Analysis
- max time kernel: 150s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/05/2024, 05:01
Static task: static1
Behavioral task: behavioral1
- Sample: f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe
- Resource: win10v2004-20240508-en
General
- Target: f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe
- Size: 65KB
- MD5: 3bef8324184694884dad05fa686d4bac
- SHA1: 091a6d68fa130d8ee32b32425cd64d92612a5a91
- SHA256: f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd
- SHA512: ef9bee56ce2dedc4cd07f428299f81045c0a9a32fd9f98a3316f23ead8f801e1e1bf6620dcda720649a2e29f10ef60dce1dd2788c16390b6a383de82d934596d
- SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ou5WWWWWWWWWWWWWWWWWWZ:7WNqkOJWmo1HpM0MkTUmub
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  4468 | explorer.exe
  4932 | spoolsv.exe
  4900 | svchost.exe
  740 | spoolsv.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
- Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\system\explorer.exe | f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs, collapsed by process)
  pid | Process | entries
  4352 | f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe | 2
  4468 | explorer.exe | 33
  4900 | svchost.exe | 29
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  4468 | explorer.exe
  4900 | svchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs, in reported order)
  pid | Process | entries
  4352 | f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe | 2
  4468 | explorer.exe | 2
  4932 | spoolsv.exe | 2
  4900 | svchost.exe | 2
  740 | spoolsv.exe | 2
  4468 | explorer.exe | 2
- Suspicious use of WriteProcessMemory (21 IoCs; each row is reported 3 times)
  description | pid | Process | procid_target
  PID 4352 wrote to memory of 4468 | 4352 | f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe | 82
  PID 4468 wrote to memory of 4932 | 4468 | explorer.exe | 83
  PID 4932 wrote to memory of 4900 | 4932 | spoolsv.exe | 84
  PID 4900 wrote to memory of 740 | 4900 | svchost.exe | 85
  PID 4900 wrote to memory of 4276 | 4900 | svchost.exe | 86
  PID 4900 wrote to memory of 788 | 4900 | svchost.exe | 96
  PID 4900 wrote to memory of 3412 | 4900 | svchost.exe | 98
Processes
- C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe (PID 4352)
  command line: "C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe"
  signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (PID 4468)
    command line: c:\windows\system\explorer.exe
    signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (PID 4932)
      command line: c:\windows\system\spoolsv.exe SE
      signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (PID 4900)
        command line: c:\windows\system\svchost.exe
        signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (PID 740)
          command line: c:\windows\system\spoolsv.exe PR
          signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (PID 4276)
          command line: at 05:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 788)
          command line: at 05:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 3412)
          command line: at 05:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads