Overview

overview

10

Static

static

3

df20327ae5...ab.exe

windows7-x64

10

df20327ae5...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/05/2024, 03:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df20327ae5c846b3dfc1d99bb1d617cc02a32b78d193487c07a1a6ab6f4916ab.exe

  • Size

    66KB

  • MD5

    9a605ca94d4c380c4e3065e3d7d9888c

  • SHA1

    f799c08750e479f56f67b33f56b9a8d3c9199e84

  • SHA256

    df20327ae5c846b3dfc1d99bb1d617cc02a32b78d193487c07a1a6ab6f4916ab

  • SHA512

    e28863d8125a262ff6bc47caa6c4e7dd30d07b27236c4e67a1ef37a9f52050ab87b689740e51e7fcf9d42ab7dc7c075dd7076437bb7c6938f3e29f728cea1c2d

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiF:IeklMMYJhqezw/pXzH9iF

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df20327ae5c846b3dfc1d99bb1d617cc02a32b78d193487c07a1a6ab6f4916ab.exe
    "C:\Users\Admin\AppData\Local\Temp\df20327ae5c846b3dfc1d99bb1d617cc02a32b78d193487c07a1a6ab6f4916ab.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2316
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4956
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2052
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2240
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3528
          • C:\Windows\SysWOW64\at.exe
            at 03:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1328
            • C:\Windows\SysWOW64\at.exe
              at 03:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:4724
              • C:\Windows\SysWOW64\at.exe
                at 03:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:5116

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          3a33c74fc9cc95b5f69704278556a3d0

          SHA1

          855d414cdb8e8f9db4d0d82548bfad93b353a286

          SHA256

          1da538b287a5bd9ff191d55be0cc3c41205c6ed5047e35cd3089ccf11728985d

          SHA512

          5b8ae2f23d43d2d0169180ef9e1b25d90bd9526a216917a6711f64d5bd3b9c0b5337184e6a7db11f4ab18f394a64bcda4e40a68df9437647ce733225389cc832

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          6fe24795c6fdb98a4a72dc9a3ec98c01

          SHA1

          baf1f3dbed1a82918ed71e11106aa9317b7a412c

          SHA256

          bc76d0f308103102ac9687c73e8256862e6ed6fbc9f970cb25d885c89f640331

          SHA512

          23c46fb77d8782e706d56b585f013d5ec2f6346aa866c25cd49969f2f03d1a57a788b5cdc8c5a8ce03d3ac44df1657968c28a612dcba314ce3b6ada0eaa37a22

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          d9d0c6946bd5be2e5e1c14b579358f50

          SHA1

          05005635ab0625cfee478b21808e747c66c3cbd0

          SHA256

          f66ac0d85939bf46008b1c25be452b57f23649532813d1ac9ccd70bfa46586ca

          SHA512

          b4fd7820de73934f8360858130d22463ba943394234e1df9892691ff9c120962a643abaf070c08a3c4a59f1b4558bd4453f5059036e848b7a96b494d42667b5c

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          34374ab5836c715922062bec2e341e6a

          SHA1

          f2eadbd00de7980594fd3edac62bdc7981b94254

          SHA256

          9e859c37ac69142a8ca58751f642b4df2bdc73991889331121b99ead1b631d46

          SHA512

          eccecf3db3f5edf8766730ca61acef0bc3b6f0e98a10459e895080850f266d4a3b4568c8d7fbf282a286cef48670a1908943411bcc7b81c8596bf93f612e4844

          Download Submit

        • memory/2052-51-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2052-25-0x0000000075600000-0x000000007575D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2240-35-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2240-59-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2240-36-0x0000000075600000-0x000000007575D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2316-5-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2316-1-0x0000000075600000-0x000000007575D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2316-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2316-2-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2316-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2316-55-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2316-54-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3528-52-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3528-42-0x0000000075600000-0x000000007575D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4956-15-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4956-57-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4956-16-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4956-68-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4956-13-0x0000000075600000-0x000000007575D000-memory.dmp

          Filesize

          1.4MB

          Download