Overview

overview

10

Static

static

3

5cb51f159d...0f.exe

windows7-x64

10

5cb51f159d...0f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/06/2024, 22:03

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5cb51f159da23cb3b2e5db0261292fbf971cfb12c27485e36d8b82de5058ae0f.exe

  • Size

    65KB

  • MD5

    13db7a5460fd9a38f54786a695153506

  • SHA1

    a8c3c18d82f6f0b8a12c4301cf8d8e7fc8768bbd

  • SHA256

    5cb51f159da23cb3b2e5db0261292fbf971cfb12c27485e36d8b82de5058ae0f

  • SHA512

    99a8580cce561b6920c0c2521bbbaa15286d2c3c0e1fd459e4ebcf6848b99756c2fc50d0e2f5201f5c7a9a937eaf9c705703c2c901d6baf12bda2b9b9fcdddf2

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Oug:7WNqkOJWmo1HpM0MkTUmug

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5cb51f159da23cb3b2e5db0261292fbf971cfb12c27485e36d8b82de5058ae0f.exe
    "C:\Users\Admin\AppData\Local\Temp\5cb51f159da23cb3b2e5db0261292fbf971cfb12c27485e36d8b82de5058ae0f.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3916
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:320
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4740
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3692
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2676
          • C:\Windows\SysWOW64\at.exe
            at 22:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:5080
            • C:\Windows\SysWOW64\at.exe
              at 22:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2520
              • C:\Windows\SysWOW64\at.exe
                at 22:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4568

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\mrsys.exe
                Filesize

                65KB

                MD5

                6050d80f3d7f0b93ebb8dc238fdb04a8

                SHA1

                f6f49a04e1cd49452c9b5d0b3c8b8d552572efd2

                SHA256

                5c577efc5c0c6283334c44a8765db363a08db9c7a2e3d0ec3055bd808d6ca1cd

                SHA512

                f456a0a192fac717890c663bc1799cbcac71ed529b5f68ff4a6d96f78666a6ffa86257920869c818ff237f189935db20883a0ffbdc702db66c13644c3fb04f7e

                Download Submit

              • C:\Windows\System\explorer.exe
                Filesize

                65KB

                MD5

                661eb68e168eb83755f6f1376a39b45c

                SHA1

                e925aef5b29f17d6ab38ac548f0a5afc38150066

                SHA256

                06b149b4615fe6c93cd970b59ce8b40240f1645c3bbe938739a0e80ef881c6d7

                SHA512

                57ee19b610122ff0aebc7d748b22e86efcf8091a698dd895e7287b44e366606ffe7ef5e1864dd05ea96599798b7218f073ae53e0c3ea4a79e094a35bbac47059

                Download Submit

              • C:\Windows\System\spoolsv.exe
                Filesize

                65KB

                MD5

                a4b07da7fa2bd071a1fac6313c6002de

                SHA1

                9fc7d76cbb270c93fae0d4c62fe5329919274148

                SHA256

                c4e171c136ae743f9ca94bd3ff681df251f64ed31768df1b44952975ec95fee9

                SHA512

                3ea07e04cda883bff75f70339e156823c04550a0351eb16a79852568d4c7c95ea8292accf679007a95c53e399cbc8327fd27ca559d1891a77b6d865f38fa7de7

                Download Submit

              • C:\Windows\System\svchost.exe
                Filesize

                65KB

                MD5

                c925b9a10d6e370081170b13d9078e81

                SHA1

                4a7a4cc2bce962a568297080344461b364339153

                SHA256

                64079d956e1af9ce21789c7f0d1e50d404f1d33583c1897f16f8f3497c96c6c2

                SHA512

                08a05f623f7ad42adf0966b461b2ed87ba4f00d4bdbd8e24791f30676c0d1c1d7c0842020ea3e04f1dde485487b8937b314d7526ba613a02df9474be42c69b94

                Download Submit

              • memory/320-16-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/320-72-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/320-13-0x00000000751F0000-0x000000007534D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/320-15-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/320-61-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/320-60-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2676-45-0x00000000751F0000-0x000000007534D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2676-53-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3692-63-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3692-36-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3692-37-0x00000000751F0000-0x000000007534D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3692-41-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3916-57-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3916-44-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/3916-2-0x00000000751F0000-0x000000007534D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3916-58-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/3916-5-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/3916-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

                Filesize

                16KB

                Download

              • memory/3916-3-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3916-0-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4740-55-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4740-26-0x00000000751F0000-0x000000007534D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4740-25-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download