Overview

overview

10

Static

static

3

3f8043c9ee...8c.exe

windows7-x64

10

3f8043c9ee...8c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 20:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f8043c9ee50757444607d22f70c94ed3df175add0bd4dbb09239a44e1583c8c.exe

  • Size

    2.6MB

  • MD5

    db9d14ae80710f32c9f7e678ebdc0928

  • SHA1

    6cd2aca6b719bd8fd14ab6c7ef040910fa82afa7

  • SHA256

    3f8043c9ee50757444607d22f70c94ed3df175add0bd4dbb09239a44e1583c8c

  • SHA512

    fa06e543a6c9447ece98a9e70dfaceb387cc67edd4f4dffdb66d34f84c532bbdcf908680a45616594c1913710acbd7b970d9b1bb3d42def737f92da1af46cc6e

  • SSDEEP

    49152:cYMum5+mnFOMaJGVAkfqKH64I66ZG4+uXBV4uTvM+v8g2qxL:ZMJrNAkfFI66f/M+v8g2qxL

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f8043c9ee50757444607d22f70c94ed3df175add0bd4dbb09239a44e1583c8c.exe
    "C:\Users\Admin\AppData\Local\Temp\3f8043c9ee50757444607d22f70c94ed3df175add0bd4dbb09239a44e1583c8c.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3152
    • \??\c:\users\admin\appdata\local\temp\3f8043c9ee50757444607d22f70c94ed3df175add0bd4dbb09239a44e1583c8c.exe 
      c:\users\admin\appdata\local\temp\3f8043c9ee50757444607d22f70c94ed3df175add0bd4dbb09239a44e1583c8c.exe 
      2⤵
      • Executes dropped EXE
      PID:2324
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4764
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visiblity of hidden/system files in Explorer
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4524
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2940
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visiblity of hidden/system files in Explorer
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2656
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2096
            • C:\Windows\SysWOW64\at.exe
              at 20:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
                PID:772
              • C:\Windows\SysWOW64\at.exe
                at 20:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                6⤵
                  PID:3656
                • C:\Windows\SysWOW64\at.exe
                  at 20:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  6⤵
                    PID:2876
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:3400

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\3f8043c9ee50757444607d22f70c94ed3df175add0bd4dbb09239a44e1583c8c.exe 
            Filesize

            2.4MB

            MD5

            a766188d75e570ea3f9b09fb9d82cb54

            SHA1

            a82705f4f5d1408f7c14d16a9cbe26c509422b29

            SHA256

            07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff

            SHA512

            7a953539885f4061dcd94fa78b0d60877e56b64012d75d7294b643df1a9e1a10418c2f2dd5b26708167624a1782b30501e0307c49dd2224d49deac10bcd75ee5

            Download Submit

          • C:\Users\Admin\AppData\Local\icsys.icn.exe
            Filesize

            206KB

            MD5

            56f9ef984a9c96d5fd455cd172582e7a

            SHA1

            013df3f9528c97f5edd0fa9f0b4f09afb1342aa4

            SHA256

            8b154c68869dbe01ce2480cffa72db9bee844c51eebb349d679e96e045bd59a9

            SHA512

            7e644bab57698381eb91368d07eaf1ea9fce659616bd9a7695e108b14ee66a690ebf704a58e87857217751b44a42389c0494fd71e2e2ca4b39c15fe43e41f8c7

            Download Submit

          • C:\Users\Admin\AppData\Roaming\mrsys.exe
            Filesize

            206KB

            MD5

            e9afeb7cb5fcd1be4dfc14bf94fb96ed

            SHA1

            9e0c068fc02588399e4221900288d4db98e87206

            SHA256

            0ad5f024b5004ff97bf73f91668c91903ca9cdf4be7958da2c8d1abe85939d07

            SHA512

            bff18420f24375fc7bc32eea078d360141abe6171134fc88397daa1542228d042ab6798ac91029b082f16b99f25a808044dee7199a0281b67fe2f719b78c8d73

            Download Submit

          • C:\Windows\System\explorer.exe
            Filesize

            206KB

            MD5

            f32209b91852ea3dc08df8ceed70d14c

            SHA1

            a2c31996766296d37232f53412d8ed918623c46b

            SHA256

            cafa37bef6e8f1e9deea9bcdbf055154415c8232ff127c0a168fccd8ade75212

            SHA512

            eff70d8d06815ac3ab7e0984c8397423906497b56837b412e8abb16ee9600709c4adfdbb0786d4f9ab932ac973f7cf576664132062a60b39afde4e7610211e0b

            Download Submit

          • C:\Windows\System\spoolsv.exe
            Filesize

            206KB

            MD5

            fc979a5c5f1fe571f6bed357e8944469

            SHA1

            bdf986b32ec95ca317581f6809a3762cb5be6793

            SHA256

            9cf63ec25e11ed8c8d45b1648d1fad8c4fde5f48029dcd5302ebb2abd8ab1dda

            SHA512

            de3e1ca0cec67ef1e2c4f045461dfaf4e691a09a008167761cb4bff10ff2f130145f8e888292ab3b4cdcfff07afcb06ba95776a29284e6b843888d509da0af58

            Download Submit

          • C:\Windows\System\svchost.exe
            Filesize

            206KB

            MD5

            00148d4ef56d619d166265c2778a1ffc

            SHA1

            15840226609a54988e21784dea3131674834dcea

            SHA256

            02b21708822299e94396a69d6ddf10958f20491ccb2139187143cb442df8b882

            SHA512

            cfb0d6cdddb65755eff41635640f9c7fd4bd0c1c922e5b6bfc4fc2e23bf274150ee849ea621b3cdbb2e5719914ea79f1cb3a40c28793cb72bdf1fea99a21dc12

            Download Submit