Analysis

Max time kernel: 150s
Max time network: 128s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 10/06/2024, 14:51
Static task: static1

Behavioral task: behavioral1
  Sample: 933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe
  Resource: win10v2004-20240426-en
General

Target: 933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe
Size: 66KB
MD5: 766daa59bb63db8c6743ea35e10ee3bf
SHA1: 73e4b640c09ea9a74604422b6524f9cada87465d
SHA256: 933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071
SHA512: 86952fe8682bec94f5db178c4a5ebf294ac14ae4da28f54b7fcb4b73bbd4d159a7943237776fa616b0da4d5cee9647e1f6f4ab847f0112f029e9ecdcb32cb659
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXis:IeklMMYJhqezw/pXzH9is
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Executes dropped EXE (4 IoCs)
  pid | process
  2492 | explorer.exe
  2524 | spoolsv.exe
  2428 | svchost.exe
  2476 | spoolsv.exe
Loads dropped DLL (8 IoCs)
  pid | process
  1784 | 933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe
  1784 | 933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe
  2492 | explorer.exe
  2492 | explorer.exe
  2524 | spoolsv.exe
  2524 | spoolsv.exe
  2428 | svchost.exe
  2428 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
  description | ioc | process
  File opened for modification | \??\c:\windows\system\explorer.exe | 933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  1784 | 933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe
  2492 | explorer.exe
  2428 | svchost.exe
  (The report lists 64 pid/process entries; only the three distinct rows are shown here, with explorer.exe and svchost.exe recurring alternately for the remainder of the table.)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | process
  2492 | explorer.exe
  2428 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | process
  1784 | 933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe
  1784 | 933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe
  2492 | explorer.exe
  2492 | explorer.exe
  2524 | spoolsv.exe
  2524 | spoolsv.exe
  2428 | svchost.exe
  2428 | svchost.exe
  2476 | spoolsv.exe
  2476 | spoolsv.exe
  2492 | explorer.exe
  2492 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | process | procid_target
  PID 1784 wrote to memory of 2492 | 1784 | 933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe | 28
  PID 2492 wrote to memory of 2524 | 2492 | explorer.exe | 29
  PID 2524 wrote to memory of 2428 | 2524 | spoolsv.exe | 30
  PID 2428 wrote to memory of 2476 | 2428 | svchost.exe | 31
  PID 2428 wrote to memory of 760 | 2428 | svchost.exe | 32
  PID 2428 wrote to memory of 1448 | 2428 | svchost.exe | 36
  PID 2428 wrote to memory of 2272 | 2428 | svchost.exe | 38
  (Each of the seven rows above appears four times in the report, giving the 28 entries in total.)
Processes

Indentation shows the parent/child relationship; the bracketed number is the depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe"
    PID: 1784
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\windows\system\explorer.exe
        Command line: c:\windows\system\explorer.exe
        PID: 2492
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 2524
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] \??\c:\windows\system\svchost.exe
                Command line: c:\windows\system\svchost.exe
                PID: 2428
                - Modifies WinLogon for persistence
                - Modifies visibility of hidden/system files in Explorer
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Loads dropped DLL
                - Adds Run key to start application
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] \??\c:\windows\system\spoolsv.exe
                    Command line: c:\windows\system\spoolsv.exe PR
                    PID: 2476
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx

                [5] C:\Windows\SysWOW64\at.exe
                    Command line: at 14:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 760

                [5] C:\Windows\SysWOW64\at.exe
                    Command line: at 14:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 1448

                [5] C:\Windows\SysWOW64\at.exe
                    Command line: at 14:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 2272
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads