Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-05-2024 02:30

General

  • Target

    bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe

  • Size

    69KB

  • MD5

    f56f004d5b096f4907fa0197eab2d21f

  • SHA1

    34ce1851628e4d38e2d9439440fe73e1ff98ee4a

  • SHA256

    bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063

  • SHA512

    fcd0b3b0409762cecc2602113b227b67b34ab81ae45e992b877594ff8631736fa5db730d8c0f8a37d409ae17b96008323245d46dac1f498839f528260b603ed7

  • SSDEEP

    1536:EJrFDMRyriCY/qXfatMp4Q2V6fIMxIpL9:0F8dCY85TE6fIMSR9

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • UPX dump on OEP (original entry point) 13 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe
    "C:\Users\Admin\AppData\Local\Temp\bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1152
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2080
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:840
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2616
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2728
          • C:\Windows\SysWOW64\at.exe
            at 02:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2440
          • C:\Windows\SysWOW64\at.exe
            at 02:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:1924
          • C:\Windows\SysWOW64\at.exe
            at 02:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2132

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe

    Filesize

    69KB

    MD5

    7a0e8d962e892572eb337c1c031856b2

    SHA1

    a1c78a29496cc26205be47b58f7ee15921837ccc

    SHA256

    b8f73c587d4940565db14212f0811ea29ae947331d3df3c4662152392276aaa8

    SHA512

    6c8198df7c7c3ff30bfffcd62035647086ead92b2fd0fb71643ae7b0c9aa2c7e6232ec26bb680c3f282c22f850e5dc0ddaed7234954172a81a8b464f38ef3b6c

  • C:\Windows\system\spoolsv.exe

    Filesize

    69KB

    MD5

    6b8398971968cb90baa2c85442987734

    SHA1

    808317589f85140e82fd860aa608676b33f161ff

    SHA256

    221f2b6759ebd2c8f6cdbcbc721b8f211ca04928f638b55db95af751155a91b9

    SHA512

    b2f26c94f886eb603512300aa086c8f7b3d5a04f5e978ff96701159ae49a84e1620cb555cd04089e3b2a4fc7dd066176c13a44230f7ae2fbf7e47ba632a6868f

  • \??\c:\windows\system\explorer.exe

    Filesize

    69KB

    MD5

    922b12df24cc0525d1c186f54ed81e92

    SHA1

    780a07d750b376780929f37b586b4fde2a8a75d5

    SHA256

    09f35e6557007cbcda2d363bcfe9537b915c7336868ee675d5d7920ab3eb2d73

    SHA512

    83fb2ef8c072e1d9493db53b4f0b6b01df14dbc1c0d3e253f6206af8bbc506ac9aa83a932ff0c138144118f7f3b6a3c5e4a4ffa4828158eba5259e3d1aeb3cd0

  • \??\c:\windows\system\svchost.exe

    Filesize

    69KB

    MD5

    6f11b1179d3c26ad70c348f1154dfc10

    SHA1

    92748ae134aad24772bbae4249d89a87a6ee54f6

    SHA256

    c0d3a6fd7c3dff3d454166756d2f02bb15456195d763a41c3a7744adc003f3fe

    SHA512

    07ae95447e75f872e6848142458d92d1a70b1c7ebd482101284ecb6f8582f4e4e1f7f1bd597db526bb6d44ac5061636ea7245f3254d9da2f185dad90019658a6

  • memory/840-55-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/840-42-0x0000000002720000-0x0000000002754000-memory.dmp

    Filesize

    208KB

  • memory/1152-59-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1152-0-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1152-13-0x0000000001D00000-0x0000000001D34000-memory.dmp

    Filesize

    208KB

  • memory/2080-14-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2080-27-0x0000000002580000-0x00000000025B4000-memory.dmp

    Filesize

    208KB

  • memory/2080-61-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2080-72-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2616-63-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2728-53-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB