Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/06/2024, 19:21

General

  • Target
    1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe
  • Size
    206KB
  • MD5
    57eb5252c1c32b79c0a8a159d3746ed4
  • SHA1
    363a253435345172a4e93e2e9b5e697bd9026f33
  • SHA256
    1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a
  • SHA512
    12e01bb5e4cd0778ddfeb89a49cfc01459d99a8607798c09d037abd754397d0a02f80acf30a6ac7069b1b58219328ca799a2e854cf50bcd31a768eed5ff2cccc
  • SSDEEP
    3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unl:zvEN2U+T6i5LirrllHy4HUcMQY6e

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe
    "C:\Users\Admin\AppData\Local\Temp\1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:660
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4684
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:228
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3096
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1020
          • C:\Windows\SysWOW64\at.exe
            at 19:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:3192
          • C:\Windows\SysWOW64\at.exe
            at 19:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2368
          • C:\Windows\SysWOW64\at.exe
            at 19:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:4920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize: 206KB
    MD5: 60b1e4a99f9ee8cd07716d6b32a91e52
    SHA1: 417a175eeeac903996a211d240bffae2f73e0eff
    SHA256: ce3957ac48f97b53c3ae5ccc5daa94ccaace61a8135e1b436267e541c44dfc53
    SHA512: 60eab100e58e9bd62f1813255e995276b55c6ce67d42e4e93cac9a223f5177067bd8fd1b51c064951079819bb7dd2f8b49aaaeea8031e18c3f11fbb21357fe67

  • C:\Windows\System\explorer.exe
    Filesize: 206KB
    MD5: 1706d41c83bd64b9418556a19103d8f8
    SHA1: 3e3300bda56334fb748012bca2249627bd69f547
    SHA256: bea2ae76e8dcd85b37a8a488fb9ab7244990a1ef8ef230ed7045e73f8423694f
    SHA512: fedab1cd815405c0a1d61a67179d51e6bc98504c63360204e346534444d499970bd79b6aaeb43867ccfd0644e662039e9b986b080160a23416d66f73a2659e92

  • C:\Windows\System\spoolsv.exe
    Filesize: 206KB
    MD5: 8871f8beb923c7b876c1a4353ef068ca
    SHA1: 0ca0144d110dfd603ad15b88524ab0f023fe9eff
    SHA256: 19d21ea5d3b3d74d5c6e52937563ee1b47fe4c9178bb382e0fec1d147d65dc53
    SHA512: 7b2155cf7a0133535a9250b6f142b435095d5e4bb43fa1e0f6d8ceed9753837b1567faf7eced2a5607cf92b739cedeac35bfbee5446fed414cab1c47d6ad7826

  • C:\Windows\System\svchost.exe
    Filesize: 206KB
    MD5: 319fcd2ed675b288db8655ce6af91888
    SHA1: a3d11bf004c1c89c721cf70dc81efff8c4ac602e
    SHA256: 88477e3759562afc090b1141d16935177b713e466fc08815dbc69ffb9a3f3abb
    SHA512: cdd796353da123ccccba9e3e3e8ec87a6ded399707529a2fddc9d84130279633a3f1b6ca85461f5d231899a5e1b4d8b5a33896025d5aff519689d783655bfecc