Overview

overview

10

Static

static

3

81a2b08ade...7e.exe

windows7-x64

10

81a2b08ade...7e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/06/2024, 00:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe

  • Size

    65KB

  • MD5

    1776870e08d43bad71031a61c0338a53

  • SHA1

    436ace6e362807fc0e19ae5aea4ffd7b78d8ee0b

  • SHA256

    81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e

  • SHA512

    7f3bd946f304d079ceb96334d69268dfa0259a332b7b99b3f29556a48f7205e86c5df2af863f871f98822094650ba86f2b95341d9c27f248ecfeb61d5e3fba3a

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuT:7WNqkOJWmo1HpM0MkTUmuT

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe
    "C:\Users\Admin\AppData\Local\Temp\81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3148
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4676
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2360
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4232
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:224
          • C:\Windows\SysWOW64\at.exe
            at 00:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:5036
            • C:\Windows\SysWOW64\at.exe
              at 00:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:4588
              • C:\Windows\SysWOW64\at.exe
                at 00:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4460
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:3648

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\mrsys.exe
            Filesize

            65KB

            MD5

            d85acbb987686c64471a3107bd6aea33

            SHA1

            1456cc8a34c3e03ef66c9e82c80d36705b7027c5

            SHA256

            3508fd2cade2a2485f1f8bc990572fbad5b07a5d0963ae063d01ece8fa37b280

            SHA512

            0164ea9acc55f36f644e9274b3ece9979997951983cc1cf3f22596eec774a9335f6540105109dc93433e052417796f1d907be41ea91243e9d238f634d1a4a565

            Download Submit

          • C:\Windows\System\explorer.exe
            Filesize

            65KB

            MD5

            46057c0f1f5d55d9584a6e35fe6272e8

            SHA1

            9565e744eda4668793d23f8e54c5523b0ed07f2e

            SHA256

            cad40d777bc80abdf1d4090eb28b8dfb61ad0750867c519faf002974be69b448

            SHA512

            766fbd96c1a3385ac485f9edc2eaf6a7b12ae44e824041e5d9206868696eedd887aac7fc109ebb5c3be9ffab6b57d71e315943319839c56af07f91b05b86e11f

            Download Submit

          • C:\Windows\System\spoolsv.exe
            Filesize

            65KB

            MD5

            f08b97d36365882f056ca4dfb54d8cab

            SHA1

            46cc5f6827a3ebcbc6aedbc288b3237b52017798

            SHA256

            637bc1cc1f00954d08ef56fbb1723833dc8d2145f46bbbcd218def9c86e0ea28

            SHA512

            6490c2018009a0bb444beafe3b46870cbbe08fc57113fb77cf56bcc522e961e9b40592d044e8bbea1b458575c701c3ac7d6b5ee025fca0a441d8a8b614996655

            Download Submit

          • C:\Windows\System\svchost.exe
            Filesize

            65KB

            MD5

            adf9707f33bffdaf3e7c300653d0784f

            SHA1

            747e386dcfb58574ad7052a679a5b995f0ae0a09

            SHA256

            382297f4b64b0fb8431d4532802216b28083fb847799ef4033af35ce84e01968

            SHA512

            490446613ba0548f3a872e0591b59071ca00a49344a8b7ddf4a10f2c4aee1bf65255dc4b96e7d5f9d0b46c73aa2fadace9b66d1c79f05656e02a77f0b691d1d6

            Download Submit

          • memory/224-50-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/224-44-0x0000000075530000-0x000000007568D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2360-51-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/2360-25-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/2360-26-0x0000000075530000-0x000000007568D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3148-43-0x0000000000401000-0x000000000042E000-memory.dmp

            Filesize

            180KB

            Download

          • memory/3148-4-0x0000000000401000-0x000000000042E000-memory.dmp

            Filesize

            180KB

            Download

          • memory/3148-56-0x0000000000401000-0x000000000042E000-memory.dmp

            Filesize

            180KB

            Download

          • memory/3148-2-0x0000000075530000-0x000000007568D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3148-36-0x00000000001C0000-0x00000000001C4000-memory.dmp

            Filesize

            16KB

            Download

          • memory/3148-55-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3148-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

            Filesize

            16KB

            Download

          • memory/3148-0-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3148-3-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4232-37-0x0000000075530000-0x000000007568D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4232-59-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4676-13-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4676-16-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4676-14-0x0000000075530000-0x000000007568D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4676-57-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4676-70-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download