Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 03:53
Static task: static1

| Behavioral task | Sample | Resource |
| --- | --- | --- |
| behavioral1 | d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe | win7-20240419-en |
| behavioral2 | d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe | win10v2004-20240508-en |
General
Target: d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe
Size: 199KB
MD5: 02e04cb9835c61b7a67b4fb33d61b341
SHA1: fd43bb828ea798f3d0f1d48b9f8a25c610494ae0
SHA256: d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad
SHA512: 1e2b4b71ba579c57cb0897045c2c55a28d780a5da411b504d82ea8301c6201c1cd767c3f38a408d4fe22aea6eaae4d8fbf2573583879f2d319c9d420649c1b9c
SSDEEP: 3072:7vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u4PmuY:7vEN2U+T6i5LirrllHy4HUcMQY6y
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe |
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
Executes dropped EXE (4 IoCs)

| pid | Process |
| --- | --- |
| 1728 | explorer.exe |
| 2340 | spoolsv.exe |
| 2744 | svchost.exe |
| 2516 | spoolsv.exe |
Loads dropped DLL (8 IoCs; each process listed twice in the report)

| pid | Process | entries |
| --- | --- | --- |
| 2428 | d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe | 2 |
| 1728 | explorer.exe | 2 |
| 2340 | spoolsv.exe | 2 |
| 2744 | svchost.exe | 2 |
Adds Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe |
Drops file in Windows directory (6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | \??\c:\windows\system\explorer.exe | d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe |
| File opened for modification | C:\Windows\system\udsys.exe | explorer.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs; the report repeats the same three pid/process pairs, listed once each here)

| pid | Process |
| --- | --- |
| 2428 | d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe |
| 1728 | explorer.exe |
| 2744 | svchost.exe |
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| pid | Process |
| --- | --- |
| 1728 | explorer.exe |
| 2744 | svchost.exe |
Suspicious use of SetWindowsHookEx (12 IoCs)

| pid | Process | entries |
| --- | --- | --- |
| 2428 | d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe | 2 |
| 1728 | explorer.exe | 4 |
| 2340 | spoolsv.exe | 2 |
| 2744 | svchost.exe | 2 |
| 2516 | spoolsv.exe | 2 |
Suspicious use of WriteProcessMemory (28 IoCs; each write is recorded four times in the report)

| description | pid | Process | procid_target | entries |
| --- | --- | --- | --- | --- |
| PID 2428 wrote to memory of 1728 | 2428 | d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe | 28 | 4 |
| PID 1728 wrote to memory of 2340 | 1728 | explorer.exe | 29 | 4 |
| PID 2340 wrote to memory of 2744 | 2340 | spoolsv.exe | 30 | 4 |
| PID 2744 wrote to memory of 2516 | 2744 | svchost.exe | 31 | 4 |
| PID 2744 wrote to memory of 2360 | 2744 | svchost.exe | 32 | 4 |
| PID 2744 wrote to memory of 1916 | 2744 | svchost.exe | 36 | 4 |
| PID 2744 wrote to memory of 2308 | 2744 | svchost.exe | 38 | 4 |
Processes

C:\Users\Admin\AppData\Local\Temp\d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe (PID 2428)
  command line: "C:\Users\Admin\AppData\Local\Temp\d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe (PID 1728)
    command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe (PID 2340)
      command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe (PID 2744)
        command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe (PID 2516)
          command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe (PID 2360)
          command line: at 03:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        C:\Windows\SysWOW64\at.exe (PID 1916)
          command line: at 03:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        C:\Windows\SysWOW64\at.exe (PID 2308)
          command line: at 03:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads