Overview

overview

10

Static

static

3

6fddec5d8f...30.exe

windows7-x64

10

6fddec5d8f...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2024, 03:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fddec5d8fc66bcf441e99b2a3be8830.exe

  • Size

    65KB

  • MD5

    6fddec5d8fc66bcf441e99b2a3be8830

  • SHA1

    a23f13a250c72c7e033accffcad88c5e3bab5ab4

  • SHA256

    d0203818d3d8b32bf5a293d29cb4fef1ccfe0502ca8207977dd70430306f2121

  • SHA512

    f4fe79af6cf7836406f6243338ab0f949cfc8ab551a15adc685dd15fb288ce2a037a7c4daf56b80e19e4acbcfc64d1d4695df391c671a8037e1da52a636387ed

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ouh:7WNqkOJWmo1HpM0MkTUmuh

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fddec5d8fc66bcf441e99b2a3be8830.exe
    "C:\Users\Admin\AppData\Local\Temp\6fddec5d8fc66bcf441e99b2a3be8830.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1028
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2760
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2828
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2776
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2520
          • C:\Windows\SysWOW64\at.exe
            at 03:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2088
            • C:\Windows\SysWOW64\at.exe
              at 03:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1556
              • C:\Windows\SysWOW64\at.exe
                at 03:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:904

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          f03926030f62591916770723b3c5c02d

          SHA1

          0120c997048d4be6386437cdb4252ba69b6772af

          SHA256

          49d8aafae155b6f95cbac9144454625ca8ff22dacfc95bd63c47de6632644f53

          SHA512

          22721da3dfeb852a513ebebab20c2fb3e91e631ed746c27d1bcba09f33adca536833204d018155efa958933448bfde727d75c7fdb565066300e0bdea94d74e32

          Download Submit

        • C:\Windows\system\svchost.exe
          Filesize

          65KB

          MD5

          8dcdad81d8b72dc6a7d2186532d9f26c

          SHA1

          05adbe8365cba4549f9f58b003336cac8173326c

          SHA256

          0c4e4a8254b22e83a686b30a5b4ddb68e5ac5a9059151dd575197805a276d34f

          SHA512

          cae9968fe3e05a2270cb0eed39ca75fabb40991be22cd00b49a77e2a7088296d054390aa2cb52d20e847f60a3626a74f7bb9740667b0ada9c0591625f385004c

          Download Submit

        • \??\c:\windows\system\explorer.exe
          Filesize

          65KB

          MD5

          638c14db6b673a28c28ef194a04273a6

          SHA1

          7bc8c5b59c1e3832b55c5f2cd1a2c9c6bedfa7e0

          SHA256

          67fa1c9930321378026856833007854bc78561d38f87dc1072a410e4144f455f

          SHA512

          505952bcb9d17ce344da5a4dca554618b8ac49ed55abe9f2f8c2c0df94913eadc2dd7d3846ca4d7e11d1914c42da3100e4fb3c6938a359493b44561b7325761e

          Download Submit

        • \Windows\system\spoolsv.exe
          Filesize

          65KB

          MD5

          6e87f3b24c28551a713daa3fb07e571d

          SHA1

          1ac7d839983f6675ba5357427b031ebc0db8bc7c

          SHA256

          a7bdd0f959cfe198c9aae36c06eca8b48daa583d2896ff7d5e743cb151483977

          SHA512

          afcab7d259837d7a957f7c0b0ac79936a94a4a30d96fbb37ca3fc84755da30dfa1aebbfac895a00878bb404f97f1b8374ebc04764852fda43d75e8853e3c63d5

          Download Submit

        • memory/1028-1-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1028-17-0x0000000003140000-0x0000000003171000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1028-2-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1028-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1028-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1028-77-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1028-76-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1028-18-0x0000000003140000-0x0000000003171000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1028-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2520-71-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2520-65-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2760-20-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2760-24-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2760-79-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2760-90-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2760-19-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2760-31-0x0000000003140000-0x0000000003171000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2776-53-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2776-59-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2776-57-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2776-81-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2776-56-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2828-42-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2828-75-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2828-37-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download