Overview

overview

10

Static

static

3

5294ec64ae...ff.exe

windows7-x64

10

5294ec64ae...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/05/2024, 21:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5294ec64ae3bca89b85906e709bff86fd3a68b4e259fb83545bb323215fe08ff.exe

  • Size

    211KB

  • MD5

    92c9f66aca1907e044d7b7ad2d06d851

  • SHA1

    5a656d6bae2042c00161d2f2380189cc7bad8c29

  • SHA256

    5294ec64ae3bca89b85906e709bff86fd3a68b4e259fb83545bb323215fe08ff

  • SHA512

    c02ccb4082e9b290989cdc39abdfc68be9592f2c1b6bb2dbe9598e150de09d6a32f0038c034e2f5d7dd9eae23aef069f9e1fd49162dab308caea6deec6027ad1

  • SSDEEP

    3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOO:Jh8cBzHLRMpZ4d1ZO

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5294ec64ae3bca89b85906e709bff86fd3a68b4e259fb83545bb323215fe08ff.exe
    "C:\Users\Admin\AppData\Local\Temp\5294ec64ae3bca89b85906e709bff86fd3a68b4e259fb83545bb323215fe08ff.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:720
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4164
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3028
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3940
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe
    Filesize

    211KB

    MD5

    fa74fbf9c052a3d8f9e2ab25868eeae4

    SHA1

    95432f5a25edb436dfa1f46b654495613804b19d

    SHA256

    9d826bedacf6ed305707b739b4ede2bb905a49dab5d8dfe3ba2dc90418d4b29c

    SHA512

    a339e19c7d02a89cffcb0f24d0e59743aeacbb834ef19641e7c46d5e12c49742696177368e532ab72e2613a4813873c1ec962ce915ed9eb23c7872f6d1ea7b9a

    Download Submit

  • C:\Windows\spoolsw.exe
    Filesize

    211KB

    MD5

    b18637078de456883783bba5a8e681a6

    SHA1

    90a0b3887fc2436f946773d08ee1b0399976845e

    SHA256

    d2b40d00166feea6214678ad0faafc8c159377fb3e75b67b8ebf9814933d1c03

    SHA512

    d9f86f32d2f7fe73ab590f6374dfe55f0322fc89a740e3b0e02fc9d128e14ee95628d0910ecbb49cc49edf2b227af0e82ba53ba1a638ab8d9e05bc8dbfa13dbe

    Download Submit

  • C:\Windows\swchost.exe
    Filesize

    211KB

    MD5

    92a32f6023886f46cb32fc3f7168f67a

    SHA1

    ef758f14c558f347ce18deed2cdf224caa698616

    SHA256

    13a4640eb6e708222ef54ccfc04df5648924f198ee13bd56166ea2650ecdc696

    SHA512

    442c7dbdf325e99707669b6f4721159a827e5fe9776573f4e84eb1f87d1ecb568fdab99aaa3eb1bbd861bc31960c1c03deffa708c8acf8cf958bb71a1b15d5f1

    Download Submit

  • C:\Windows\userinit.exe
    Filesize

    211KB

    MD5

    952ee6b49d4d1ec87041f6760115d78b

    SHA1

    3039baf3346994f29af3c895f18ed18ee1ac5ad9

    SHA256

    7d4c5f5f5f3df046d2a3308452386f927ed395133ab71b2bb2915c829f533603

    SHA512

    cacdfa10a2765bd184d7cd9317d437030092a2b1547c2f22aad57f2c7570231b3416dc958cb967ae878efb446b30483e7e3819dc85d8376d88a6c487f0901b45

    Download Submit