Overview

overview

10

Static

static

3

6fddec5d8f...30.exe

windows7-x64

10

6fddec5d8f...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/06/2024, 03:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fddec5d8fc66bcf441e99b2a3be8830.exe

  • Size

    65KB

  • MD5

    6fddec5d8fc66bcf441e99b2a3be8830

  • SHA1

    a23f13a250c72c7e033accffcad88c5e3bab5ab4

  • SHA256

    d0203818d3d8b32bf5a293d29cb4fef1ccfe0502ca8207977dd70430306f2121

  • SHA512

    f4fe79af6cf7836406f6243338ab0f949cfc8ab551a15adc685dd15fb288ce2a037a7c4daf56b80e19e4acbcfc64d1d4695df391c671a8037e1da52a636387ed

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ouh:7WNqkOJWmo1HpM0MkTUmuh

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fddec5d8fc66bcf441e99b2a3be8830.exe
    "C:\Users\Admin\AppData\Local\Temp\6fddec5d8fc66bcf441e99b2a3be8830.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3840
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3324
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4452
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1848
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1780
          • C:\Windows\SysWOW64\at.exe
            at 03:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2548
            • C:\Windows\SysWOW64\at.exe
              at 03:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2592
              • C:\Windows\SysWOW64\at.exe
                at 03:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3512

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          940182f4963f0f640f79226beedc83be

          SHA1

          f1f77c7eb374a4ab9f6c874640ed39e954a88b06

          SHA256

          2adedfff0d9319d2640505fe3498bb0d0b03a9e96335e436f35c13e72e419a9f

          SHA512

          71ee3273594f806fba81dfbf8d5ba696b8448114fc334fcd0038586c41e4e6d420fa46d31bbf425caa179cbac25c894277d8f8fcc23657391ec93be0564fa86d

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          65KB

          MD5

          3c85f2392b21c3eb538d7ddde76c8f57

          SHA1

          9526a1583f35198de6bb43726c5b59b372bb8207

          SHA256

          21d82ea0113bd0ee6a12d273b6792bc9fb342ca9b2657e08220a4074e034acaa

          SHA512

          d7850a891b8634904212b93d1579edf05b51f72d43518564d92ad2fb6a8e342c5e787f015b6b96091f9528e821fd8f312ef792b4808c77847931953af726715e

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          65KB

          MD5

          bf776ae15bdd8a2589d9cc160ac078eb

          SHA1

          f7e0324a5fb0878c5a3dfe23b7841299fada9d25

          SHA256

          efd558ff1ecfda6b7f71cacfab80c6579492f59ce3a1e353a5fc02bd8fa4cf7d

          SHA512

          aaca69ad7f030f6b541337280aab4ee5665fe7f925c57eb84491f2998143e50374ad96f1687a402e9747f6b4788df8487c5a1aa38c464867a165a600ef4091eb

          Download Submit

        • \??\c:\windows\system\explorer.exe
          Filesize

          65KB

          MD5

          75c539915a382a3dda9016792c1da52f

          SHA1

          e346e524e9c82b810427b42157f71c5f12de5cb0

          SHA256

          87c7102d57192a20ada1a4a4a994b09e8d9ebe3906b6177c235e0ee7005bdb67

          SHA512

          51469da1c4cc1f62965373e8c13469979ea1d422074409c56c096c4d5bdb217b40ce4682475a1803b52e47d61234a132aaf3b25b8b878abfb83f94aceb18e061

          Download Submit

        • memory/1780-45-0x00000000750B0000-0x000000007520D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1780-54-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1780-46-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1848-63-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1848-39-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1848-37-0x00000000750B0000-0x000000007520D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3324-18-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3324-61-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3324-72-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3324-12-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3324-14-0x00000000750B0000-0x000000007520D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3840-44-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/3840-5-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/3840-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/3840-2-0x00000000750B0000-0x000000007520D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3840-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3840-59-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/3840-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3840-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4452-30-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4452-26-0x00000000750B0000-0x000000007520D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4452-25-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4452-56-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download