Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 01-06-2024 03:28
Static task
- static1
Behavioral task
- behavioral1
  Sample: cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe
  Resource: win7-20240419-en
Behavioral task
- behavioral2
  Sample: cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe
  Resource: win10v2004-20240508-en
General
- Target: cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe
- Size: 66KB
- MD5: 49fbfdd2a04dbf9c0c4550d0bb4763e3
- SHA1: d9d5ed726dd707da03ba6edfb4bd8e73e53599ba
- SHA256: cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034
- SHA512: 12dcfce9b2d2fe6d9706d8cf042ef94b5201949314dda266b1dfc9e0f4673431f1757ff3366cb759650fce28e104c3dda7b6ccb2379874f6c58f668b471e3382
- SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXic:IeklMMYJhqezw/pXzH9ic
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
- 632 | explorer.exe
- 2724 | spoolsv.exe
- 2272 | svchost.exe
- 2648 | spoolsv.exe
Loads dropped DLL (8 IoCs)
pid | Process
- 1148 | cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe
- 1148 | cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe
- 632 | explorer.exe
- 632 | explorer.exe
- 2724 | spoolsv.exe
- 2724 | spoolsv.exe
- 2272 | svchost.exe
- 2272 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
- File opened for modification | \??\c:\windows\system\explorer.exe | cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe
- File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
- File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
- File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 1148 | cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe (1 entry)
- 632 | explorer.exe and 2272 | svchost.exe (the remaining 63 entries, repeated)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
- 632 | explorer.exe
- 2272 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
- 1148 | cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe (2 entries)
- 632 | explorer.exe (2 entries)
- 2724 | spoolsv.exe (2 entries)
- 2272 | svchost.exe (2 entries)
- 2648 | spoolsv.exe (2 entries)
- 632 | explorer.exe (2 entries)
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
Each row below appears four times in the report.
- PID 1148 wrote to memory of 632 | 1148 | cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe | 28
- PID 632 wrote to memory of 2724 | 632 | explorer.exe | 29
- PID 2724 wrote to memory of 2272 | 2724 | spoolsv.exe | 30
- PID 2272 wrote to memory of 2648 | 2272 | svchost.exe | 31
- PID 2272 wrote to memory of 2368 | 2272 | svchost.exe | 32
- PID 2272 wrote to memory of 1652 | 2272 | svchost.exe | 36
- PID 2272 wrote to memory of 3032 | 2272 | svchost.exe | 38
Processes
- C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe (PID 1148)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (PID 632)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (PID 2724)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (PID 2272)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (PID 2648)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (PID 2368)
          Command line: at 03:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 1652)
          Command line: at 03:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 3032)
          Command line: at 03:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads
- Filesize: 66KB
  MD5: 36cf1ea7bf24f7675544ec10d353bb86
  SHA1: f05ae38680b0570411d36546ab0b7f021a6ffc0e
  SHA256: 557b3e32ab5ad26a24b667defeb9c1f2990da21dc1493cc0c6a3b71eaee80792
  SHA512: 8c303c4dac975f028a06da4d067016f897c751e0f8548fd6d5e186432a0b0c1de34f3b242d6bbd1a4d1ec73db920e6931ac7f09dbfb8c37e052820563eccc620
- Filesize: 66KB
  MD5: b8dbecb7fcee6ded7424ee4b172f65be
  SHA1: 8a82a45b29975eae26d521e27544858bc3defb69
  SHA256: 1bc2fc62b29919924799dc523702760707b645939742b84939ec96588d9905a4
  SHA512: 2eb66b9f24c10c6f0c854fc6be65203ac772edd8592a671e660c51838c4e971b1ed84ddc12981c734e3203ae3958fc12e71b65d12198f89fb6f2058328527423
- Filesize: 66KB
  MD5: b1163182380adceed277634f786a5044
  SHA1: ec362c5874101945a31ba55d683852e9f9d143c3
  SHA256: 30eb97c26b21f4cd22918c06f8b35da6af8f057dffba71b859f61b3c3fc949d3
  SHA512: 956279aca8a61cb31487b1c91fc6291c5fd79b986aa923b078e873bf94ad36c8ff70d04741c5e2c99eeff2de853fa8a4851cfde4ed92b673ff58d2d5ce44eda4
- Filesize: 66KB
  MD5: a7776974256d215340f566f17bf2007e
  SHA1: 62fa07b7de91d7c5352c5ee9d77757347a28a848
  SHA256: c1a4ac4a17190377f8586355eb731371208b9d98653531050dfa0be0601377c9
  SHA512: f0c5da5ee7f1dc722ce8bc3062d7bc53f77110b8df384d93d73eb5c05cb85ee848b1f1f34f028eabea9f2e06ef67ddddc68382a76832603a498ec4af8ec39f94