Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 01-06-2024 03:43
Static task: static1
Behavioral task: behavioral1
- Sample: d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe
- Resource: win10v2004-20240426-en
General
- Target: d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe
- Size: 65KB
- MD5: 2514b1ea9181355c60f8fecd2079d520
- SHA1: a29773eabbd64ff10fabe570a288c44231c69c87
- SHA256: d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95
- SHA512: c3942b709634cebe0a899440ed3de53e1c3b21c4c9aacc17056c61372378099c532c7277e8aac109f64b5b832c577280c20afee871b7a93affe45320c43f7d66
- SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Oujjjjjjjjjjjjjjjjjjj4:7WNqkOJWmo1HpM0MkTUmu0
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
Executes dropped EXE (4 IoCs)
- PID 2916 explorer.exe
- PID 2500 spoolsv.exe
- PID 2492 svchost.exe
- PID 2384 spoolsv.exe
Loads dropped DLL (8 IoCs)
- PID 2152 d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe (2 entries)
- PID 2916 explorer.exe (2 entries)
- PID 2500 spoolsv.exe (2 entries)
- PID 2492 svchost.exe (2 entries)
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
Drops file in Windows directory (6 IoCs)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe)
- File opened for modification: \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: svchost.exe)
- File opened for modification: C:\Windows\system\udsys.exe (process: explorer.exe)
Enumerates physical storage devices (1 TTPs)
- Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2152 d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe (1 entry)
- PID 2916 explorer.exe and PID 2492 svchost.exe (the remaining 63 entries, alternating between these two processes)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2916 explorer.exe
- PID 2492 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 2152 d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe (2 entries)
- PID 2916 explorer.exe (2 entries)
- PID 2500 spoolsv.exe (2 entries)
- PID 2492 svchost.exe (2 entries)
- PID 2384 spoolsv.exe (2 entries)
- PID 2916 explorer.exe (2 further entries)
Suspicious use of WriteProcessMemory (28 IoCs; each entry repeated 4 times in the report)
- PID 2152 wrote to memory of 2916 (process: d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe, procid_target: 28)
- PID 2916 wrote to memory of 2500 (process: explorer.exe, procid_target: 29)
- PID 2500 wrote to memory of 2492 (process: spoolsv.exe, procid_target: 30)
- PID 2492 wrote to memory of 2384 (process: svchost.exe, procid_target: 31)
- PID 2492 wrote to memory of 1368 (process: svchost.exe, procid_target: 32)
- PID 2492 wrote to memory of 2392 (process: svchost.exe, procid_target: 36)
- PID 2492 wrote to memory of 2904 (process: svchost.exe, procid_target: 38)
Processes (indented by process tree depth)
[PID 2152] C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  [PID 2916] \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [PID 2500] \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      [PID 2492] \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [PID 2384] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        [PID 1368] C:\Windows\SysWOW64\at.exe
          Command line: at 03:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        [PID 2392] C:\Windows\SysWOW64\at.exe
          Command line: at 03:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        [PID 2904] C:\Windows\SysWOW64\at.exe
          Command line: at 03:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 65KB
  MD5: 3237082280f25bcc0173810ad2df0cee
  SHA1: 6e42a644bfe28a0f62dc403680559a163bf600eb
  SHA256: 18828627f4a7f5f31ac4cb2db26183a4a6b5676ffe8180937437a73c1050d6a2
  SHA512: 2c8299c08f42693494dfda93682e1b78e9bcd52444cfe370757112e659136ba852222e884d0388a7cc8c2ae7b7077f20c18ad594c7270e912bc7ed101075d9e9
- Filesize: 65KB
  MD5: 0a44449ca9b13f435053f6d71f295975
  SHA1: 7fdcf1f67bd0ca10f4a1ea97d60f2705a1df6dea
  SHA256: 2f9465227b1c76355030a7431cfca1617281541375b8d9ddb5a31cfb090c2379
  SHA512: 419110ed2dc04ba67b2c175d55bc23333da401013ccfc5e53988b86b3c9267fa2c5f5e4740d45bdf4239fceb14580291a3f27ed3cc23440f6cfadc0837b0314d
- Filesize: 65KB
  MD5: b6f5c490cf8004d43085accd9165b12c
  SHA1: b30bba50e7f84686a5083d771933610731c9cf22
  SHA256: 450d6af1d1a266a51920d7f61076d371289ee276f89398af5037615dc23288bb
  SHA512: 2f2a3511a5e8ad3b770d9ea7d8e48b2b8596a194f903bc75a2f453f9ecdbb3a3f4764e0ed20aaa65479d0cb458b638d04ab43c66c491940ba48fe6b448e327b6
- Filesize: 65KB
  MD5: a6908142eedc768ead1975e3a65f46c1
  SHA1: 548b242412ef8a14d468d02725a758501e75c471
  SHA256: 6c5c27f3434ea80d2e56f277ca6d7265aa2425bd2f05638246372490d1e67640
  SHA512: d643c479bfb7264e76d2ef406a7207462021ba209b498e14a450565fda6b4ea46110734046d301473053608563347490d2d2d69e7ab4c02a2c0219da34d33550