Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 26/05/2024, 05:01
Static task: static1
Behavioral task: behavioral1
- Sample: f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe
- Resource: win10v2004-20240508-en
General
- Target: f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe
- Size: 65KB
- MD5: 3bef8324184694884dad05fa686d4bac
- SHA1: 091a6d68fa130d8ee32b32425cd64d92612a5a91
- SHA256: f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd
- SHA512: ef9bee56ce2dedc4cd07f428299f81045c0a9a32fd9f98a3316f23ead8f801e1e1bf6620dcda720649a2e29f10ef60dce1dd2788c16390b6a383de82d934596d
- SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ou5WWWWWWWWWWWWWWWWWWZ:7WNqkOJWmo1HpM0MkTUmub
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe |
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
Executes dropped EXE (4 IoCs)

| PID | Process |
|---|---|
| 2804 | explorer.exe |
| 2748 | spoolsv.exe |
| 2708 | svchost.exe |
| 2764 | spoolsv.exe |
Loads dropped DLL (8 IoCs)

| PID | Process | Events |
|---|---|---|
| 2348 | f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe | 2 |
| 2804 | explorer.exe | 2 |
| 2748 | spoolsv.exe | 2 |
| 2708 | svchost.exe | 2 |
Adds Run key to start application (2 TTPs, 4 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe |
Drops file in Windows directory (6 IoCs)

| Description | IoC | Process |
|---|---|---|
| File opened for modification | \??\c:\windows\system\explorer.exe | f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe |
| File opened for modification | C:\Windows\system\udsys.exe | explorer.exe |
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)

64 events, interleaved between explorer.exe and svchost.exe:

| PID | Process | Events |
|---|---|---|
| 2348 | f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe | 1 |
| 2804 | explorer.exe | 33 |
| 2708 | svchost.exe | 30 |
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| PID | Process |
|---|---|
| 2804 | explorer.exe |
| 2708 | svchost.exe |
Suspicious use of SetWindowsHookEx (12 IoCs)

| PID | Process | Events |
|---|---|---|
| 2348 | f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe | 2 |
| 2804 | explorer.exe | 2 |
| 2748 | spoolsv.exe | 2 |
| 2708 | svchost.exe | 2 |
| 2764 | spoolsv.exe | 2 |
| 2804 | explorer.exe | 2 |
Suspicious use of WriteProcessMemory (28 IoCs)

Each write was recorded four times; the table lists each distinct source/target pair with its event count.

| Description | PID | Process | procid_target | Events |
|---|---|---|---|---|
| PID 2348 wrote to memory of 2804 | 2348 | f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe | 28 | 4 |
| PID 2804 wrote to memory of 2748 | 2804 | explorer.exe | 29 | 4 |
| PID 2748 wrote to memory of 2708 | 2748 | spoolsv.exe | 30 | 4 |
| PID 2708 wrote to memory of 2764 | 2708 | svchost.exe | 31 | 4 |
| PID 2708 wrote to memory of 2976 | 2708 | svchost.exe | 32 | 4 |
| PID 2708 wrote to memory of 1636 | 2708 | svchost.exe | 36 | 4 |
| PID 2708 wrote to memory of 1804 | 2708 | svchost.exe | 38 | 4 |
Processes

- C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe (depth 1, PID 2348)
  - Command line: "C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (depth 2, PID 2804)
    - Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (depth 3, PID 2748)
      - Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (depth 4, PID 2708)
        - Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (depth 5, PID 2764)
          - Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (depth 5, PID 2976)
          - Command line: at 05:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (depth 5, PID 1636)
          - Command line: at 05:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (depth 5, PID 1804)
          - Command line: at 05:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15

- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads