Overview

overview

10

Static

static

3

7f29b94717...95.exe

windows7-x64

10

7f29b94717...95.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06/06/2024, 01:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95.exe

  • Size

    2.3MB

  • MD5

    703e39b826f8f94fc1d1423cee8b5abf

  • SHA1

    51e6e6f9ddb023f7d749c26157931ecfb27c4615

  • SHA256

    7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95

  • SHA512

    639aa4158cb878816e853b976871ca4fe678eb45042b28e0cd550731acdd5387ab4ba06bc5023e41a8103d77cc1507911a2af6297ecdf4a05a2e9ea60782f91e

  • SSDEEP

    49152:SLDEfWcnLJ6I3BUz8fsK5CdoQmTZMCpylljm:tXnL73XHdFHpqm

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95.exe
    "C:\Users\Admin\AppData\Local\Temp\7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1676
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2324
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2632
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2676
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:2472
          • C:\Windows\SysWOW64\at.exe
            at 01:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1800
            • C:\Windows\SysWOW64\at.exe
              at 01:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1964
              • C:\Windows\SysWOW64\at.exe
                at 01:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1624

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\mrsys.exe
                Filesize

                2.3MB

                MD5

                acad8993b94ea5bfa242362bd2c70d87

                SHA1

                4cee50fe96c110ecdd4d2bf8e69a0db99417671f

                SHA256

                601815159dbc2fe84d2f135036c3616e0011e3a9baf565111e27f20dbd1beb50

                SHA512

                75308fd3e433b6004b7750367a06344e9878db22bb976769799a0b9939b948838cc2af7d83c9933574b2c6255f283a31d92c110b90c1376c67027aa92542ba16

                Download Submit

              • \Windows\system\explorer.exe
                Filesize

                2.3MB

                MD5

                e8d20e760f74e1577f3d37313c088b67

                SHA1

                2d204961d10ec33ecffc0f514cf12e1e67cb6aba

                SHA256

                948dc00c2655ccf5638f5e647214db9149cc81312336bcb78a197597ae50b0a1

                SHA512

                385e1b19932215d2b64ca015add1fb7d397cf733b2500b4ee457e48d95dd23c6bfe3fd49f3b8c021e1c0ba708bae34b82276366a716f59b625516f1e9913e027

                Download Submit

              • \Windows\system\spoolsv.exe
                Filesize

                2.3MB

                MD5

                978f2eb9de89e52040748e1bcb5cbc7e

                SHA1

                c888e09cec40c1a7dfbb14c248240dade6952ae9

                SHA256

                7f191ac175399527df9bd893c8434ac19b935174cb2ec83f6c910c859abf1eb1

                SHA512

                90f5e6e6f63f76b82e43df5d40a45d0ddd3008413992d5d124222bec90cb355a47bbcadcefedc969155927ceed0ab727de6e7626d71e9dbc985b741e6bdc589b

                Download Submit

              • \Windows\system\svchost.exe
                Filesize

                2.3MB

                MD5

                85c9d49d8ec3e625d52981df462cb6d9

                SHA1

                6d2341d1ca8501ab6e77621aa224713abab9f2e7

                SHA256

                5a1060cfc94382e9a7a5b21f3693207a7db96238f7a8de1d2a23f09b0515dac6

                SHA512

                a0bb0cbd23c1c77cf404f7bb8009145c1f6ea7318247f0c57de0aafe00f740e5ca4473cd1d77c3179696b1d3ed9d8447fdbde90bf0b35c4e1153799c736be8ac

                Download Submit

              • memory/1676-63-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/1676-0-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/1676-16-0x0000000004AB0000-0x000000000533A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/1676-66-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

                Filesize

                3.8MB

                Download

              • memory/1676-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

                Filesize

                3.8MB

                Download

              • memory/1676-14-0x0000000004AB0000-0x000000000533A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2324-17-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2324-85-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2324-93-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2324-81-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2324-79-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2324-77-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2324-83-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2324-32-0x0000000004A50000-0x00000000052DA000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2324-73-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2324-21-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

                Filesize

                3.8MB

                Download

              • memory/2324-67-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2324-89-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2324-71-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2472-59-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2632-35-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2632-46-0x0000000004910000-0x000000000519A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2632-54-0x0000000004910000-0x000000000519A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2632-64-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2676-68-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2676-78-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2676-82-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2676-76-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2676-84-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2676-72-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2676-86-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2676-88-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2676-90-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2676-70-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2676-92-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2676-94-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download

              • memory/2676-58-0x0000000000400000-0x0000000000C8A000-memory.dmp

                Filesize

                8.5MB

                Download