Overview

overview

10

Static

static

3

ce8d09b560...ab.exe

windows7-x64

10

ce8d09b560...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    12-06-2024 04:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce8d09b56030a10bf42dadcea1297c899133a4817c360bc9a4c5e7bd38077dab.exe

  • Size

    66KB

  • MD5

    147349cb633169a528f55d4ee713449c

  • SHA1

    6a96814c65361b0243dae01a5df960d9cdfc130d

  • SHA256

    ce8d09b56030a10bf42dadcea1297c899133a4817c360bc9a4c5e7bd38077dab

  • SHA512

    b36d2a1bf117ba3742e177d3935cd722629607c8a5474e77f18ecd971dae93a58a21a7aad87308ba939a9d4d7a9de4121295b691f500fad1b2b6f66859a8e7ea

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi0:IeklMMYJhqezw/pXzH9i0

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce8d09b56030a10bf42dadcea1297c899133a4817c360bc9a4c5e7bd38077dab.exe
    "C:\Users\Admin\AppData\Local\Temp\ce8d09b56030a10bf42dadcea1297c899133a4817c360bc9a4c5e7bd38077dab.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2340
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3052
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2660
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2808
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2220
          • C:\Windows\SysWOW64\at.exe
            at 04:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2904
            • C:\Windows\SysWOW64\at.exe
              at 04:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1532
              • C:\Windows\SysWOW64\at.exe
                at 04:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:924

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          8d4ffc1349abd6e20f8cd37534ed2677

          SHA1

          c5f97e3fe37659196e5aa07e1f631526042150c3

          SHA256

          e54a579033d7557ea169d2712cf3b5be3fb24839fa64c9399e7b1f2dba8720f2

          SHA512

          b46588660c4bc792c3d533dd172169900aa1bebd2fa902129b9a977e0f79a273fec777d055f8cb319d52bf00d4c9e3ac9cbb3bf951f7fec5c7ee1166a9a1406e

          Download Submit

        • \Windows\system\explorer.exe
          Filesize

          66KB

          MD5

          4f0a5a17178267e934d723f1dbbd79b3

          SHA1

          6e6477f33ece1705287c3dee890701097dea4294

          SHA256

          935ef400698645d0d19e09fea19b0b483de89e2aa20419f4b8ae947defcf8ba8

          SHA512

          1680f9b27b3050aa145bbe417099decfece339124804413a7580ebeccdd899f18d58f87da5c348770323df6b2adc2ec9e1c335376e579fa2b5b4c2311e1297d6

          Download Submit

        • \Windows\system\spoolsv.exe
          Filesize

          66KB

          MD5

          27b51b92a303d35d1e4bbd5b758f2655

          SHA1

          075887862c20640b50346d192a917c8764de4082

          SHA256

          5000b49dfbb36769ec518fdc0e4084d6b0d95035be4cebb081a5a1e425736d16

          SHA512

          35899d10a7ba33f3a4419c6a81355c0981a3ed02d1430fa021c76da7cc899efd90f4025b0bdaa60e1911f5647f5b4e6392246783a7d5cc4172005da2389eeb36

          Download Submit

        • \Windows\system\svchost.exe
          Filesize

          66KB

          MD5

          121bf0c32cdb562438ea09487e4fedd4

          SHA1

          9cec1f804bdb926382e30af96c30f4426344b7c9

          SHA256

          5203e566bf9b2d73fca5a729c12922fc2f03f2ff3560c90a621646a0c08b5819

          SHA512

          24edd30a44719f680c3fa368380bde37cdae78a9bc41fc26ae907c32e06289a06ac5ba31b0316e9a44d1631c580e7a7f3c97b6478110788fc071e2dd840bf634

          Download Submit

        • memory/2220-69-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2220-75-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2340-2-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2340-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2340-80-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2340-17-0x0000000002C80000-0x0000000002CB1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2340-16-0x0000000002C80000-0x0000000002CB1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2340-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2340-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2340-79-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2340-1-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2340-66-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2660-37-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2660-42-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2660-54-0x0000000002AE0000-0x0000000002B11000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2660-38-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2808-61-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2808-68-0x00000000025F0000-0x0000000002621000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2808-67-0x00000000025F0000-0x0000000002621000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2808-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2808-56-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2808-84-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3052-35-0x0000000001EF0000-0x0000000001F21000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3052-36-0x0000000001EF0000-0x0000000001F21000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3052-19-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3052-21-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3052-82-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3052-93-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download