Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-06-2024 03:53

General

  • Target

    d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe

  • Size

    199KB

  • MD5

    02e04cb9835c61b7a67b4fb33d61b341

  • SHA1

    fd43bb828ea798f3d0f1d48b9f8a25c610494ae0

  • SHA256

    d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad

  • SHA512

    1e2b4b71ba579c57cb0897045c2c55a28d780a5da411b504d82ea8301c6201c1cd767c3f38a408d4fe22aea6eaae4d8fbf2573583879f2d319c9d420649c1b9c

  • SSDEEP

    3072:7vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u4PmuY:7vEN2U+T6i5LirrllHy4HUcMQY6y

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe
    "C:\Users\Admin\AppData\Local\Temp\d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2428
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1728
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2340
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2744
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2516
          • C:\Windows\SysWOW64\at.exe
            at 03:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2360
          • C:\Windows\SysWOW64\at.exe
            at 03:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:1916
          • C:\Windows\SysWOW64\at.exe
            at 03:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2308
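Triage note on the tree above: the dropped explorer.exe, spoolsv.exe and svchost.exe all run from c:\windows\system\, which is not C:\Windows\System32\ (a default install keeps explorer.exe in C:\Windows and the other two in System32), and each of the three at.exe invocations registers a daily /every: job that relaunches the svchost.exe copy. AT jobs run as LocalSystem, at.exe is deprecated in favour of schtasks.exe from Windows 8 onward (the image here is Windows 7, where it still works), and at.exe being resolved from SysWOW64 matches the arch:x86 tag, i.e. a 32-bit sample under WOW64 on the x64 image. The four dropped files in Downloads are all 216KB but carry four different hashes, so a detection should key on paths and behaviour rather than a single file hash. The script below is an added example, not code from the report or from the sample: it runs those two checks over (PID, image path, command line) triples transcribed from the process tree above; LEGIT_LOCATIONS (assumed default install directories) and the benign System32 svchost control entry are assumptions of the example, not data from the report.

```python
# Added triage example; not code from the report or from the analysed sample.
# Rule 1: explorer.exe/spoolsv.exe/svchost.exe running outside their default dirs.
# Rule 2: recurring at.exe jobs whose target is such a copy.
import re
from pathlib import PureWindowsPath
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Assumed default install locations (lower-case, no trailing backslash).
LEGIT_LOCATIONS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "at.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
ALL_DAYS = {"m", "t", "w", "th", "f", "s", "su"}  # at.exe /every: day codes

AT_RE = re.compile(
    r'^(?P<exe>\S*?\bat(?:\.exe)?)"?\s+'  # "at" or a full path to at.exe
    r'(?:\\\\\S+\s+)?'                    # optional \\computername
    r'(?P<time>\d{1,2}:\d{2})\s+'         # HH:MM the job fires at
    r'(?P<flags>(?:/\S+\s+)*)'            # /interactive, /every:..., /next:...
    r'(?P<target>.+?)\s*$',               # command the Schedule service runs
    re.IGNORECASE,
)

class AtJob(NamedTuple):
    time: str
    interactive: bool
    every: Tuple[str, ...]
    target: str

class Finding(NamedTuple):
    pid: int
    rule: str
    detail: str

def normalize(path: str) -> PureWindowsPath:
    """Drop quotes and the NT object-manager prefix the sandbox shows; lower-case."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return PureWindowsPath(p.lower())

def is_masquerading(path: str) -> bool:
    """True when a known system-binary name runs from a non-default directory."""
    p = normalize(path)
    allowed = LEGIT_LOCATIONS.get(p.name)
    return allowed is not None and str(p.parent) not in allowed

def parse_at(cmdline: str) -> Optional[AtJob]:
    """Parse `at HH:MM [/interactive] [/every:days] command`; None if not an at call."""
    m = AT_RE.match(cmdline.strip())
    if not m:
        return None
    interactive, every = False, ()
    for flag in m.group("flags").split():
        name, _, value = flag[1:].partition(":")
        if name.lower() == "interactive":
            interactive = True
        elif name.lower() == "every":
            every = tuple(value.split(","))
    return AtJob(m.group("time"), interactive, every, m.group("target"))

def triage(processes: Iterable[Tuple[int, str, str]]) -> List[Finding]:
    """Run both rules over (pid, image path, command line) triples."""
    findings: List[Finding] = []
    for pid, image, cmdline in processes:
        if is_masquerading(image):
            findings.append(Finding(pid, "masquerading-system-binary", str(normalize(image))))
        job = parse_at(cmdline)
        if job is None:
            continue
        reasons = []
        if {d.lower() for d in job.every} == ALL_DAYS:
            reasons.append("fires every day")
        elif job.every:
            reasons.append("recurs on " + ",".join(job.every))
        if job.interactive:
            reasons.append("/interactive (AT jobs run as LocalSystem)")
        if is_masquerading(job.target.split()[0].strip('"')):  # unquoted target paths only
            reasons.append("target masquerades as a system binary")
        if reasons:
            findings.append(Finding(pid, "at-job-persistence", f"{job.time} {job.target}: " + "; ".join(reasons)))
    return findings

# Transcribed from the process tree above (PID, image, command line); the final
# System32 svchost entry is a constructed benign control, not from the report.
REPORT_PROCESSES = [
    (2428, r"C:\Users\Admin\AppData\Local\Temp\d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe", r'"C:\Users\Admin\AppData\Local\Temp\d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe"'),
    (1728, r"\??\c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe"),
    (2340, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE"),
    (2744, r"\??\c:\windows\system\svchost.exe", r"c:\windows\system\svchost.exe"),
    (2516, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe PR"),
    (2360, r"C:\Windows\SysWOW64\at.exe", r"at 03:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    (1916, r"C:\Windows\SysWOW64\at.exe", r"at 03:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    (2308, r"C:\Windows\SysWOW64\at.exe", r"at 03:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    (9999, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]
```

`triage(REPORT_PROCESSES)` returns seven findings: four masquerading-system-binary hits (PIDs 1728, 2340, 2744, 2516) and three at-job-persistence hits (PIDs 2360, 1916, 2308); the root sample and the System32 control produce nothing. The same two functions take EDR process-creation events or another sandbox's tree as input. On a live Windows 7 host, corroborate an at-job hit with `at` (or `schtasks /query`) and by listing the At*.job files in C:\Windows\Tasks, since the PID in a sandbox report is not usable as an indicator.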

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          216KB

          MD5

          176002a3e4606e449bfee63e41269c38

          SHA1

          10404c5425f4593b33790a8fd449cc8675bd7572

          SHA256

          a6c9ed453e6ba30fe1a033018e01da5bd43a12a49f6588fb838cee72e2cadb78

          SHA512

          b2d14d189d8b27bab46b4e438d16e215715915cb883d9e0123c2c6bdc837c1b4aab0b843598bc1c023101e222c52a53139ac5fd8ae126c3133093413f7849e1d

        • \Windows\system\explorer.exe

          Filesize

          216KB

          MD5

          1134575eaf6971045a6fcf47520fed85

          SHA1

          a679f7820720489ac587a968e3530aec9661a08d

          SHA256

          344eff1f93960a063dee9e5c51a95db6ee8dbcd470a5a6d01c23cb389e9b7e01

          SHA512

          afdfb6719e3de91c6a886d3dbd9f9008fb5454a6957f556ae59fce4c78363553e5b048eb714b3d4bfbeb41ab815f7fea6caf56be1719de0aca3836a6d5f160ef

        • \Windows\system\spoolsv.exe

          Filesize

          216KB

          MD5

          8529baddf2d486f7420013b4033bdb9b

          SHA1

          88374124e3d3c31917354b0c93519f64139e4572

          SHA256

          26e40e4deab46e007cd6bcfcd9a3247714ea412afe02e0b6bd27216811480640

          SHA512

          ed83f47d5a462a277dd86458f6828b243b843f43bb395ed25b8f449340812c01df8b96a41da41c08ec78e827a853ed7d626ed99bee68a2811185c3348720eccf

        • \Windows\system\svchost.exe

          Filesize

          216KB

          MD5

          b0be3bd5d06ffcbd86970e00a7a6336e

          SHA1

          e7531697503a004d247ed0d0c6e7d1b6e29a9771

          SHA256

          6178cec77fa09ff7b809a4d5ebd99a5869ffb4753daba406ab96b6920ae67d52

          SHA512

          55962d1b234adabd22319d42e37a3d60e5c1c1e02f006af29fa5fbc599cc2607ee6a137831a29a5020a9b576e94860e680d59c1589dbd8c5fadfe6bd968bc2f2

        • memory/1728-27-0x00000000026C0000-0x00000000026F1000-memory.dmp

          Filesize

          196KB

        • memory/2340-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/2428-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/2428-13-0x0000000003290000-0x00000000032C1000-memory.dmp

          Filesize

          196KB

        • memory/2428-56-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/2516-52-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/2744-43-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB