Overview

overview

10

Static

static

3

b6138581b1...1d.exe

windows7-x64

10

b6138581b1...1d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-05-2024 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6138581b11f392e2e3bfb0a7e3677a9a94540240504738b2213cc1d61f03c1d.exe

  • Size

    66KB

  • MD5

    6435f34e6f9444ad3cfbfac52afa0779

  • SHA1

    93c130fcfeb99ee78fc2d7c60c230fd70d983de8

  • SHA256

    b6138581b11f392e2e3bfb0a7e3677a9a94540240504738b2213cc1d61f03c1d

  • SHA512

    fa3f23a5734b08dc721ee523e603a314c15b5eb9ac7601dfac1e3984b17b8f2c1c656c3e33a7edc370b5f24399b82b64b51de428d79f7b58ae7c0f0f7fc027e9

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiTZZZZZZZZZZZZZZZZZZZZG:IeklMMYJhqezw/pXzH9ii

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6138581b11f392e2e3bfb0a7e3677a9a94540240504738b2213cc1d61f03c1d.exe
    "C:\Users\Admin\AppData\Local\Temp\b6138581b11f392e2e3bfb0a7e3677a9a94540240504738b2213cc1d61f03c1d.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1520
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2656
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3668
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3100
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1592
          • C:\Windows\SysWOW64\at.exe
            at 01:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:3996
            • C:\Windows\SysWOW64\at.exe
              at 01:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:4360
              • C:\Windows\SysWOW64\at.exe
                at 01:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3036

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          7a696f85687f6b1c1e84bf39fb234c75

          SHA1

          c266f8d522a27f7f230ce594e3c39f6771ea4ad4

          SHA256

          f4edb5e7120b47e67f0eaf245bb2506edc07d71eef6dd5a32468cac14aced73d

          SHA512

          0b5d1b198a43dd1988d0db62ce3b8f0a62ff51b35db35a480aec58e42f288a43158ee029e4329cf429bf21c54b2e53cf7292fe08ecdd86be5c7de84f0aac734f

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          50f5d575601ec065c684f2d4b6242a1a

          SHA1

          a412691e4ee90bd0b22a4ddc56bb8d4cc8e9899f

          SHA256

          2521f397ca752259ac83202ab7c4285879ac444604ff4b3fa747283c6a05ede2

          SHA512

          599503024b5173c58dfe8156d151b796c68d771c67dcfbf862ddc72c42e827fae5911f5bdb8a686bd69f5232b3b535ac9b9084fd4e0cde87d9c9c12121874fd3

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          bbe63c6858888a104c13d2c41f700295

          SHA1

          9069b2f1a42ef4f41b3ac86b69e4615578c50374

          SHA256

          38738f172e6ee603398e71efb1b910cdd694766f1ddbfe8e02f9a1297841b545

          SHA512

          56fdf31058b9f6b33c3dddd281b0df591a4461bd1368b97c58ec441ba8508b63928b20aed1c9eeca17f2f19ec963254ee016d93bb08c37cf8ecb7c5f4000213f

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          4c76d9144b135e60c392c1ed28322386

          SHA1

          c5f9edb425bda58785413d71e99267d35cc7622b

          SHA256

          537ce0cd6b8bb4b0e1f7f0492c9343dd16be46df2ec65b6257c02d9d9cd1a298

          SHA512

          b2351fd2496b6ed7a8455065ee43a83dc2de63bb654de59402fabdfe899c667265c05a84ea037f4a46bb946c173d9640a5ef46eede9d5391563b02ffc893c394

          Download Submit

        • memory/1520-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1520-57-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1520-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1520-2-0x0000000075080000-0x00000000751DD000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1520-5-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1520-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1520-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1592-54-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1592-44-0x0000000075080000-0x00000000751DD000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2656-16-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2656-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2656-69-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2656-14-0x0000000075080000-0x00000000751DD000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2656-13-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3100-41-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3100-37-0x0000000075080000-0x00000000751DD000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3100-36-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3100-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3668-52-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3668-29-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3668-25-0x0000000075080000-0x00000000751DD000-memory.dmp

          Filesize

          1.4MB

          Download