Overview

overview

10

Static

static

3

4d9c90764d...ef.exe

windows7-x64

10

4d9c90764d...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    05/06/2024, 22:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4d9c90764d8f463c1b9b83242638bc350798a1d994887ce7820ac97aa3aa99ef.exe

  • Size

    66KB

  • MD5

    cfb9dfdcce2c43a8dfd818fb3a916465

  • SHA1

    8db58dc2c8751e108a0e98fd45c9e6452912924d

  • SHA256

    4d9c90764d8f463c1b9b83242638bc350798a1d994887ce7820ac97aa3aa99ef

  • SHA512

    89ebf9aa442adbd6e5b5a734cb8510a1665c343a019cfa88b70735efefff44545faad023e6b5594b4887a439a1e83c19c35d8f69aa3082258bc1f5049e4f2c5c

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXig:IeklMMYJhqezw/pXzH9ig

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d9c90764d8f463c1b9b83242638bc350798a1d994887ce7820ac97aa3aa99ef.exe
    "C:\Users\Admin\AppData\Local\Temp\4d9c90764d8f463c1b9b83242638bc350798a1d994887ce7820ac97aa3aa99ef.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3000
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2984
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2736
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2804
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2464
          • C:\Windows\SysWOW64\at.exe
            at 22:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2356
            • C:\Windows\SysWOW64\at.exe
              at 22:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1360
              • C:\Windows\SysWOW64\at.exe
                at 22:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:2432

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\mrsys.exe
                Filesize

                66KB

                MD5

                98d3659a8ca0f0b50170dfd16ce9f1ea

                SHA1

                bc6a6e359d0efc2d986832453138f6a21b793320

                SHA256

                ae03fee0fa9dc19bc4f82fc43d012c39a5bfe792470f162821a15e54b9a554bb

                SHA512

                6f114f15be5171aa1c03adccb2d7b861d8ec24b9af463121b8f3f0cc3ca783e671010bcc1a6817a2c6ca3bfce943bdf73964cf5b3551fae24c0d9d3b7afbe27d

                Download Submit

              • \Windows\system\explorer.exe
                Filesize

                66KB

                MD5

                456a2bffcde2fda904b89c11f2ee33ba

                SHA1

                2e5b5fa4f6d8811d2168e07441bacfcf46fce9e1

                SHA256

                8cb3d7ab04a8023bdc913b1daedad13d6a88e28d2562f665a66c2b7328154c78

                SHA512

                ba32f5477b9810c8b34569d203443dbd423c90c7823d0cbc17eab5c752819a8f49311ad6c4590b62acdd73d2e71af5dfbab0525fffad87b91dc76724b24f4c3e

                Download Submit

              • \Windows\system\spoolsv.exe
                Filesize

                66KB

                MD5

                70d0101fa090b197e269c0e153bb4286

                SHA1

                1bb4f2913a32ee3f9c551f7540ddfbcfe1dddeb2

                SHA256

                50ee349736e3501a0ecfb3ac8ec6031d6842f2bc973322d175ae9f7b3d5d6107

                SHA512

                a84f15ff4bb44fb17fc73f3e4555c31acf2fadea3ec205d86c8a710854478209bc4bcda00a43e3f428f2970339db8cb7c025d3d8b30f19656e5153a2567cfcb8

                Download Submit

              • \Windows\system\svchost.exe
                Filesize

                66KB

                MD5

                7428963efc7e2116b7444c93a8065f07

                SHA1

                b9a98c9a3328861900f496acac5e3603c296610e

                SHA256

                ec2f586155e5352b08928f3c8066daa4dbf1df47e8e29424d98fafb22a1107e4

                SHA512

                0365a4d0968b64274255e6ec687d2fec59fad11013711944b278402dc65656145e83961944cbd5e20cf60646de3b98a9eb6c98c1a78916ac643d349cb89c1429

                Download Submit

              • memory/2464-71-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2464-65-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2736-41-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2736-36-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2736-75-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2736-57-0x0000000003150000-0x0000000003181000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2736-37-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2804-53-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2804-83-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2804-63-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2804-60-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2984-81-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2984-35-0x0000000003120000-0x0000000003151000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2984-92-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2984-17-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2984-20-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2984-34-0x0000000003120000-0x0000000003151000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3000-4-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/3000-19-0x0000000002620000-0x0000000002651000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3000-79-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/3000-78-0x0000000000020000-0x0000000000024000-memory.dmp

                Filesize

                16KB

                Download

              • memory/3000-77-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3000-1-0x0000000000020000-0x0000000000024000-memory.dmp

                Filesize

                16KB

                Download

              • memory/3000-3-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3000-2-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3000-0-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download