Overview

overview

10

Static

static

3

d2aefc636b...7a.exe

windows7-x64

10

d2aefc636b...7a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 04:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d2aefc636b6db18278187345fb5bf1e898c2edae0d0edb35cb4e736ac434ad7a.exe

  • Size

    66KB

  • MD5

    79566a1c23d7399ce2d4cb6172a753ce

  • SHA1

    4f007c19c14cca656c5a814a1d2c65349bc2be80

  • SHA256

    d2aefc636b6db18278187345fb5bf1e898c2edae0d0edb35cb4e736ac434ad7a

  • SHA512

    0765258ac8c1510722d4169251e94cc7c845c69060c9621827b76595899c9832d7840fdd7c3c4cbf95ad469733bfd904b30e82f6808bd1314283af68ff2f9071

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiY:IeklMMYJhqezw/pXzH9iY

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2aefc636b6db18278187345fb5bf1e898c2edae0d0edb35cb4e736ac434ad7a.exe
    "C:\Users\Admin\AppData\Local\Temp\d2aefc636b6db18278187345fb5bf1e898c2edae0d0edb35cb4e736ac434ad7a.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1300
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4012
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5076
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3232
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2512
          • C:\Windows\SysWOW64\at.exe
            at 04:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1364
            • C:\Windows\SysWOW64\at.exe
              at 04:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:3000
              • C:\Windows\SysWOW64\at.exe
                at 04:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4352

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\mrsys.exe
                Filesize

                66KB

                MD5

                770f70bd83d9edf145d5eb4a85cacefd

                SHA1

                62b103b3e7c8b6b6baed284f16b5ce8bc6f46c97

                SHA256

                d4cd43ebe7588f5fd6dffe9da3f729a04a3f71c96fb7c807417939637da03a2f

                SHA512

                e2bb25628817dcbdd6fe7a33d8b1a0f5ac046b9ae8bf5493cb23834c3e3d1594d2d48dbe0449b92dd2f2f3cc1a09143a29b77107fabe61dd3b47c7c7f5124c3e

                Download Submit

              • C:\Windows\System\spoolsv.exe
                Filesize

                66KB

                MD5

                b1ca700ff7bf83c4ebf78fb8ff6b45bf

                SHA1

                c3b742ffee1a411cd5718473851c8c205b71aa51

                SHA256

                d3b9154273cceeb3c6ee2435948de0ef9d0818eb2fabd8706e75e623e33f9aed

                SHA512

                33f95ff815bd421770c87ff10711441ebae9cbd694f817042151a633011f4d9f81c21f068e0b6f01678a44d01f08b8164c6b8b5cc070b6bc7059cddc69e90946

                Download Submit

              • \??\c:\windows\system\explorer.exe
                Filesize

                66KB

                MD5

                dcd9ce9bb6ccee604e85fcdfba3d4759

                SHA1

                2b2af21dddfdb01c875d6e7434afe723c71a31b0

                SHA256

                18cabd59c9a2a3e25356935e538c3c0b22aefca4910eef8fbfefa8fa8cc3b67a

                SHA512

                27d910d21ce6e33e8acf148b22dcf0dab2d94ca3f3e8929258e8b83c04dbe850ba40dec31425346995ec254570aaeee9c29c917eda81a1e394c040559fc0c738

                Download Submit

              • \??\c:\windows\system\svchost.exe
                Filesize

                66KB

                MD5

                5c11f3c5f86d39360e0281ec1d8bd911

                SHA1

                273ddd0e85ec508c12a0d86f573050ebb2ecab0a

                SHA256

                272c434fdebdd9d35671e222fd2ac5cb7946bb54ec8adf33d21edb19562cfa43

                SHA512

                99a527b0af9d9c3ba22d8ecbb18b5069c9e8036e65333887cf43659fadbcf87119b23400a092fb6f4c3234c829c6ef665eb6d2ee12358dbf7bb2ad60564c9505

                Download Submit

              • memory/1300-2-0x0000000074BF0000-0x0000000074D4D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1300-57-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1300-58-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/1300-4-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/1300-3-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1300-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

                Filesize

                16KB

                Download

              • memory/1300-0-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1300-56-0x00000000001C0000-0x00000000001C4000-memory.dmp

                Filesize

                16KB

                Download

              • memory/2512-50-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2512-44-0x0000000074BF0000-0x0000000074D4D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3232-38-0x0000000074BF0000-0x0000000074D4D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3232-37-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3232-62-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4012-60-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4012-71-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4012-13-0x0000000074BF0000-0x0000000074D4D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4012-15-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/5076-25-0x0000000074BF0000-0x0000000074D4D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/5076-54-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/5076-30-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/5076-26-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/5076-24-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download