Overview

overview

10

Static

static

3

59915f9410...20.exe

windows7-x64

10

59915f9410...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2024 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59915f9410eca4a1e2b43888387ec215d6e5a7ccb39a58d2ebf4f5ebdf700220.exe

  • Size

    66KB

  • MD5

    835a29ddcb263bf8e68d6ba1d541c7ab

  • SHA1

    3f487df6d59df3e429c79cb65ca750fac39075d0

  • SHA256

    59915f9410eca4a1e2b43888387ec215d6e5a7ccb39a58d2ebf4f5ebdf700220

  • SHA512

    2f856edcafb95e34f7ddcd90734c02e08894faf01d23bf43947f703b5f5326d825c93ad1f24dfa1e25517fa3db951bb3b795ef754bd4062ab59f235d9b59558c

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiW:IeklMMYJhqezw/pXzH9iW

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59915f9410eca4a1e2b43888387ec215d6e5a7ccb39a58d2ebf4f5ebdf700220.exe
    "C:\Users\Admin\AppData\Local\Temp\59915f9410eca4a1e2b43888387ec215d6e5a7ccb39a58d2ebf4f5ebdf700220.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:536
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4936
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1112
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4460
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1104
          • C:\Windows\SysWOW64\at.exe
            at 22:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:4104
            • C:\Windows\SysWOW64\at.exe
              at 22:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:4620
              • C:\Windows\SysWOW64\at.exe
                at 22:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:2916
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3468,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
          1⤵
            PID:4836

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\mrsys.exe
            Filesize

            66KB

            MD5

            611829adcbc40292d8dcdce8fbadcb9c

            SHA1

            5e813bc7d7f5ad248bb2d83109d2835b3ea30576

            SHA256

            1bab597b19c020c71de2f8709cebf0115b1b709e9ece9adf8faa2e6bbc424afd

            SHA512

            7b3a8234c9389922f5c4a49ce34feb36aeadcab484271ad0e153778f16b7bae1323e14c8c9200f8a557a5a4192f0271a9743ac550f8cc70fcec93899a4c033fa

            Download Submit

          • C:\Windows\System\explorer.exe
            Filesize

            66KB

            MD5

            4eced97766f454f80316e2e058c0b2bc

            SHA1

            eb24a2c78d024457c1de1cd854f788d19e9c9691

            SHA256

            2b12de21d2c7f3ca49acf180f6a222dbff9dd5b731de5c706e572182474fa1b8

            SHA512

            80a1f95226caa326044c1aa9991c68d779c97788cc140583e1b8136c52c53e65c141a1d87d126e5a54c1af4d21afa6947a690f58a283d963d17109c6fad78fd3

            Download Submit

          • C:\Windows\System\spoolsv.exe
            Filesize

            66KB

            MD5

            2228560400c43861d419924082ad8409

            SHA1

            3f2983b154d2f57b989bd7d81851cae6eb40a908

            SHA256

            ed61928cbb5368094a09833552529f44813892dea2aea0b50f1efe79ae2e122e

            SHA512

            f8a50fe1e0a43045ca07082cc9aac071f17912e1bf99d6934f33710e608c401dc2a9f25fe4bdba292c4a2c1f4e8613d2127f06f3ab4036792da7fe382b36196b

            Download Submit

          • C:\Windows\System\svchost.exe
            Filesize

            66KB

            MD5

            a5eb9b2f09893368500799adfe7db863

            SHA1

            ebbdf66ac6b8be7d54207a21468a61de66835b01

            SHA256

            1c17c4acedb7eae89c6033dd45fed32362bce62fd72b9bc4bcff14c7c024db22

            SHA512

            fb0569f0ef95d8ea80a066e72ac0ca5c37b564d2f1bccda81379abf1290f8e79be2944b2b6cc6376a45e749496d23fa9924b8617abd44e15e392d6d9beeb548a

            Download Submit

          • memory/536-3-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/536-4-0x0000000000401000-0x000000000042E000-memory.dmp

            Filesize

            180KB

            Download

          • memory/536-55-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/536-2-0x0000000074B20000-0x0000000074C7D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/536-56-0x0000000000401000-0x000000000042E000-memory.dmp

            Filesize

            180KB

            Download

          • memory/536-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

            Filesize

            16KB

            Download

          • memory/536-0-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/1104-51-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/1104-43-0x0000000074B20000-0x0000000074C7D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1112-26-0x0000000074B20000-0x0000000074C7D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1112-30-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/1112-25-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/1112-53-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4460-37-0x0000000074B20000-0x0000000074C7D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4460-60-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4936-14-0x0000000074B20000-0x0000000074C7D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4936-16-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4936-12-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4936-58-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4936-69-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download