Overview

overview

10

Static

static

3

73baa056e4...2b.exe

windows7-x64

10

73baa056e4...2b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2024 23:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73baa056e40cfba5ff9da552c2b2311dd8442712904d33185dbbbba39b6bf82b.exe

  • Size

    66KB

  • MD5

    93952a80aebecd034262a8de55fcfc3d

  • SHA1

    832498327f4fbcc16f4ed14c4707d6e40b786b3f

  • SHA256

    73baa056e40cfba5ff9da552c2b2311dd8442712904d33185dbbbba39b6bf82b

  • SHA512

    07e82fec0cea719b230a443baf5ee0d98e15226c9012575c4597bc38756def099a003f3cd1abe8726abbc1e98217415dcd9b5ede0d06faf3a3fb395fb0bb44b2

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiO:IeklMMYJhqezw/pXzH9iO

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73baa056e40cfba5ff9da552c2b2311dd8442712904d33185dbbbba39b6bf82b.exe
    "C:\Users\Admin\AppData\Local\Temp\73baa056e40cfba5ff9da552c2b2311dd8442712904d33185dbbbba39b6bf82b.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4476
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4012
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:548
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1000
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3964
          • C:\Windows\SysWOW64\at.exe
            at 23:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:3220
            • C:\Windows\SysWOW64\at.exe
              at 23:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:4524
              • C:\Windows\SysWOW64\at.exe
                at 23:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1224

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          652f31d1e9472a32bde382f2aaa6cd29

          SHA1

          2e4226b63a8fadc869c8be953c0eb317136da210

          SHA256

          9590ca337b7e9f4f2ae9ad06df7e7a200113f4b42081520c24eb9c58147dd16d

          SHA512

          e9338db96edc440502a9284f71a673cbf9dc02aa753a27ba5fe6b65f4849343bc888f2267a945dbf0477eff7f2e5d8c6efc2b14b188f3cf71c86c7b9ced8c83c

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          87cf19e6f0e34816f92dd6be5063453a

          SHA1

          d673c242299e0a7416287a0f9c1be33845921328

          SHA256

          e6d87262b6dacfdd07df9fecf373241a585f8e546f983d96bea0da337697219b

          SHA512

          78a3839458a0795f692e7c96ab02d90720fa81db75f3547b04253bf299081fab4837b71612493acbc499ff39b35f84647cb2a6691eaa1a6651a59ab3129aa4bf

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          98164ecb5a3e7f8bd84e923649dc7dfc

          SHA1

          6a7e00ffbbc54e9846a045f8c25c6b89ba1fa617

          SHA256

          95e1529505c01fac4235097114d6ed06092026b32cb7bcbf53043cce020d1acf

          SHA512

          cea7646bc0f3aaa52749787d668cfb26332271d2af3d94c6ca928b932a37219f569833f0dcc4be5e9821a2fdf316cb416223c0027caeda4a64e631bf9ce3bb8f

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          1e35d3677a0427162fbb12598835485e

          SHA1

          ad56875e1a83916af301a238855d4266237056ed

          SHA256

          17ce02e3a6aae2179d5ed6089a1f4bc9d4e7210ec9325a0d66d3f85790ac945b

          SHA512

          3c24a3495f0261459ff68c07a3b72f99db355c26a1f2ba2b9ba1fc1e63d163c8088ff0bdd316210b4998d3edcba8245bfccf0fcfb2596a28ab589d7b855e10f0

          Download Submit

        • memory/548-31-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/548-57-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/548-27-0x0000000075600000-0x000000007575D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/548-26-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1000-42-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1000-38-0x0000000075600000-0x000000007575D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1000-62-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3964-45-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3964-46-0x0000000075600000-0x000000007575D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3964-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4012-14-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4012-19-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4012-15-0x0000000075600000-0x000000007575D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4012-13-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4012-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4012-71-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4476-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4476-59-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4476-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4476-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4476-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4476-2-0x0000000075600000-0x000000007575D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4476-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download