Overview

overview

10

Static

static

3

7506ecba0c...f7.exe

windows7-x64

10

7506ecba0c...f7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 02:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7506ecba0c8dcd4496f7f336808e98706fb7b0b4bbe156b4c7ce9dc4efa392f7.exe

  • Size

    211KB

  • MD5

    114f4aaaca4e97325d1c8ccc63e783c0

  • SHA1

    f8a8e8a94ae052486d3a862ad9d96b12594bd15b

  • SHA256

    7506ecba0c8dcd4496f7f336808e98706fb7b0b4bbe156b4c7ce9dc4efa392f7

  • SHA512

    1bbf431826b10f355c994d6e87746ef5de148d4e00a3d6589b5e292afe883b8b5103bc601dbe9e509ae8405f71a24ca1e59d4c4c2b238cb90897726b0f34c12e

  • SSDEEP

    3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOd:Jh8cBzHLRMpZ4d1Zd

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7506ecba0c8dcd4496f7f336808e98706fb7b0b4bbe156b4c7ce9dc4efa392f7.exe
    "C:\Users\Admin\AppData\Local\Temp\7506ecba0c8dcd4496f7f336808e98706fb7b0b4bbe156b4c7ce9dc4efa392f7.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4724
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5020
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3048
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2492
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

4
T1112

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe
    Filesize

    211KB

    MD5

    efaeb334b14444043de87d39f474b9a8

    SHA1

    568cc080d1c128ba312aac8530f9dd4a61a6c516

    SHA256

    e334bb4b7b4ed202a086d594fa51d772f6d03570b9831b816d8f33cbf95a3565

    SHA512

    3fcfba009be66d096047fa8e5e687800809dbf4fc97b2b2d98b5c02ef5d264c7e9aefa64c543a7ea5aa3c7a25de30a406ef7036b522ae889a722c877d91c85f7

    Download Submit
  • C:\Windows\spoolsw.exe
    Filesize

    211KB

    MD5

    66f9dc357adb725498ac2632785711d0

    SHA1

    e4b8779e8e968093b723ccdb05b4af0866298c3b

    SHA256

    e931ce70485fc3e130f921985bc43e87747353f7a9c8740ef995f2be51d482e3

    SHA512

    e0ffab6e08b1eb04565bed6714650ffab51bbab5f1dbb66cb0c7a22c8618ed0a9de9489c80eb9406dcbdf44c61b027bb4e1081c94342cb580d3fe9d84775dee2

    Download Submit
  • C:\Windows\swchost.exe
    Filesize

    211KB

    MD5

    768d7b47284d131d742549baa0e99a57

    SHA1

    6ebf5f21444fb800e1f7c4c4444bf491c29b72a7

    SHA256

    a7ea49f536cd2661ac0137c8b3fb8bbdb2d5e02c7b5916d5292b98cde42d3f3f

    SHA512

    42d07763d94c67fe3c5889d11e87cbf790284bdabf5f2677d18718a6aace28d32cf763a3ad6e2ccf9fcfcf2eb9afc487c2dad5ea65564b9f0265fcdb73f3c941

    Download Submit
  • C:\Windows\userinit.exe
    Filesize

    211KB

    MD5

    fdd84df6597075368c572ce1d2d658e9

    SHA1

    52e93e0cfa5d0b08ff46fa3e68d610bb722c53be

    SHA256

    ffa0273ad4b5a7025699183dadf4e2a86698b9cd59dc6a177df65af5b5f609b3

    SHA512

    3d51b474fe5236bca05fff0a57468d5e6d5eb8bc39e0184e5b9cf9c094ae045f14f14562115efaaba890e61265bd06d31fd3d0bc7c1c4a5c1dd81687b5ba7e48

    Download Submit