Overview

overview

10

Static

static

3

3fc8084e72...b6.exe

windows7-x64

10

3fc8084e72...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-06-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe

  • Size

    66KB

  • MD5

    23aa9b9c01f9b6a3c5661b2dc652cb2e

  • SHA1

    d0ba8f8db0654ddeff99e7885fdc7a2972a3a4ee

  • SHA256

    3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6

  • SHA512

    63871b0cee982464fc37b48ea1365e6203ccdf19df21091c44e05ccb0b4dd22b73921b548a2158e553c5f920ab91f99a13a90e3df291919ec8c6b515ecb05669

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiP:IeklMMYJhqezw/pXzH9iP

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe
    "C:\Users\Admin\AppData\Local\Temp\3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:776
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1148
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3708
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4796
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3336
          • C:\Windows\SysWOW64\at.exe
            at 22:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:3692
            • C:\Windows\SysWOW64\at.exe
              at 22:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:3768
              • C:\Windows\SysWOW64\at.exe
                at 22:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3904

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        3
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Privilege Escalation

        Boot or Logon Autostart Execution

        3
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Defense Evasion

        Modify Registry

        4
        T1112

        Hide Artifacts

        1
        T1564

        Hidden Files and Directories

        1
        T1564.001

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          f9b7fa0df8d5733c9263c5c1b814a176

          SHA1

          6889f6be650c1f7a54281ba7395c33772af0cf90

          SHA256

          5e06b17108ca13f58e48d44579e079e37e59225b38d28d93af43baaed523b5a3

          SHA512

          668800ab987c629c7e8031422629bcf41a7b8212370e664b28240113e55c8a2776e3732a5e44222b1a3553e42c236abd4bed2ad8fcd7941083db0090e0f42731

          Download Submit
        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          bf76efcb7bbcd3ff384fc1ed610518d7

          SHA1

          4508afa56589e927d620ba693e0794304387b5bb

          SHA256

          502efb2a63915d795e598624b2e5273903fe490af83bb787078ce7d3edb185e4

          SHA512

          f3b17b2009a47a8aa505a7e18767aa994e089bdc130c563b38538be2c84bb26dfab79617ae51ec583010b96663ba7106e4b707adcbdd897a3e3de20006be6b28

          Download Submit
        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          0aa9e11fbc50df051841825cbb763621

          SHA1

          56b4fc1bb243ea2acb21143186080be9ccd78644

          SHA256

          cfe0d9e6c215c0b515ce08eade8a21eeb299ce0ef5e8f302926be60cda3dc186

          SHA512

          28ddc62aa6e1e426b55f4a5c179aba238afc6b39dad1c76b967ff9ddfb8e1f989fbe8deb316d5297257c5f2598ef2ef5f8866465af8a01384a6fb29ecfc6a1b2

          Download Submit
        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          5da64f42a4646c6d1d7f057a74b8cb98

          SHA1

          fa9a72111b010387f19b6cb8e6a67febb0d10977

          SHA256

          1f6b18de15b273dd5e532c8f446d32fe1f55361e3d98dbbcf2eb51b48cbf1819

          SHA512

          9f53c457e91afc41fb55be8863e4a40d180bba7c534838576d963ead829c4b2f5d9bcdc28044e1a6a599909e8d89e59cbf9084bdb17532dd74bbbb7eead1092b

          Download Submit
        • \??\PIPE\atsvc
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          Download Submit
        • memory/776-5-0x0000000000401000-0x000000000042E000-memory.dmp
          Filesize

          180KB

          Download
        • memory/776-57-0x0000000000401000-0x000000000042E000-memory.dmp
          Filesize

          180KB

          Download
        • memory/776-2-0x00000000750B0000-0x000000007520D000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/776-0-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/776-3-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/776-1-0x00000000001C0000-0x00000000001C4000-memory.dmp
          Filesize

          16KB

          Download
        • memory/776-56-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1148-15-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1148-13-0x00000000750B0000-0x000000007520D000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1148-69-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1148-59-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/3336-44-0x00000000750B0000-0x000000007520D000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3336-50-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/3708-26-0x00000000750B0000-0x000000007520D000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3708-54-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/3708-30-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/3708-24-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/3708-25-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/4796-42-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/4796-37-0x00000000750B0000-0x000000007520D000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/4796-60-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download