Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
13-06-2024 22:08
General
-
Target
4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e.exe
-
Size
65KB
-
MD5
70c35d668d0506e94a29f3cd95c3687a
-
SHA1
2d460c83d5d6fe3835ca595ce35b420b3b90443d
-
SHA256
4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e
-
SHA512
609837bf04451f65a072ecede018f99ef71fb696e6323b1542d6dc5fba28aeffbe13ce2864dc8bdd3fe935b4405fe73e3c8ede64e41d47dcbef3b28466812a64
-
SSDEEP
1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuWppppppppppppppppppq:7WNqkOJWmo1HpM0MkTUmup
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e.exe"C:\Users\Admin\AppData\Local\Temp\4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 22:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Windows\SysWOW64\at.exeat 22:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Windows\SysWOW64\at.exeat 22:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\mrsys.exeFilesize
65KB
MD57b1eb5e40eb090b6883c667152fb7910
SHA12a9d815b6354b7cd28434a0801e25e89dfc88e33
SHA256bf51abb0835af61962e127020009f5cfa9075b489ea3f7c885c38ee4458d07ea
SHA512d59566db6ebb253576db51da86baba5ef3eebe4c0f5414d99c9f24c3c0168b27c7b19410e830220872ae104680b3715fbd1c27007bbb698f5636b4ad73b20314
-
C:\Windows\System\explorer.exeFilesize
65KB
MD5a5c4f007ed066cd3a3be49449f262d73
SHA14fca605b70c767e465879f09cbc91b6f41924a4e
SHA2569a4b1b367248e118aeac3fab6c62dd08ac05c967a8bbe47fe0954b6a68242c79
SHA51291f4322e7c5cf69fb6559b4199c920b91d18d9b9d5ac6dd5b3e47484cc541df481719d0d514aad48845ea463456770f4a789f6a1089435894b8ce8544756259b
-
C:\Windows\System\spoolsv.exeFilesize
65KB
MD55c3e728f1b50ecb00507d20685634e52
SHA113e056ba82edcaf43be0313f250b85e0b0273bf0
SHA2569c5f0f661ee1049f8e4b8655e70e3ece6be9659acdea82ddc8091fdc93ddf27c
SHA51234eecd7d5aa9fe97538e8996f35a80c1e504e61067a4a51c7dc1010c4c169d5634416724d8de5eebf3c76ff3022c75ff79e6e978b6b8411414952b1f057d30fa
-
C:\Windows\System\svchost.exeFilesize
65KB
MD5c3d6909e4855d9bdf1c2b5642f193143
SHA195741ffbefc9e2fb046b1a6a3bd508ccd301e8e6
SHA256368c12ee5a01e241defd29e94dd0a665f585d2f72f30800a00b05f5f31eb4e08
SHA5121bf11dc54797a26f05507b433149683c02d2a36b84e6195867885d6dcea146b7d4c5348b374187c78dbe03e46a1f36fe968414096b5dbb64cfe82bcccd3e55ea
-
memory/1028-63-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/1028-43-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/1028-37-0x00000000755F0000-0x000000007574D000-memory.dmpFilesize
1.4MB
-
memory/1028-42-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2904-14-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2904-18-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2904-13-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2904-15-0x00000000755F0000-0x000000007574D000-memory.dmpFilesize
1.4MB
-
memory/2904-61-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2904-72-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/3032-31-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/3032-26-0x00000000755F0000-0x000000007574D000-memory.dmpFilesize
1.4MB
-
memory/3032-56-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/3448-0-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/3448-45-0x00000000001C0000-0x00000000001C4000-memory.dmpFilesize
16KB
-
memory/3448-60-0x0000000000401000-0x000000000042E000-memory.dmpFilesize
180KB
-
memory/3448-59-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/3448-2-0x00000000755F0000-0x000000007574D000-memory.dmpFilesize
1.4MB
-
memory/3448-5-0x0000000000401000-0x000000000042E000-memory.dmpFilesize
180KB
-
memory/3448-3-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/3448-1-0x00000000001C0000-0x00000000001C4000-memory.dmpFilesize
16KB
-
memory/3724-46-0x00000000755F0000-0x000000007574D000-memory.dmpFilesize
1.4MB
-
memory/3724-52-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB