Overview

overview

10

Static

static

3

04d389168d...7d.exe

windows7-x64

10

04d389168d...7d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/06/2024, 18:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d.exe

  • Size

    66KB

  • MD5

    3e2428db2164bb359d7c6f4d6245bd85

  • SHA1

    5f0f3bfdd00b08e98011597e179b9f58fd510b81

  • SHA256

    04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d

  • SHA512

    0a88545e7755eac6be3ef832b2bd6f76c12e9a97e01bd57729618fb0ce519c9d163b1c277d8809dbfc4dbb46dde433b61dcc0992c5a887e77539a18adbe73c13

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXih:IeklMMYJhqezw/pXzH9ih

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d.exe
    "C:\Users\Admin\AppData\Local\Temp\04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1320
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4668
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5088
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3504
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3780
          • C:\Windows\SysWOW64\at.exe
            at 18:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:220
            • C:\Windows\SysWOW64\at.exe
              at 18:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2360
              • C:\Windows\SysWOW64\at.exe
                at 18:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3688

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          e4bd8d1593601caf3455d2b551cc5edf

          SHA1

          e01684ff472ddd220ffcd528913ea55db36b9e03

          SHA256

          6eb241d40f3111f2aca31036e38067264c6cb2ee8bf636ab11d3145213bfd9df

          SHA512

          080b980f8ae7270f8dbab9e8510292a6e3e7fe0bfca1ae743522319195360ca088a91fa0bdbae95fec6b012fd5e55fa2e591bd18d8af1f934d924426d4e8501c

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          cb2ccf25a43c16cdbc26c248656dba83

          SHA1

          eca8c07ac2b4b1000d6a9bf7ac88792fbe5a70fb

          SHA256

          1e45e6e3d35dee1facecf9e722b132d98eda97476b1eb1f028044f53a8d9463a

          SHA512

          76e98d9b6996743e13657b659b17b4ff6e01b32b1dbaedfe77223e7e5da27e942edd042a459ca1d4a66cb9549a629d96f08b5abbe161c930fe4ba3fa4f5fd8e7

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          605c02b38466ab742684dc859dc65cfa

          SHA1

          cace3e72eea2cebe22b0fe341c2bbdee40c2ac28

          SHA256

          9c412c1c3a37076e5a04a22722c002908895c9511a3f2a9495ddffd2fdd4003d

          SHA512

          6d9d6aac2dd057210a3a4102e1347101ed7f64718c5d62f3f6be454ce1e88824e433476104301c41a4242a8ec2a9af127dbb2f09daafb5311f0260f01cf0962a

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          88e86a9dd6295f3d361207d481be7673

          SHA1

          021583a3fd82b1daea11062ca4af039665316ec0

          SHA256

          da558d94cdbdd89a8432a0da3e31d8869f667e24c7bd07224268a36f99fa4e92

          SHA512

          4ac2d57bf145e8b1765b5de74dfbc313cb11112e7f94de560f2220812c0b3540491f4a2af7f33fbeb85851a1a5da710628e9f4019b94f37caec60b54c70858d9

          Download Submit

        • memory/1320-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1320-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1320-2-0x0000000074FE0000-0x000000007513D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1320-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1320-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1320-56-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1320-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3504-35-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3504-36-0x0000000074FE0000-0x000000007513D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3504-40-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3504-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3780-43-0x0000000074FE0000-0x000000007513D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3780-49-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4668-15-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4668-13-0x0000000074FE0000-0x000000007513D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4668-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4668-69-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5088-24-0x0000000074FE0000-0x000000007513D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/5088-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5088-26-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download