Analysis

- max time kernel: 150s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/06/2024, 03:20
Static task: static1

Behavioral task: behavioral1
- Sample: 6fddec5d8fc66bcf441e99b2a3be8830.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 6fddec5d8fc66bcf441e99b2a3be8830.exe
- Resource: win10v2004-20240508-en
General

- Target: 6fddec5d8fc66bcf441e99b2a3be8830.exe
- Size: 65KB
- MD5: 6fddec5d8fc66bcf441e99b2a3be8830
- SHA1: a23f13a250c72c7e033accffcad88c5e3bab5ab4
- SHA256: d0203818d3d8b32bf5a293d29cb4fef1ccfe0502ca8207977dd70430306f2121
- SHA512: f4fe79af6cf7836406f6243338ab0f949cfc8ab551a15adc685dd15fb288ce2a037a7c4daf56b80e19e4acbcfc64d1d4695df391c671a8037e1da52a636387ed
- SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ouh:7WNqkOJWmo1HpM0MkTUmuh
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe

Executes dropped EXE (4 IoCs)
pid | process
- 3324 | explorer.exe
- 4452 | spoolsv.exe
- 1848 | svchost.exe
- 1780 | spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe

Drops file in Windows directory (6 IoCs)
description | ioc | process
- File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
- File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\explorer.exe | 6fddec5d8fc66bcf441e99b2a3be8830.exe
- File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
- File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process (64 repeated enumeration events, all from these three processes)
- 3840 | 6fddec5d8fc66bcf441e99b2a3be8830.exe
- 3324 | explorer.exe
- 1848 | svchost.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | process
- 3324 | explorer.exe
- 1848 | svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | process (in the order reported, two events each)
- 3840 | 6fddec5d8fc66bcf441e99b2a3be8830.exe (x2)
- 3324 | explorer.exe (x2)
- 4452 | spoolsv.exe (x2)
- 1848 | svchost.exe (x2)
- 1780 | spoolsv.exe (x2)
- 3324 | explorer.exe (x2)

Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | process | procid_target (each relation reported three times)
- PID 3840 wrote to memory of 3324 | 3840 | 6fddec5d8fc66bcf441e99b2a3be8830.exe | 81 (x3)
- PID 3324 wrote to memory of 4452 | 3324 | explorer.exe | 83 (x3)
- PID 4452 wrote to memory of 1848 | 4452 | spoolsv.exe | 85 (x3)
- PID 1848 wrote to memory of 1780 | 1848 | svchost.exe | 86 (x3)
- PID 1848 wrote to memory of 2548 | 1848 | svchost.exe | 88 (x3)
- PID 1848 wrote to memory of 2592 | 1848 | svchost.exe | 98 (x3)
- PID 1848 wrote to memory of 3512 | 1848 | svchost.exe | 100 (x3)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\6fddec5d8fc66bcf441e99b2a3be8830.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6fddec5d8fc66bcf441e99b2a3be8830.exe"
    PID: 3840
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\windows\system\explorer.exe
        Command line: c:\windows\system\explorer.exe
        PID: 3324
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 4452
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] \??\c:\windows\system\svchost.exe
                Command line: c:\windows\system\svchost.exe
                PID: 1848
                - Modifies WinLogon for persistence
                - Modifies visibility of hidden/system files in Explorer
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] \??\c:\windows\system\spoolsv.exe
                    Command line: c:\windows\system\spoolsv.exe PR
                    PID: 1780
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx

                [5] C:\Windows\SysWOW64\at.exe
                    Command line: at 03:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 2548

                [5] C:\Windows\SysWOW64\at.exe
                    Command line: at 03:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 2592

                [5] C:\Windows\SysWOW64\at.exe
                    Command line: at 03:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 3512
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads