Overview

overview

10

Static

static

3

dd02cac8b9...cf.exe

windows7-x64

10

dd02cac8b9...cf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/05/2024, 03:55

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dd02cac8b9a2679690c86bdbcc407dd0a4a03017a542a01dba7a2532b80eebcf.exe

  • Size

    66KB

  • MD5

    422d40a0e93b3f71a5c129a738aafdb4

  • SHA1

    c6da2db8e78b27a790f35686f765da7db7ee4c6d

  • SHA256

    dd02cac8b9a2679690c86bdbcc407dd0a4a03017a542a01dba7a2532b80eebcf

  • SHA512

    32d32c59bddaab526709b731263192d5ded5fdeb3c467c153640aaaa7fb20b202295214d1a99387b2a985815304881a7055532abb632fb88254396bacaf4c56d

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi4:IeklMMYJhqezw/pXzH9i4

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd02cac8b9a2679690c86bdbcc407dd0a4a03017a542a01dba7a2532b80eebcf.exe
    "C:\Users\Admin\AppData\Local\Temp\dd02cac8b9a2679690c86bdbcc407dd0a4a03017a542a01dba7a2532b80eebcf.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4600
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4000
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1588
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1420
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4856
          • C:\Windows\SysWOW64\at.exe
            at 03:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1872
            • C:\Windows\SysWOW64\at.exe
              at 03:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:3084
              • C:\Windows\SysWOW64\at.exe
                at 03:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4860

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\mrsys.exe
                Filesize

                66KB

                MD5

                2a3b81d8b91a3767c20d6e9c857d14f2

                SHA1

                cc837223c957e890ee11808675be6291da51180c

                SHA256

                9afb8d75f7a12dae3fd109f45ce34e4ea05c02b00e589cb07251d46d1b0bce18

                SHA512

                2cd4cb46781cd66317cd01a19d5a96afe323e0b0af54a430fd68f509fa8e993aa33799eb86d52d4455a1cdce9189636a8a9a10c8184ed9c80d009e02c14239ac

                Download Submit

              • C:\Windows\System\spoolsv.exe
                Filesize

                66KB

                MD5

                b3f60f080d0c853be8b1802359b9021c

                SHA1

                16aa262d95dd7a8a9452e547e4e9b590bb248c98

                SHA256

                20d498d45db7b608e30286b8f581f905c1a835523330961a80c80fbd0b663195

                SHA512

                8d4b89d72189da249040f3593f6db3390134e1b1ff40e34ff892a4512203f1499e0e202ea2ecf75f13840bb2c8af247b9d5922a54823df158b7c63b512edd15f

                Download Submit

              • C:\Windows\System\svchost.exe
                Filesize

                66KB

                MD5

                e2c91348f1b17ad8f53434b9e4d2c5e3

                SHA1

                1d62af9d295115646e6cfa23428f495f0fe61095

                SHA256

                3dcb570534cf180676eb62970f36a9a4f8a3b7d2dc8fc4f36b17d5672a828a01

                SHA512

                7bca7f28ba12b4ff9f91ced27dc6b7b9a34f383588b4c205d39a811cad0a1df37c6bd3aeb2c0fe2f7a37fddac1a2d40ac2d7928c8fc799aaaf6e1972da445881

                Download Submit

              • \??\c:\windows\system\explorer.exe
                Filesize

                66KB

                MD5

                8414877d912a2f39ec6c68d64ea2439f

                SHA1

                5f9f9c61f42ac61739bb8f4a3458d2fc2de530ef

                SHA256

                56f71959b7f786affe41ef951aa2e948ce0ea10dddc89fa25cad9114f4b002af

                SHA512

                ba3be188675017f2735a3f63bc02632ef735c39dfba5a578a78b468530a0140ff21bd0e8641ec89151418b2369fb35b297a3c4c82648c21245a1ed33673d4352

                Download Submit

              • memory/1420-61-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1420-41-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1420-37-0x0000000074FF0000-0x000000007514D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1588-54-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1588-25-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1588-26-0x0000000074FF0000-0x000000007514D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1588-31-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4000-14-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4000-13-0x0000000074FF0000-0x000000007514D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4000-16-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4000-70-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4000-59-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4600-57-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/4600-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

                Filesize

                16KB

                Download

              • memory/4600-55-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4600-56-0x00000000001C0000-0x00000000001C4000-memory.dmp

                Filesize

                16KB

                Download

              • memory/4600-2-0x0000000074FF0000-0x000000007514D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4600-3-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4600-0-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4600-4-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/4856-52-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4856-44-0x0000000074FF0000-0x000000007514D000-memory.dmp

                Filesize

                1.4MB

                Download