Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
03-06-2024 03:45
Static task
static1
Behavioral task
behavioral1
Sample
ca787487f1eec4b1b1bf1fd4e7edecae1cde4f6eb854695bc05f8e25695577e5.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
ca787487f1eec4b1b1bf1fd4e7edecae1cde4f6eb854695bc05f8e25695577e5.exe
Resource
win10v2004-20240508-en
General
-
Target
ca787487f1eec4b1b1bf1fd4e7edecae1cde4f6eb854695bc05f8e25695577e5.exe
-
Size
200KB
-
MD5
540639790e808383dff1db73ffb3953f
-
SHA1
904848d13943b6e5f30ff759976af770d4514863
-
SHA256
ca787487f1eec4b1b1bf1fd4e7edecae1cde4f6eb854695bc05f8e25695577e5
-
SHA512
eb461f3131221cc3ffa97087c7846a96193c6446e8f5ef3726cbc3e4fc9839b640fb1d9781ce216cbce38f926e51661148b4006747085b2831e1a67d89ec240e
-
SSDEEP
3072:7vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6uBL9it:7vEN2U+T6i5LirrllHy4HUcMQY6C9it
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Modifies Installed Components in the registry 2 TTPs 8 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe -
Executes dropped EXE 4 IoCs
pid Process 764 explorer.exe 3972 spoolsv.exe 3152 svchost.exe 1624 spoolsv.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification \??\c:\windows\system\explorer.exe ca787487f1eec4b1b1bf1fd4e7edecae1cde4f6eb854695bc05f8e25695577e5.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe svchost.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3860 ca787487f1eec4b1b1bf1fd4e7edecae1cde4f6eb854695bc05f8e25695577e5.exe 3860 ca787487f1eec4b1b1bf1fd4e7edecae1cde4f6eb854695bc05f8e25695577e5.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 764 explorer.exe 764 explorer.exe 3152 svchost.exe 3152 svchost.exe 764 explorer.exe 764 explorer.exe 3152 svchost.exe 3152 svchost.exe 764 explorer.exe 764 explorer.exe 3152 svchost.exe 3152 svchost.exe 764 explorer.exe 764 explorer.exe 764 explorer.exe 3152 svchost.exe 3152 svchost.exe 764 explorer.exe 764 explorer.exe 3152 svchost.exe 3152 svchost.exe 764 explorer.exe 764 explorer.exe 3152 svchost.exe 764 explorer.exe 3152 svchost.exe 3152 svchost.exe 764 explorer.exe 3152 svchost.exe 764 explorer.exe 3152 svchost.exe 764 explorer.exe 3152 svchost.exe 764 explorer.exe 764 explorer.exe 3152 svchost.exe 3152 svchost.exe 764 explorer.exe 3152 svchost.exe 764 explorer.exe 3152 svchost.exe 764 explorer.exe 764 explorer.exe 3152 svchost.exe 3152 svchost.exe 764 explorer.exe 764 explorer.exe 3152 svchost.exe 764 explorer.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 764 explorer.exe 3152 svchost.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 3860 ca787487f1eec4b1b1bf1fd4e7edecae1cde4f6eb854695bc05f8e25695577e5.exe 3860 ca787487f1eec4b1b1bf1fd4e7edecae1cde4f6eb854695bc05f8e25695577e5.exe 764 explorer.exe 764 explorer.exe 3972 spoolsv.exe 3972 spoolsv.exe 3152 svchost.exe 3152 svchost.exe 1624 spoolsv.exe 1624 spoolsv.exe 764 explorer.exe 764 explorer.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 3860 wrote to memory of 764 3860 ca787487f1eec4b1b1bf1fd4e7edecae1cde4f6eb854695bc05f8e25695577e5.exe 82 PID 3860 wrote to memory of 764 3860 ca787487f1eec4b1b1bf1fd4e7edecae1cde4f6eb854695bc05f8e25695577e5.exe 82 PID 3860 wrote to memory of 764 3860 ca787487f1eec4b1b1bf1fd4e7edecae1cde4f6eb854695bc05f8e25695577e5.exe 82 PID 764 wrote to memory of 3972 764 explorer.exe 83 PID 764 wrote to memory of 3972 764 explorer.exe 83 PID 764 wrote to memory of 3972 764 explorer.exe 83 PID 3972 wrote to memory of 3152 3972 spoolsv.exe 84 PID 3972 wrote to memory of 3152 3972 spoolsv.exe 84 PID 3972 wrote to memory of 3152 3972 spoolsv.exe 84 PID 3152 wrote to memory of 1624 3152 svchost.exe 85 PID 3152 wrote to memory of 1624 3152 svchost.exe 85 PID 3152 wrote to memory of 1624 3152 svchost.exe 85 PID 3152 wrote to memory of 2264 3152 svchost.exe 86 PID 3152 wrote to memory of 2264 3152 svchost.exe 86 PID 3152 wrote to memory of 2264 3152 svchost.exe 86 PID 3152 wrote to memory of 1188 3152 svchost.exe 102 PID 3152 wrote to memory of 1188 3152 svchost.exe 102 PID 3152 wrote to memory of 1188 3152 svchost.exe 102 PID 3152 wrote to memory of 656 3152 svchost.exe 112 PID 3152 wrote to memory of 656 3152 svchost.exe 112 PID 3152 wrote to memory of 656 3152 svchost.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca787487f1eec4b1b1bf1fd4e7edecae1cde4f6eb854695bc05f8e25695577e5.exe"C:\Users\Admin\AppData\Local\Temp\ca787487f1eec4b1b1bf1fd4e7edecae1cde4f6eb854695bc05f8e25695577e5.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1624
-
-
C:\Windows\SysWOW64\at.exeat 03:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:2264
-
-
C:\Windows\SysWOW64\at.exeat 03:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:1188
-
-
C:\Windows\SysWOW64\at.exeat 03:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:656
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216KB
MD54bdb42638e3003efe509ec688fde214d
SHA19e3e2360bf6be4578d51728f8c88560e8e1af657
SHA256679a13f26c1221e6c544026422f5740887dcf136af6a09377fc8ae175c6519dd
SHA512b861b8bfeb6ca9cb787136f1c296156b82588e16e5a55ec7fb70b02959ce65135e31e4f54c97d77d35815f1d51f0d7786a05f5936bb5803b16f5f35a2325cd74
-
Filesize
216KB
MD587433a3d13c13c63a7645935fc98b541
SHA1bd72cc6b1452ce2be60cc0f008f180d34be6adb8
SHA256d73550a61be42e7914fed65f86443e68edd3bce3bfe189a7be8aa2665cbc0fcf
SHA512e75ad321e132b86ff0c4f619e4138e0866a8c6c265970bcf0c2e12ba7099d2100e1f3925cc94aeca557ef1d2ad77d2f57efb600c1e62ab21940c5d4eb56e8498
-
Filesize
216KB
MD56006098cd175b07b15957316b0e7ef37
SHA196424f96b9f278aededefb6346b5b7297384b973
SHA2568b11243e746ebd847427acb9d4fa51c3120b2fc515b1e9a073175c0c7cfeedb8
SHA512f9032461cded31bf11f62a9b92dd4fbaf67fe94f35e39cf48ab954281d78c180e269a3e865dbf04bcf805c6bf01345495f78f6a6feb6567afeb526e11528a870
-
Filesize
216KB
MD5b91bd1142afcb0af92e1cb392877a16a
SHA1dbb487454dea546d8848eaa1337dc4fe8ea88c75
SHA256142fa01cc22bafb73d0212956081829c0f433a2f71aed1e5c97edd1015542f4f
SHA51230fa2494eb5ae7c4a6a35749c37a720753b047f02fd0bd0b56343d2093cc053fb97057635f14995b1c7abf5472ac57b52c559f22fe19a50eb8a893ad7cfee6e7