Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-05-2024 02:10

General

  • Target

    7506ecba0c8dcd4496f7f336808e98706fb7b0b4bbe156b4c7ce9dc4efa392f7.exe

  • Size

    211KB

  • MD5

    114f4aaaca4e97325d1c8ccc63e783c0

  • SHA1

    f8a8e8a94ae052486d3a862ad9d96b12594bd15b

  • SHA256

    7506ecba0c8dcd4496f7f336808e98706fb7b0b4bbe156b4c7ce9dc4efa392f7

  • SHA512

    1bbf431826b10f355c994d6e87746ef5de148d4e00a3d6589b5e292afe883b8b5103bc601dbe9e509ae8405f71a24ca1e59d4c4c2b238cb90897726b0f34c12e

  • SSDEEP

    3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOd:Jh8cBzHLRMpZ4d1Zd

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7506ecba0c8dcd4496f7f336808e98706fb7b0b4bbe156b4c7ce9dc4efa392f7.exe
    "C:\Users\Admin\AppData\Local\Temp\7506ecba0c8dcd4496f7f336808e98706fb7b0b4bbe156b4c7ce9dc4efa392f7.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2420
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2364
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2772
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2816
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (3) T1547
    • Registry Run Keys / Startup Folder (2) T1547.001
    • Winlogon Helper DLL (1) T1547.004

Privilege Escalation

  • Boot or Logon Autostart Execution (3) T1547
    • Registry Run Keys / Startup Folder (2) T1547.001
    • Winlogon Helper DLL (1) T1547.004

Defense Evasion

  • Modify Registry (4) T1112
  • Hide Artifacts (1) T1564
    • Hidden Files and Directories (1) T1564.001

Discovery

  • System Information Discovery (1) T1082

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe
    Filesize

    211KB

    MD5

    7dba927831e336339297b8ab7c7ccaba

    SHA1

    10315932469ed5454c34572740fc61e1e2286550

    SHA256

    1a60000db2fbcff2812b1910873eaddc8a7b0050788878c1081c718351c86c88

    SHA512

    fbbbe466752f8821cec022f888682ac92ab7b29220c37f3a59804283bb8f49c4486fb407f323e13f1ad884c4f0fd829b90c614654bcef462aba3b0ba0a99bbe5

  • C:\Windows\spoolsw.exe
    Filesize

    211KB

    MD5

    0046c031cf70c48577c8bc5f5e0a39e5

    SHA1

    f3bd700e3a2544630c3d8da6c757f7e06c0b7e48

    SHA256

    8af5904da3258f305a4d1b0ef6310035afa8c5785053cb8ee6417a948c0a1591

    SHA512

    f68df9ba9b581ef752d81fa4492b7095a70b2198a1ea8a92f578a19767aa038de9fca4c2248199110e0528612dd212265f9a667faba9753c2088e408469e8832

  • C:\Windows\swchost.exe
    Filesize

    211KB

    MD5

    215cb2f3cb230a4ec88aae88abba84b5

    SHA1

    75cce633fff1a15d6c70a2d353fc2fcbb5b4d69b

    SHA256

    fa6a95007e67026bf6d6ed6bb04402d9454b1faebbb9dd06b08b4d597c3ca4a1

    SHA512

    f6c8d6502c97e016037e7456ce99c1dad5cfd0208084b6b6842a8c81b5386accdab382a62b6509e05d8e361fec9bb0d8dffe765ddd932d94196ef7b3f18b97e2

  • C:\Windows\userinit.exe
    Filesize

    211KB

    MD5

    9b4816bb994e96b1a4ac3b06ecfa8339

    SHA1

    76bd696bc083239359177ee01c3fe58f4030b5ee

    SHA256

    be0446a80d0093a98a8b74d2c5faea415bef70cddef7c1d9ab021f071922eeed

    SHA512

    8c9d780322db4b2b518bae563d0795ff07fd9497423b238cc74a64af4d7358589ff2f6632c21021c7203fe706b26fddc22c8dda53dff11052652634605865bb4
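The following host sweep is an added example and is not part of the sandbox report. It turns the Signatures, Processes and Downloads sections above into checks a responder can run on a suspect Windows machine: it hashes the four dropped paths against the SHA256 values listed under Downloads, lists running copies of the dropped names by full path (the legitimate userinit.exe lives in C:\Windows\System32, the dropped one in C:\Windows), and inspects the persistence locations the signatures name. Assumptions: the "Modifies WinLogon" check compares against the Windows 7 defaults for HKLM Winlogon\Userinit and Winlogon\Shell; the "Modifies Installed Components" signature is taken to mean Active Setup (HKLM\...\Active Setup\Installed Components, whose StubPath values run per user at logon); mrsys.exe is looked for under every profile in C:\Users, not only the analysis user "Admin"; and the script needs an elevated PowerShell 4.0 or later session, since Get-FileHash does not exist in the 2.0 that Windows 7 ships with.

```powershell
# Added host-sweep example; not part of the sandbox report above.
# Run elevated, PowerShell 4.0+ (Get-FileHash needs 4.0; Windows 7 ships 2.0
# unless WMF 4/5.1 is installed).

$Findings = New-Object System.Collections.Generic.List[string]

# SHA256 values of the dropped files, copied from the Downloads section.
$Dropped = @{
    'C:\Windows\userinit.exe' = 'be0446a80d0093a98a8b74d2c5faea415bef70cddef7c1d9ab021f071922eeed'
    'C:\Windows\spoolsw.exe'  = '8af5904da3258f305a4d1b0ef6310035afa8c5785053cb8ee6417a948c0a1591'
    'C:\Windows\swchost.exe'  = 'fa6a95007e67026bf6d6ed6bb04402d9454b1faebbb9dd06b08b4d597c3ca4a1'
}
# mrsys.exe was dropped under the analysis user's profile (C:\Users\Admin);
# assumption: check every profile on this host for it.
foreach ($dir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $Dropped[(Join-Path $dir.FullName 'AppData\Local\mrsys.exe')] = '1a60000db2fbcff2812b1910873eaddc8a7b0050788878c1081c718351c86c88'
}
$DroppedNames = 'userinit.exe', 'spoolsw.exe', 'swchost.exe', 'mrsys.exe'

# 1. Dropped files. A file at the same path with a different hash is still
#    reported: the report's four copies already differ from one another.
foreach ($path in $Dropped.Keys) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    if ($hash -eq $Dropped[$path]) { $Findings.Add("MATCH  $path sha256=$hash") }
    else                           { $Findings.Add("CHECK  $path present, sha256=$hash (differs from report)") }
}

# 2. Running copies, by full path, so the legitimate C:\Windows\System32\userinit.exe
#    is not confused with the dropped C:\Windows\userinit.exe.
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    if ($DroppedNames -contains ($proc.Name + '.exe')) {
        $Findings.Add("PROC   PID $($proc.Id) $($proc.Path)")
    }
}

# 3. Winlogon. Expected values are the Windows 7 defaults (assumption about the
#    host): HKLM Userinit = "C:\Windows\system32\userinit.exe," and
#    Shell = "explorer.exe"; HKCU normally carries no Userinit or Shell value.
$WinlogonKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($hive in 'HKLM', 'HKCU') {
    $wl = Get-ItemProperty -Path "$($hive):\$WinlogonKey" -ErrorAction SilentlyContinue
    if (-not $wl) { continue }
    foreach ($name in 'Userinit', 'Shell') {
        $value = $wl.$name
        if ($null -eq $value) { continue }
        $Findings.Add("INFO   $hive Winlogon\$name = $value")
        # -match is case-insensitive in PowerShell, so no (?i) is needed.
        $isDefault = ($hive -eq 'HKLM') -and (
            ($name -eq 'Userinit' -and $value -match '^c:\\windows\\system32\\userinit\.exe,?$') -or
            ($name -eq 'Shell'    -and $value -match '^explorer\.exe$'))
        if (-not $isDefault) { $Findings.Add("ALERT  $hive Winlogon\$name is not the default value") }
    }
}

# 4. Run / RunOnce keys and Active Setup "Installed Components" StubPath values
#    that reference any of the dropped file names.
$AutoRunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ActiveSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$AutoRunKeys += @(Get-ChildItem -Path $ActiveSetup -ErrorAction SilentlyContinue | ForEach-Object { $_.PSPath })
foreach ($key in $AutoRunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata
        foreach ($n in $DroppedNames) {
            if ("$($p.Value)" -match [regex]::Escape($n)) {
                $Findings.Add("ALERT  $key : $($p.Name) = $($p.Value)")
            }
        }
    }
}

# 5. Explorer hidden/system file visibility. Hidden=1 shows hidden files and 2
#    hides them; ShowSuperHidden=1 shows protected OS files. The report says the
#    sample changes visibility but not which value, so both are printed for review.
$adv = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv) { $Findings.Add("INFO   Explorer\Advanced Hidden=$($adv.Hidden) ShowSuperHidden=$($adv.ShowSuperHidden)") }

$Findings | ForEach-Object { Write-Output $_ }
```

MATCH lines confirm the exact files from this report; CHECK and PROC lines flag a same-named file or process at one of the dropped paths whose hash the report does not list, which matters here because the four dropped copies already have four different hashes. The ALERT lines for Winlogon only compare against the stated defaults, so a host with a legitimately customised Userinit or Shell value will also trip them and needs a manual look.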