Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-06-2024 03:43

General

  • Target
    d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe
  • Size
    65KB
  • MD5
    2514b1ea9181355c60f8fecd2079d520
  • SHA1
    a29773eabbd64ff10fabe570a288c44231c69c87
  • SHA256
    d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95
  • SHA512
    c3942b709634cebe0a899440ed3de53e1c3b21c4c9aacc17056c61372378099c532c7277e8aac109f64b5b832c577280c20afee871b7a93affe45320c43f7d66
  • SSDEEP
    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Oujjjjjjjjjjjjjjjjjjj4:7WNqkOJWmo1HpM0MkTUmu0

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe
    "C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2152
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2916
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2500
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2492
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2384
          • C:\Windows\SysWOW64\at.exe
            at 03:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:1368
          • C:\Windows\SysWOW64\at.exe
            at 03:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2392
          • C:\Windows\SysWOW64\at.exe
            at 03:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2904

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize: 65KB
    MD5: 3237082280f25bcc0173810ad2df0cee
    SHA1: 6e42a644bfe28a0f62dc403680559a163bf600eb
    SHA256: 18828627f4a7f5f31ac4cb2db26183a4a6b5676ffe8180937437a73c1050d6a2
    SHA512: 2c8299c08f42693494dfda93682e1b78e9bcd52444cfe370757112e659136ba852222e884d0388a7cc8c2ae7b7077f20c18ad594c7270e912bc7ed101075d9e9

  • \Windows\system\explorer.exe
    Filesize: 65KB
    MD5: 0a44449ca9b13f435053f6d71f295975
    SHA1: 7fdcf1f67bd0ca10f4a1ea97d60f2705a1df6dea
    SHA256: 2f9465227b1c76355030a7431cfca1617281541375b8d9ddb5a31cfb090c2379
    SHA512: 419110ed2dc04ba67b2c175d55bc23333da401013ccfc5e53988b86b3c9267fa2c5f5e4740d45bdf4239fceb14580291a3f27ed3cc23440f6cfadc0837b0314d

  • \Windows\system\spoolsv.exe
    Filesize: 65KB
    MD5: b6f5c490cf8004d43085accd9165b12c
    SHA1: b30bba50e7f84686a5083d771933610731c9cf22
    SHA256: 450d6af1d1a266a51920d7f61076d371289ee276f89398af5037615dc23288bb
    SHA512: 2f2a3511a5e8ad3b770d9ea7d8e48b2b8596a194f903bc75a2f453f9ecdbb3a3f4764e0ed20aaa65479d0cb458b638d04ab43c66c491940ba48fe6b448e327b6

  • \Windows\system\svchost.exe
    Filesize: 65KB
    MD5: a6908142eedc768ead1975e3a65f46c1
    SHA1: 548b242412ef8a14d468d02725a758501e75c471
    SHA256: 6c5c27f3434ea80d2e56f277ca6d7265aa2425bd2f05638246372490d1e67640
    SHA512: d643c479bfb7264e76d2ef406a7207462021ba209b498e14a450565fda6b4ea46110734046d301473053608563347490d2d2d69e7ab4c02a2c0219da34d33550

  • memory/2152-3-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/2152-79-0x0000000000401000-0x000000000042E000-memory.dmp (Filesize: 180KB)
  • memory/2152-12-0x0000000002710000-0x0000000002741000-memory.dmp (Filesize: 196KB)
  • memory/2152-54-0x0000000000020000-0x0000000000024000-memory.dmp (Filesize: 16KB)
  • memory/2152-2-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize: 1.3MB)
  • memory/2152-78-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/2152-4-0x0000000000401000-0x000000000042E000-memory.dmp (Filesize: 180KB)
  • memory/2152-58-0x0000000000401000-0x000000000042E000-memory.dmp (Filesize: 180KB)
  • memory/2152-1-0x0000000000020000-0x0000000000024000-memory.dmp (Filesize: 16KB)
  • memory/2152-0-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/2384-66-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize: 1.3MB)
  • memory/2384-72-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/2492-65-0x00000000029D0000-0x0000000002A01000-memory.dmp (Filesize: 196KB)
  • memory/2492-84-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/2492-55-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize: 1.3MB)
  • memory/2500-41-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/2500-53-0x00000000027A0000-0x00000000027D1000-memory.dmp (Filesize: 196KB)
  • memory/2500-37-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize: 1.3MB)
  • memory/2500-76-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/2500-36-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/2916-35-0x0000000000750000-0x0000000000781000-memory.dmp (Filesize: 196KB)
  • memory/2916-21-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/2916-19-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize: 1.3MB)
  • memory/2916-81-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/2916-82-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/2916-18-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/2916-93-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)