Overview

overview

10

Static

static

3

f3578a382a...03.exe

windows7-x64

10

f3578a382a...03.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 05:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe

  • Size

    66KB

  • MD5

    87a2bb2b79956f8fd7ea71ae7d0782fe

  • SHA1

    ae16645d2f25b83016dc8e32d2ae9dce4dcf6eac

  • SHA256

    f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103

  • SHA512

    2fcfe2af5e26430ddc390dddc90cc0da986e123538e5f194590a5caaa0e4985355ce55e42a495498b7e081d783f27e0d32a5ee3893132eac9ac2d0ba0e227b4e

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi5oKoKoKoKoKoKoKoKoKoKr:IeklMMYJhqezw/pXzH9ix

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe
    "C:\Users\Admin\AppData\Local\Temp\f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1148
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1544
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:312
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2208
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:808
          • C:\Windows\SysWOW64\at.exe
            at 05:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:4864
            • C:\Windows\SysWOW64\at.exe
              at 05:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:5076
              • C:\Windows\SysWOW64\at.exe
                at 05:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:2320

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          91efeb329d1be28062e161247e243d77

          SHA1

          88bbcc5d12dafcf8ea16a0514f7a31792f20749b

          SHA256

          7dfbd357559bf89292c0dc7c1ada70ae9b06b2ffd49725c23fb619ddc01318fa

          SHA512

          9738c2b93a8c76ed7751c05583e122ff27306e0e8b9aa876a9079dd55f0a8eb49bddff464f4a404efdd661450237c35cbaedf5456f03fd79dee183a249d4e520

          Download Submit
        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          91ff26b3b88d560d1832d9cd6cda2b6c

          SHA1

          4660233229db7b3695ae370c32fc12b68bc01162

          SHA256

          5b4ee14d61b7ad0ec4523a5c00dd0e775e05a9bda905aac40ffad11e6097a88c

          SHA512

          122cf14c20687382a8318b207f627e1fd1eb655c18afe78e7088c114583fa06ac515c68c1c383e00da5ff371d665f0fa6cf64ea018c598f5f6a1ac1de1b1f426

          Download Submit
        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          565e6f57b96548eb5c461b5d1ac61a5c

          SHA1

          ae047c3e1239d270087bdafe996496d6099aca3b

          SHA256

          5657727c315404f556b8421cd95663945cae0432282f6ada72cc6fab865d9284

          SHA512

          7f03bf0c57fac5943f225ac2e4b86029151e4014670633fe65bd08191f550b2d9f25e2c8aa20eb97730cfa29174314edd734f6e4f268e378f144d33bf5f9612e

          Download Submit
        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          b752753f1b1024280d5eb60ac4339a26

          SHA1

          3e944bc0d98bcffb26b50daed94fc3d504e0c08f

          SHA256

          3461d72c68e3426b033c01c54377947cda4df9f8e099f7bd2dd9e27518f77498

          SHA512

          94e60d531ef1089d1df89bd190751fa8d14501ee42584fcb108cb800edac763000038e800a4b7ec77ee2ccb1a76f1c4300bab4ff82eb36a1624ba66ee3339b7b

          Download Submit
        • memory/312-54-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/312-26-0x0000000075080000-0x00000000751DD000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/808-52-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/808-44-0x0000000075080000-0x00000000751DD000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1148-57-0x0000000000401000-0x000000000042E000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1148-0-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1148-2-0x0000000075080000-0x00000000751DD000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1148-5-0x0000000000401000-0x000000000042E000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1148-3-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1148-1-0x00000000001C0000-0x00000000001C4000-memory.dmp
          Filesize

          16KB

          Download
        • memory/1148-55-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1544-13-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1544-14-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1544-17-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1544-15-0x0000000075080000-0x00000000751DD000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1544-58-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1544-68-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/2208-42-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/2208-37-0x0000000075080000-0x00000000751DD000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/2208-36-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/2208-59-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download