Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 03:53
Static task: static1
Behavioral task: behavioral1
  Sample: d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe
  Resource: win10v2004-20240508-en
General
Target: d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe
Size: 199KB
MD5: 02e04cb9835c61b7a67b4fb33d61b341
SHA1: fd43bb828ea798f3d0f1d48b9f8a25c610494ae0
SHA256: d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad
SHA512: 1e2b4b71ba579c57cb0897045c2c55a28d780a5da411b504d82ea8301c6201c1cd767c3f38a408d4fe22aea6eaae4d8fbf2573583879f2d319c9d420649c1b9c
SSDEEP: 3072:7vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u4PmuY:7vEN2U+T6i5LirrllHy4HUcMQY6y
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe

Executes dropped EXE (4 IoCs)
pid | Process
4588 | explorer.exe
4432 | spoolsv.exe
4536 | svchost.exe
4888 | spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe

Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process (64 entries, as reported): 2740 d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe 2740 d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe 4588 explorer.exe 4588 explorer.exe 4588 explorer.exe 4588 explorer.exe 4588 explorer.exe 4588 explorer.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe 4536 svchost.exe 4536 svchost.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4588 explorer.exe 4536 svchost.exe 4536 svchost.exe 4588 explorer.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe 4536 svchost.exe 4588 explorer.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe 4536 svchost.exe 4588 explorer.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4588 explorer.exe 4536 svchost.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe 4588 explorer.exe 4536 svchost.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
4588 | explorer.exe
4536 | svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
2740 | d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe
2740 | d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe
4588 | explorer.exe
4588 | explorer.exe
4432 | spoolsv.exe
4432 | spoolsv.exe
4536 | svchost.exe
4536 | svchost.exe
4888 | spoolsv.exe
4888 | spoolsv.exe
4588 | explorer.exe
4588 | explorer.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 2740 wrote to memory of 4588 | 2740 | d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe | 90
PID 2740 wrote to memory of 4588 | 2740 | d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe | 90
PID 2740 wrote to memory of 4588 | 2740 | d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe | 90
PID 4588 wrote to memory of 4432 | 4588 | explorer.exe | 91
PID 4588 wrote to memory of 4432 | 4588 | explorer.exe | 91
PID 4588 wrote to memory of 4432 | 4588 | explorer.exe | 91
PID 4432 wrote to memory of 4536 | 4432 | spoolsv.exe | 92
PID 4432 wrote to memory of 4536 | 4432 | spoolsv.exe | 92
PID 4432 wrote to memory of 4536 | 4432 | spoolsv.exe | 92
PID 4536 wrote to memory of 4888 | 4536 | svchost.exe | 93
PID 4536 wrote to memory of 4888 | 4536 | svchost.exe | 93
PID 4536 wrote to memory of 4888 | 4536 | svchost.exe | 93
PID 4536 wrote to memory of 3952 | 4536 | svchost.exe | 94
PID 4536 wrote to memory of 3952 | 4536 | svchost.exe | 94
PID 4536 wrote to memory of 3952 | 4536 | svchost.exe | 94
PID 4536 wrote to memory of 2216 | 4536 | svchost.exe | 112
PID 4536 wrote to memory of 2216 | 4536 | svchost.exe | 112
PID 4536 wrote to memory of 2216 | 4536 | svchost.exe | 112
PID 4536 wrote to memory of 1544 | 4536 | svchost.exe | 117
PID 4536 wrote to memory of 1544 | 4536 | svchost.exe | 117
PID 4536 wrote to memory of 1544 | 4536 | svchost.exe | 117
Processes
(indentation shows the parent/child tree; the level reported by the sandbox is given after each image path)

C:\Users\Admin\AppData\Local\Temp\d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d857773a9d859db7e56f5750cf02c1bd11e5d2daa4ed778df2da81ec692f34ad.exe"
  PID: 2740
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe (level 2)
    Command line: c:\windows\system\explorer.exe
    PID: 4588
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe (level 3)
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 4432
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe (level 4)
        Command line: c:\windows\system\svchost.exe
        PID: 4536
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe (level 5)
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 4888
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe (level 5)
          Command line: at 03:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 3952

        C:\Windows\SysWOW64\at.exe (level 5)
          Command line: at 03:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2216

        C:\Windows\SysWOW64\at.exe (level 5)
          Command line: at 03:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3452,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8
  PID: 2932
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads