Overview

overview

10

Static

static

3

73baa056e4...2b.exe

windows7-x64

10

73baa056e4...2b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31-05-2024 23:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73baa056e40cfba5ff9da552c2b2311dd8442712904d33185dbbbba39b6bf82b.exe

  • Size

    66KB

  • MD5

    93952a80aebecd034262a8de55fcfc3d

  • SHA1

    832498327f4fbcc16f4ed14c4707d6e40b786b3f

  • SHA256

    73baa056e40cfba5ff9da552c2b2311dd8442712904d33185dbbbba39b6bf82b

  • SHA512

    07e82fec0cea719b230a443baf5ee0d98e15226c9012575c4597bc38756def099a003f3cd1abe8726abbc1e98217415dcd9b5ede0d06faf3a3fb395fb0bb44b2

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiO:IeklMMYJhqezw/pXzH9iO

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73baa056e40cfba5ff9da552c2b2311dd8442712904d33185dbbbba39b6bf82b.exe
    "C:\Users\Admin\AppData\Local\Temp\73baa056e40cfba5ff9da552c2b2311dd8442712904d33185dbbbba39b6bf82b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2344
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2932
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2712
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2612
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2420
          • C:\Windows\SysWOW64\at.exe
            at 23:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1480
            • C:\Windows\SysWOW64\at.exe
              at 23:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:920
              • C:\Windows\SysWOW64\at.exe
                at 23:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1256

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          d9b268ac5451f97f530d38fd64128ee7

          SHA1

          2e1ab7421aa6c80169dab06058ab1329103249bc

          SHA256

          5d345ae5ff73d3649ca018e0961598224d969d13b88712c3b8bf509051584ba3

          SHA512

          556e192426280719cbadad35e096a073adcb85fd8045278d0e1d527311c28493f97004eaa43aa7f9aa475d8a0c1160410420bbcfc03df912ea7aacf890e3128c

          Download Submit

        • \Windows\system\explorer.exe
          Filesize

          66KB

          MD5

          1dacd3a7fe109dad7fa732a736515360

          SHA1

          7b87326773cc6a617f55113f763a6d7ec78d4c79

          SHA256

          bb464115336ca4426713fdb83fe97a7d0d349c6c95405cd006c64d331e91051c

          SHA512

          778352ded2413e51bb71c586d50becefda33423932a43a30f3531d520884a1866dee25d53236d1187d1f9e84dd0b784745918ff5ff3e6da03b9f6fc853eda526

          Download Submit

        • \Windows\system\spoolsv.exe
          Filesize

          66KB

          MD5

          3080f2799147e1024bbbb6891ec9d893

          SHA1

          5eb2f3a6d249dde3e46d9c698e8a96820a06fd76

          SHA256

          952a3ddb12b8890800b6aaa09b251f376a611a9c7a31f4f5ed01178f25c02f48

          SHA512

          aa6f8ce124940cefbef73abc435af516de0b156dd6d2400a0e67f9d657328b0f501c543f95f858dbd83c163807d33611545c029f251de98b91d6ce07acbe0903

          Download Submit

        • \Windows\system\svchost.exe
          Filesize

          66KB

          MD5

          3085240cddcc0fe27faf7fd6e1a35cb9

          SHA1

          75ed310820a53cabcb1bedaed1ce09e185adcbc3

          SHA256

          080170c2a48ccf826e5143522a29542fd1014e9912c51dfdc66645a1e1fbcfb2

          SHA512

          1fcc8070d8963a8bfa66795481614dbbc2c2c3b02c5bf450622e1bb43bcefb108efac91e476cc59308e1180885566705f1ba02090809a5cd67e512365e7f9efa

          Download Submit

        • memory/2344-81-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2344-37-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2344-17-0x00000000027E0000-0x0000000002811000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2344-16-0x00000000027E0000-0x0000000002811000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2344-1-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2344-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2344-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2344-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2344-82-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2344-2-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2344-42-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2420-75-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2420-69-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2612-68-0x0000000002470000-0x00000000024A1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2612-85-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2612-56-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2612-57-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2612-63-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2712-38-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2712-55-0x0000000001DC0000-0x0000000001DF1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2712-43-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2712-79-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2932-62-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2932-35-0x0000000002B80000-0x0000000002BB1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2932-20-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2932-22-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2932-84-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2932-19-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2932-94-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download