Analysis

| Field | Value |
|---|---|
| max time kernel | 150s |
| max time network | 123s |
| platform | windows10-2004_x64 |
| resource | win10v2004-20240426-en |
| resource tags | arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system |
| submitted | 01-06-2024 03:43 |
| Task | Sample | Resource |
|---|---|---|
| Static task static1 | | |
| Behavioral task behavioral1 | d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe | win7-20240215-en |
| Behavioral task behavioral2 | d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe | win10v2004-20240426-en |
General

| Field | Value |
|---|---|
| Target | d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe |
| Size | 65KB |
| MD5 | 2514b1ea9181355c60f8fecd2079d520 |
| SHA1 | a29773eabbd64ff10fabe570a288c44231c69c87 |
| SHA256 | d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95 |
| SHA512 | c3942b709634cebe0a899440ed3de53e1c3b21c4c9aacc17056c61372378099c532c7277e8aac109f64b5b832c577280c20afee871b7a93affe45320c43f7d66 |
| SSDEEP | 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Oujjjjjjjjjjjjjjjjjjj4:7WNqkOJWmo1HpM0MkTUmu0 |
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe |
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe |
Executes dropped EXE (4 IoCs)

| pid | Process |
|---|---|
| 4160 | explorer.exe |
| 4440 | spoolsv.exe |
| 2896 | svchost.exe |
| 4804 | spoolsv.exe |
Adds Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe |
Drops file in Windows directory (6 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe |
| File opened for modification | C:\Windows\system\udsys.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe |
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)

The 64 events come from three processes (repeated pid/Process rows collapsed):

| pid | Process |
|---|---|
| 1660 | d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe |
| 4160 | explorer.exe |
| 2896 | svchost.exe |
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| pid | Process |
|---|---|
| 2896 | svchost.exe |
| 4160 | explorer.exe |
Suspicious use of SetWindowsHookEx (12 IoCs)

The 12 events come from five processes (repeated pid/Process rows collapsed):

| pid | Process |
|---|---|
| 1660 | d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe |
| 4160 | explorer.exe |
| 4440 | spoolsv.exe |
| 2896 | svchost.exe |
| 4804 | spoolsv.exe |
Suspicious use of WriteProcessMemory (21 IoCs)

Each write below is recorded three times in the raw log; the seven distinct parent/child pairs are:

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1660 wrote to memory of 4160 | 1660 | d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe | 82 |
| PID 4160 wrote to memory of 4440 | 4160 | explorer.exe | 83 |
| PID 4440 wrote to memory of 2896 | 4440 | spoolsv.exe | 84 |
| PID 2896 wrote to memory of 4804 | 2896 | svchost.exe | 85 |
| PID 2896 wrote to memory of 3952 | 2896 | svchost.exe | 87 |
| PID 2896 wrote to memory of 2316 | 2896 | svchost.exe | 99 |
| PID 2896 wrote to memory of 2632 | 2896 | svchost.exe | 101 |
Processes

Process tree (indentation shows parent/child relationship; each entry lists the image path, PID, command line and the signatures that fired on it):

C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe (PID 1660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe (PID 4160)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe (PID 4440)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe (PID 2896)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe (PID 4804)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe (PID 3952)
          Command line: at 03:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        C:\Windows\SysWOW64\at.exe (PID 2316)
          Command line: at 03:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        C:\Windows\SysWOW64\at.exe (PID 2632)
          Command line: at 03:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads

Four dropped files, each 65KB.