Overview

overview

10

Static

static

3

f6ca759ba8...c4.exe

windows7-x64

10

f6ca759ba8...c4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-06-2024 05:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe

  • Size

    206KB

  • MD5

    765abd0efdd3288f2181237ba07b6e05

  • SHA1

    dc76aa3717681c63485ae7837969f34e129168fb

  • SHA256

    f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4

  • SHA512

    8207d55a0924bfd3218692330d28c985726b27acd025f6d67bc7e3e6858411049cf1ca6736622eedcfb8398cf954bb6caa68138cf19a4324575720da371934f8

  • SSDEEP

    3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unLQ:5vEN2U+T6i5LirrllHy4HUcMQY6KQ

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe
    "C:\Users\Admin\AppData\Local\Temp\f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:220
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1716
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3232
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1440
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1896
          • C:\Windows\SysWOW64\at.exe
            at 05:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1436
            • C:\Windows\SysWOW64\at.exe
              at 05:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2576
              • C:\Windows\SysWOW64\at.exe
                at 05:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3604

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          206KB

          MD5

          c1904f9dc5762c88369908b44fae99c2

          SHA1

          4df01469ecf0152205460134cd006d3756aa1947

          SHA256

          b055ab47b59848e329feceba537c7dd529b39b97f4aff56ae8ab0777d87f2a3a

          SHA512

          6c5ce09030240c8b96975678000a35aaf0b6434725d19c0d0ca5ddda21717a23b875762b19ea0f72f265f453c216782f1df65a03eedeb48ff55d3604bb5c3be4

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          206KB

          MD5

          f4262ef52b5685fdb2f8be0fd45d7d8d

          SHA1

          5209e2c5f076a8c0e32fa829a1e03fbcc33ea7b3

          SHA256

          6334d3db2957c4bf4990c05fd002c1b4d0d35171fab6cd0397c71704a9a55349

          SHA512

          d1d780513bf32623acac5835cb4c5b0e1f347bb5347d28f0b2c30f5db2c388cdb036729323e5040c931a546d973f10b573893fa01e434381d8b69401ff69b1ab

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          206KB

          MD5

          3ce59b824541e8e56899dae314c8f988

          SHA1

          002406b3a066f62a3776686804ff9334ccaf3bfd

          SHA256

          e01e9a2f3f5774c8b407d9569fd887c2fabdf0d79e9bbb2221c2e63d1d808f22

          SHA512

          5b873dd4f2f3248e957903011d0efeca0ce34033278e51dcb3f020689c60934e058d19969cf116c7723325acc60451cc30bacb3b430f6508c9104ca45816b20b

          Download Submit

        • \??\c:\windows\system\explorer.exe
          Filesize

          206KB

          MD5

          65fca0c71012d88e0a5bcc399cbda4ff

          SHA1

          ebba333fec9a16d2588fbf4fa5d8d5bd673a0c7f

          SHA256

          22f6841860549bb547c703bedbc4275ba5ba8cd518e701fc710257b446583579

          SHA512

          ca62be381dadb56a7fdb3406469b73c63248adcd712634ce7e1026f644ccf715764612112ed9c8921dcd18856714ff59b5a8a83c3484f7d82c718560ccdc4db4

          Download Submit

        • memory/220-0-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/220-37-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1716-9-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1896-33-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/3232-36-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download