Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2024 03:53

General

  • Target

    d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe

  • Size

    199KB

  • MD5

    02e04cb9835c61b7a67b4fb33d61b341

  • SHA1

    fd43bb828ea798f3d0f1d48b9f8a25c610494ae0

  • SHA256

    d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad

  • SHA512

    1e2b4b71ba579c57cb0897045c2c55a28d780a5da411b504d82ea8301c6201c1cd767c3f38a408d4fe22aea6eaae4d8fbf2573583879f2d319c9d420649c1b9c

  • SSDEEP

    3072:7vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u4PmuY:7vEN2U+T6i5LirrllHy4HUcMQY6y

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe
    "C:\Users\Admin\AppData\Local\Temp\d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2740
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4588
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4432
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4536
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4888
          • C:\Windows\SysWOW64\at.exe
            at 03:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:3952
            • C:\Windows\SysWOW64\at.exe
              at 03:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2216
              • C:\Windows\SysWOW64\at.exe
                at 03:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1544
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3452,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8
          1⤵
            PID:2932

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\mrsys.exe

            Filesize

            216KB

            MD5

            f907492051b58f8815187163d569c8c1

            SHA1

            902cdebd52ffc786d3ee2034886bef83a314c850

            SHA256

            5a1ffdeadd1013cd8e6a50518e11a0e8c2cf539f65a58832350d5019b944b700

            SHA512

            122ff8e89999495807f197774006f3b4e232b98e8f5ca0e6d1fc587b7a2da77e9a41bc323cc101bf27f20bd7b731c3bea2a772f95315107371c99fbe68916db4

          • C:\Windows\System\spoolsv.exe

            Filesize

            216KB

            MD5

            fadf032300c01367ac8301ed257ec8c3

            SHA1

            8d417c6dc2518aaaef4c01b585fff55f9c0d734e

            SHA256

            c23c83475b28728965d145200d8301958c37a4fd3f1fb92b5631fe4cd1b2b656

            SHA512

            228bd0a201b4379790b34c5eac5ee487967bd3db9788ce92433504dc62b820ef5a1c06b284cff4362ecf0557b8127e64a318a359cb8ceaa739b17389763b9a8e

          • C:\Windows\System\svchost.exe

            Filesize

            216KB

            MD5

            2045f95d6d0dd2a628a481f0aa0981db

            SHA1

            e8af5ee0f2653a4cecf87e7ead471d68251869ce

            SHA256

            a8fc3b681ca2402c61d752d92e1e99855196dbb0b8d90b4d6640aebda43b1d79

            SHA512

            8c04de8e4a17499bc04a37ca85bad509cee3a53800bc8a4f1a46d568d02a43114f9265eae11394ff3c7e31e331407035ef446840a448a64a62aeb9b338f72aee

          • \??\c:\windows\system\explorer.exe

            Filesize

            216KB

            MD5

            3f66d90b06a020bde2f856cb322d919f

            SHA1

            3d268de311017ea07f9ca08495089d9266545987

            SHA256

            eaf85bfb9128a5dd1bd72b5c95908543825ec8ea100c1f44df42497b60f34a18

            SHA512

            959d0f8a2dfb846aad422762cc09764da5b1993d9098bfe80744d45fe636233de9f970b08e583dc3ae623e09d69286990ad3764a58f00268cc58ffe6eab0beed

          • memory/2740-0-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

          • memory/2740-37-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

          • memory/4432-36-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

          • memory/4588-8-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

          • memory/4888-33-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB