Overview

overview

10

Static

static

3

3c325ef1d3...30.exe

windows7-x64

10

3c325ef1d3...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    29-05-2024 20:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c325ef1d3dc67640d0adab5c879d592d2ba27c178817bc1b656fa8645695a30.exe

  • Size

    65KB

  • MD5

    ca3803799e2756c25418d591cd8ee1f3

  • SHA1

    4f573f5eaec79200c67dcffbe356810fd1e019ab

  • SHA256

    3c325ef1d3dc67640d0adab5c879d592d2ba27c178817bc1b656fa8645695a30

  • SHA512

    767328e4e27188e4c22d82210f22dc959f5ecedabe60c61d44896440d03d17f3ca2e59b6e88777a24d7e023762f1d850f3a1d8092e88b87a35fa5b36cb249e17

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ouw:7WNqkOJWmo1HpM0MkTUmuw

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c325ef1d3dc67640d0adab5c879d592d2ba27c178817bc1b656fa8645695a30.exe
    "C:\Users\Admin\AppData\Local\Temp\3c325ef1d3dc67640d0adab5c879d592d2ba27c178817bc1b656fa8645695a30.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2024
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1872
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2816
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2828
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2560
          • C:\Windows\SysWOW64\at.exe
            at 20:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2136
            • C:\Windows\SysWOW64\at.exe
              at 20:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1328
              • C:\Windows\SysWOW64\at.exe
                at 20:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:2844

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          3aa6388e08eb5170bafce8da5406e204

          SHA1

          0675f245254311f7af2cd5f5c76cdd9cedb93801

          SHA256

          2b4dc8c1739b4cb8b052b223780aab7ce5d53f894324148018f70c0e31f40be7

          SHA512

          b3db34e3c2666688ef9414ad9111719f868ad23b3233d7796c284bdc5638e16cf8cd702686cc43db048f215d9ca9858a9a34bb232c3dd119e7012a63f440786b

          Download Submit

        • C:\Windows\system\svchost.exe
          Filesize

          65KB

          MD5

          3ef97e0d294bda7f2b5c39c05c49c950

          SHA1

          9224c5124e8d356d8ec60781b947a14ac8282ddb

          SHA256

          c6b8b31f9bfeb8e707ebe2c10d812b8b15448297e3834c68c35dec8ea3b34806

          SHA512

          8cbc631ba12c73ec3641882c29fbe2bdaf76aa4cf960ae4a2d9d6e02a583bb60c7cae15205f664c993c744de2bd5194a649feec76a3bcd430fa21283f0d8d633

          Download Submit

        • \Windows\system\explorer.exe
          Filesize

          65KB

          MD5

          7ee0e27dfa476fd5f0f015d89e365474

          SHA1

          0284a80b5423d62f2b484b67869af9b9dd7dfd91

          SHA256

          6ca5fb0f30f02dd0ea73b03e1538761ff2d725f727bb1a51f0b8cb9b7d11f63f

          SHA512

          9eb98f9a767eb2aa4f36bdcc7f7bf9d3bd058ad9ce5a0540cdcd0e53317d1086225cb28522142c030448fdec3b1ebedbe5de09b712a817758df5a009eac7226c

          Download Submit

        • \Windows\system\spoolsv.exe
          Filesize

          65KB

          MD5

          59eb8fbcde968cf027f6f5f753866c3f

          SHA1

          a38350571e3c89ec42eb53607619a99fd729db9c

          SHA256

          2aab33ff48db328ed91cc5674b28f85db8133d6e0310947fda6f0669f7c1abf3

          SHA512

          3727b8567ca31f96b0fea2b4e5624af9b381d2d4396f194fe8f0bf8360662387786f24e297aeed2f7eaffaee6cab921725b5ae5c27ee9477a54660c39169b8b3

          Download Submit

        • memory/1872-20-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1872-94-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1872-40-0x0000000002670000-0x00000000026A1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1872-19-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1872-83-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1872-22-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2024-18-0x0000000002840000-0x0000000002871000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2024-5-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2024-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2024-66-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2024-2-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2024-12-0x0000000002840000-0x0000000002871000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2024-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2024-80-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2024-81-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2024-1-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2560-74-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2560-68-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2816-76-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2816-54-0x0000000001D40000-0x0000000001D71000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2816-36-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2816-41-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2816-43-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2828-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2828-67-0x0000000001ED0000-0x0000000001F01000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2828-56-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2828-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2828-85-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download