Overview

overview

10

Static

static

3

40846733ca...cc.exe

windows7-x64

10

40846733ca...cc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2024 20:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe

  • Size

    206KB

  • MD5

    036d77e8a713f3e4516aba7f2a5c2b75

  • SHA1

    5b7fd394aac8fd89f5ba681e903842f2fac8c67f

  • SHA256

    40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc

  • SHA512

    d25ddfd1375129b923e03943ebe8e80599aa3d529d747c19d734f551db67e518846b92aea49e3682c4cf846f288efec8ba60eeb1edcf8311754fc9d6157bb052

  • SSDEEP

    3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unLf:5vEN2U+T6i5LirrllHy4HUcMQY6Kf

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe
    "C:\Users\Admin\AppData\Local\Temp\40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2796
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3932
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3248
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3500
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2656
          • C:\Windows\SysWOW64\at.exe
            at 20:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1520
            • C:\Windows\SysWOW64\at.exe
              at 20:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2632
              • C:\Windows\SysWOW64\at.exe
                at 20:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3796

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          206KB

          MD5

          45d07054f61fbeac6da24544dfd76b73

          SHA1

          36cd2079c61b572cb374f65fff80b2a777dd7f7c

          SHA256

          d4702d9069843358ebdb7b3c9ee11365c613f43b8c8d8f06bdba3be945c0d419

          SHA512

          b71dba772212d359fb9f84c783f4e2a1dd42f65754b31bdb095f217d6a2e22c70d6a2acfa8bca3b67f40d66e8ef6265f77763d58f5911d132dc6773529077030

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          206KB

          MD5

          7bafb7483ad80d3a12337894e2c23d2e

          SHA1

          959e259624a84290269c806cf17d1865a65ca6c7

          SHA256

          6a1f6adff7d073cc3aa6d4f4ff01c3f087aa8731c19375416f4fe10e9f81e199

          SHA512

          12680d27894cb5ac1b55d0e374e30c083e15575cc7c9900fb76e48ab55ec9151742aa4dce9974be29f2e2d692c4aa377bed22b6c1a6efa24900db9b6bf2be4a1

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          207KB

          MD5

          3d4d757a195cd071c63592200a13ffad

          SHA1

          466c3625d65dc3748de48bb350fa677a29c14766

          SHA256

          2c5b6eb7f607b36a8bf2947a33d29c0f8a49da3798549187a062f1b0d215a4dd

          SHA512

          4c6b2aadcde050557faae387c2682e0bced55b9a3078654bb639e35de07071daf65b6cda450ddc5caf2a870c8dd4754526a286ae398cc881a0b5db82aa47bcce

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          206KB

          MD5

          09add0bde96b59dc851044b4fe77c4fd

          SHA1

          7138103dba31d2f9e5e34519e079a1316f048f32

          SHA256

          0bc652d366a31f563e330b2b7b78d32cf1dc4203ea0195dc692512fe758a3fff

          SHA512

          4ea380097aed7d91ad1c65c0a7ad3d4ee2f22bc0f206b8f9942264f077a7c1e26ea76ec00b3ecb8fd3c431323a90fefcd52cb09689ab323ea298c5948224e86d

          Download Submit

        • memory/2656-32-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2796-0-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2796-37-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/3248-35-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download