
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1404
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4456
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe

    Filesize

    211KB

    MD5

    c23a826a8d7a8f07b4ae94898b69180e

    SHA1

    ff86fbd5245f55c57b7109e4287a2fe219f87153

    SHA256

    322984949a75ea83f363c7bb4bee44e44dc4ee5b92999288c720e167136893a1

    SHA512

    f05b803427cb9b9d9e37a98ff9fb762863bf2386f8b090057c64ba44c083d5152c81c3700a5e9a20964f97ccb595faf27697306a578fc9c6fc235f4b4c6bc889

  • C:\Windows\spoolsw.exe

    Filesize

    211KB

    MD5

    bc1c177c058579cb29417e4487f636d5

    SHA1

    c5b7bbb49af81b78fba29b33a446f3c69ce56779

    SHA256

    bcfdc8a78621f6458da8358317e5d81d21a29931f9af32ed6b081edc136eebfa

    SHA512

    fc0754253a83f69b0a68ee8e99b9376f2c736dd012a5140b28bce34a132a46538f350b56268415bce5bb2a95dc9b349abfa0e42d0875b419f85a8fb953ab4590

  • C:\Windows\swchost.exe

    Filesize

    211KB

    MD5

    3d9d4bf629c36eba2c946b197f95805d

    SHA1

    f74d464838891442ac277a03a11b62892661d95a

    SHA256

    57a943a88d0461a4133ef11855da523ad9436591cb4a6933e4a86e94d4337abb

    SHA512

    7e5cdaf43731705f00fd68caa311e62a94c23089207dca0d184685706f37608144645ecabfafed6b2ff2b8345a67a2d0f546c7eb7635059a45843cc2593b4caa

  • C:\Windows\userinit.exe

    Filesize

    211KB

    MD5

    41d2ebfea9b1c884b33cad5896911a59

    SHA1

    041c74d9ca68a9dae184c0a776f1a57b940a19e2

    SHA256

    3a8a0c9237f890cce519505b1fa7a98f00f3d2374eda007c24a018bc85ea1fc4

    SHA512

    60c344069611939c756570bfa5321c1cccf7a8282516071f5206fadf45b2009b0ad773b72a7af6596c425e790b6e4c2d749a0558cac134466c52dbeaaaa88d02

  • memory/1404-36-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2600-33-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2864-0-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2864-37-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/4456-25-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB