Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 22:49

General

  • Target

    51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe

  • Size

    65KB

  • MD5

    398dd1e0b169bd264f59437fcdc8ce96

  • SHA1

    323f022e6b734875afa6f74e5765787092dc6717

  • SHA256

    51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870

  • SHA512

    6c89d4ae1b20660e8a7c460395290698bc6fc10a9ab564ff8c0948f725f7897ced02121a968e7c75d0fca2f4647ee1b00a68b007740e583f7be3797a873f8518

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuF:7WNqkOJWmo1HpM0MkTUmuF

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe
    "C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1424
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:816
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2004
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3228
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4788
          • C:\Windows\SysWOW64\at.exe
            at 22:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:3276
            • C:\Windows\SysWOW64\at.exe
              at 22:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:568
              • C:\Windows\SysWOW64\at.exe
                at 22:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4332
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4024 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:3704

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution (3) T1547
      • Registry Run Keys / Startup Folder (2) T1547.001
      • Winlogon Helper DLL (1) T1547.004
  • Privilege Escalation
    • Boot or Logon Autostart Execution (3) T1547
      • Registry Run Keys / Startup Folder (2) T1547.001
      • Winlogon Helper DLL (1) T1547.004
  • Defense Evasion
    • Modify Registry (4) T1112
    • Hide Artifacts (1) T1564
      • Hidden Files and Directories (1) T1564.001
  • Discovery
    • System Information Discovery (1) T1082


Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize: 65KB
    MD5: 9e6b1c19ce222b1ef9478486ddc8b4d2
    SHA1: 55f22d8cba77af269ce3186582835790180c0ce3
    SHA256: ba3161f698581fab77ec1c5f4bb87f354c6ca16513cbe76eadf2afc2d9615ba5
    SHA512: a9295b89e9788f2623741bdc0e7f87b4406c6f27970f9c83cd0f3cb4d2f6df4a8b3b76ae4ed969f9bfb7269078597ed3383c32155099e8f9e3d8aa684ea34073

  • C:\Windows\System\explorer.exe
    Filesize: 65KB
    MD5: 2f1c660eae189a2b14806e59906e0bf8
    SHA1: 786861354f4983e0cd501f4cd597048eae031f20
    SHA256: d340d5dfaa5d9af4fa137241fe105a5ac1d4b9f3e400026fe60ed9aa0a4bf4f9
    SHA512: 711f4027d59d3895e7ef70c5fbea1f5711f0637050f795f9d9f43572cc91936ebf0424a38c2b8c8e718d6f83312fa45e270adc6d3950970a0752754c74b09b17

  • C:\Windows\System\spoolsv.exe
    Filesize: 65KB
    MD5: d739877da042b07d851865a11711b8d9
    SHA1: 85f6ece84364738bab9b0a05675c9ea5a519508e
    SHA256: c8021e4dfd69349c7c71a1e09c395a419c7642d9509ee8e8a40376ddd0e7aa49
    SHA512: 3a3cad3531e52ce56a1a4e3f9964f92b707afca22d2d2e4739cca2bd938cf02a8bdffdf92630b49391cbfb7dfea6f75636ba84195a7c1d7ae5cf5edb9f5d8af2

  • C:\Windows\System\svchost.exe
    Filesize: 65KB
    MD5: 1fa376fc91ae42dc9785449116a39e4f
    SHA1: af1e1d14c4fa5e9177d67e7e64d826d00adfc620
    SHA256: eb849d2b2682b78ed400b795bc4d6b3ea33d0fd1c2ff255563632f8d1b7d5d05
    SHA512: b8a5bafefc01357cacc7474c9dea71ee085a550baf4d2438593c06f8e8074a4aebddbbd085bca0987c187a83a0e48f0a5d60c01ebfa78fde8ee6dc379be99133

  • \??\PIPE\atsvc
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/816-73-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/816-60-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/816-13-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/816-14-0x0000000075480000-0x00000000755DD000-memory.dmp (Filesize: 1.4MB)
  • memory/816-16-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/1424-36-0x00000000001C0000-0x00000000001C4000-memory.dmp (Filesize: 16KB)
  • memory/1424-57-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/1424-1-0x00000000001C0000-0x00000000001C4000-memory.dmp (Filesize: 16KB)
  • memory/1424-0-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/1424-3-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/1424-43-0x0000000000401000-0x000000000042E000-memory.dmp (Filesize: 180KB)
  • memory/1424-46-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/1424-2-0x0000000075480000-0x00000000755DD000-memory.dmp (Filesize: 1.4MB)
  • memory/1424-4-0x0000000000401000-0x000000000042E000-memory.dmp (Filesize: 180KB)
  • memory/1424-58-0x0000000000401000-0x000000000042E000-memory.dmp (Filesize: 180KB)
  • memory/2004-25-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/2004-26-0x0000000075480000-0x00000000755DD000-memory.dmp (Filesize: 1.4MB)
  • memory/2004-55-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/3228-38-0x0000000075480000-0x00000000755DD000-memory.dmp (Filesize: 1.4MB)
  • memory/3228-62-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/3228-44-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/3228-37-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/4788-52-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/4788-47-0x0000000075480000-0x00000000755DD000-memory.dmp (Filesize: 1.4MB)