Overview

overview

10

Static

static

3

77b75ef2b0...2d.exe

windows7-x64

10

77b75ef2b0...2d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 23:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    77b75ef2b087e43af291b2dde7be123f91eeec5d67e918186884e67bfa69c02d.exe

  • Size

    2.1MB

  • MD5

    b020de0b8135bfd41b136eb5b8572f2e

  • SHA1

    e9382178428409fde954fa4d1b7ad32781dbb305

  • SHA256

    77b75ef2b087e43af291b2dde7be123f91eeec5d67e918186884e67bfa69c02d

  • SHA512

    6cdef0024a5570c0e6549da081ce4aa94a088009626cb9571e15515c7ea2062d6f8cf54e3c7b9074c9e566e6ed8d4b65bf62ec27d759675339b97e502b63114d

  • SSDEEP

    49152:bYi2aV8V9QaHywQlYAiN9ef/3IXtdOOqxbwPsR7mGhQ:EAQxUlYTqVRLhQ

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 15 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\77b75ef2b087e43af291b2dde7be123f91eeec5d67e918186884e67bfa69c02d.exe
    "C:\Users\Admin\AppData\Local\Temp\77b75ef2b087e43af291b2dde7be123f91eeec5d67e918186884e67bfa69c02d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1740
    • \??\c:\users\admin\appdata\local\temp\77b75ef2b087e43af291b2dde7be123f91eeec5d67e918186884e67bfa69c02d.exe 
      c:\users\admin\appdata\local\temp\77b75ef2b087e43af291b2dde7be123f91eeec5d67e918186884e67bfa69c02d.exe 
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe
        "C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "c:\users\admin\appdata\local\temp\77b75ef2b087e43af291b2dde7be123f91eeec5d67e918186884e67bfa69c02d.exe " -instdata "C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2520
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2556
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visiblity of hidden/system files in Explorer
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2452
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2480
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visiblity of hidden/system files in Explorer
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1648
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2764
            • C:\Windows\SysWOW64\at.exe
              at 23:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
                PID:2168
              • C:\Windows\SysWOW64\at.exe
                at 23:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                6⤵
                  PID:3064
                • C:\Windows\SysWOW64\at.exe
                  at 23:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  6⤵
                    PID:2388

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          206KB

          MD5

          6ca063d92b8ca9e08d18e0971695e976

          SHA1

          c31dd8732e7030fda5f0aff11b10fda5b43ebd66

          SHA256

          3575e24fed224d16025770e965fada5a49fbe0f06372f4d094bb48659b467406

          SHA512

          2874a186fc93edbcd4cf256968043b47df2032b25785dd412577ed6c5cae52d3fdf9c7ea4504d35ef4004cf4f55e01ce2d28caaf64cd3c99d1f3b45da6aa0326

          Download Submit

        • C:\Windows\system\spoolsv.exe
          Filesize

          206KB

          MD5

          6761d63f044ca07ae8317f0b77002f1a

          SHA1

          0af4c81eb5a6c3cb3b9699865cbfe73febdfc45b

          SHA256

          aab3af13e2ebc1888497fefa6e0b66144cab155c965ea164dd8e2e7f433e33e3

          SHA512

          18578601dabab0952f130769ad5c985168d5c774b4039ee984c71bf7d16464fec4b8287167d39e0187d3186fc5e2380261d33c51fce99e42243fc8afd0d6954e

          Download Submit

        • \??\PIPE\atsvc
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          Download Submit

        • \Users\Admin\AppData\Local\Temp\77b75ef2b087e43af291b2dde7be123f91eeec5d67e918186884e67bfa69c02d.exe 
          Filesize

          1.9MB

          MD5

          ccb51dcbaa34b39d446a81396369eb6a

          SHA1

          fd4a5ef1b06787c25d78c3379cf6ccfab8f6cf54

          SHA256

          4901cf57ef741ddba97f0a28e7e8f1628585ff5c2c48e72fb3aad49e66c68da6

          SHA512

          6dddaaa0931551f86700df9f1d27df5943c82a87ae6baf193b7bd1925beb9a2514aa3ddbcac8c62fbe7621035be41e085b99c14a82c3877e17764d1dc5d70ee7

          Download Submit

        • \Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe
          Filesize

          1.5MB

          MD5

          7b97aad379efeb939274cf4c597a657e

          SHA1

          a995c0a6e71c2991a58a48a7549f2b1816e92fba

          SHA256

          31604e942ae8dbfda2361efa4afa49d1b604baac06b92ac15e6150172f18c1f4

          SHA512

          a71b3350789dec121bc14b9aa48292e2ce5f06b97c0346050fd648c10df06c5cbf3468700a2494cde399c3e8420354c10349f8dd270a66f2deba7bcae7239ba7

          Download Submit

        • \Users\Admin\AppData\Local\icsys.icn.exe
          Filesize

          215KB

          MD5

          7e8ef94c7b4a6f4b9f74700ea7ddb04d

          SHA1

          d2b0dd1376dca5cd46bd73084bbbf957fa9aa4f8

          SHA256

          2898d38a7a714326654c466b9daccf3c9e839913cfd93b0c57d3cf53e8a977af

          SHA512

          357b948dcce2f0aee7bd10cc565acd30fd21031c3e696c5189068ce92caa333bea4d1bac1a59efab0b01839e068f7cbea71fe0d25b50adc59a56a25b7f9f1e9a

          Download Submit

        • \Windows\system\explorer.exe
          Filesize

          206KB

          MD5

          b5e56df8efb4c7b9840eaa97480c07de

          SHA1

          73916cfcb02d41c7c50c4209568516f3ad2a81e0

          SHA256

          f8f5e5f9198b55d3b3a2a88ec93f1bbc26bc819abb15b2198fde6a20d4a44e17

          SHA512

          71476c9a0f5b85c861389358391ff65b8a2ad8d0e88f7cfc1f6c9b24c3a40b06d3ed4e7024544c0e92bc1ae0fc1a2845a68418903d7cbe1f0eda2cc3fdfef795

          Download Submit

        • \Windows\system\svchost.exe
          Filesize

          206KB

          MD5

          c731ccf2375df325e4e2e75da9d3f446

          SHA1

          7b275f91ff7f2b2063f4d1e680c0e1110d15d15b

          SHA256

          0e350458b154c6c986c28a5a030bb807c3f6391966ecf5ccd57a4854412a423d

          SHA512

          5d4d0555301cb8900279d1091cea626f7f5c9cd7b0078f1c202c2b12af15ba9c6a5c3c8c227088ae73e2f9fea2d2ead039877f1cd2b06a0e8e010820cf6a3ba8

          Download Submit

        • memory/1740-40-0x0000000001EE0000-0x0000000001F21000-memory.dmp

          Filesize

          260KB

          Download

        • memory/1740-41-0x0000000001EE0000-0x0000000001F21000-memory.dmp

          Filesize

          260KB

          Download

        • memory/1740-0-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/1740-102-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/2452-73-0x0000000002DA0000-0x0000000002DE1000-memory.dmp

          Filesize

          260KB

          Download

        • memory/2480-98-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/2480-75-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/2520-32-0x00000000000B0000-0x00000000000B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2520-93-0x00000000000B0000-0x00000000000B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2556-42-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/2556-101-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/2556-56-0x0000000003270000-0x00000000032B1000-memory.dmp

          Filesize

          260KB

          Download

        • memory/2556-57-0x0000000003270000-0x00000000032B1000-memory.dmp

          Filesize

          260KB

          Download

        • memory/2764-97-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download