Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
14-06-2024 02:03
Static task
static1
Behavioral task
behavioral1
Sample
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe
Resource
win10v2004-20240611-en
General
-
Target
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe
-
Size
65KB
-
MD5
c53fa85582f85ce804c246badb499ea4
-
SHA1
4760927447e6acc5c6cc77d58ef68a3a11f4ba86
-
SHA256
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa
-
SHA512
e09af3fd843e3d621efff48e3b824bad2678024fc4deb4cc022d55b527b6028294f48e7f4e6f0cd87756631a444037d855db2f562e4ab1735a1f83ef4a01e394
-
SSDEEP
1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ou1:7WNqkOJWmo1HpM0MkTUmu1
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" svchost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Modifies Installed Components in the registry 2 TTPs 8 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe -
Executes dropped EXE 4 IoCs
Processes:
explorer.exespoolsv.exesvchost.exespoolsv.exepid process 2912 explorer.exe 2584 spoolsv.exe 2708 svchost.exe 2496 spoolsv.exe -
Loads dropped DLL 8 IoCs
Processes:
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exeexplorer.exespoolsv.exesvchost.exepid process 2180 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe 2180 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe 2912 explorer.exe 2912 explorer.exe 2584 spoolsv.exe 2584 spoolsv.exe 2708 svchost.exe 2708 svchost.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe -
Drops file in Windows directory 6 IoCs
Processes:
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exeexplorer.exespoolsv.exesvchost.exedescription ioc process File opened for modification \??\c:\windows\system\explorer.exe a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe svchost.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exeexplorer.exesvchost.exepid process 2180 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe 2912 explorer.exe 2912 explorer.exe 2912 explorer.exe 2912 explorer.exe 2708 svchost.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe 2708 svchost.exe 2912 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
explorer.exesvchost.exepid process 2912 explorer.exe 2708 svchost.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 2180 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe 2180 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe 2912 explorer.exe 2912 explorer.exe 2584 spoolsv.exe 2584 spoolsv.exe 2708 svchost.exe 2708 svchost.exe 2496 spoolsv.exe 2496 spoolsv.exe 2912 explorer.exe 2912 explorer.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exeexplorer.exespoolsv.exesvchost.exedescription pid process target process PID 2180 wrote to memory of 2912 2180 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe explorer.exe PID 2180 wrote to memory of 2912 2180 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe explorer.exe PID 2180 wrote to memory of 2912 2180 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe explorer.exe PID 2180 wrote to memory of 2912 2180 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe explorer.exe PID 2912 wrote to memory of 2584 2912 explorer.exe spoolsv.exe PID 2912 wrote to memory of 2584 2912 explorer.exe spoolsv.exe PID 2912 wrote to memory of 2584 2912 explorer.exe spoolsv.exe PID 2912 wrote to memory of 2584 2912 explorer.exe spoolsv.exe PID 2584 wrote to memory of 2708 2584 spoolsv.exe svchost.exe PID 2584 wrote to memory of 2708 2584 spoolsv.exe svchost.exe PID 2584 wrote to memory of 2708 2584 spoolsv.exe svchost.exe PID 2584 wrote to memory of 2708 2584 spoolsv.exe svchost.exe PID 2708 wrote to memory of 2496 2708 svchost.exe spoolsv.exe PID 2708 wrote to memory of 2496 2708 svchost.exe spoolsv.exe PID 2708 wrote to memory of 2496 2708 svchost.exe spoolsv.exe PID 2708 wrote to memory of 2496 2708 svchost.exe spoolsv.exe PID 2708 wrote to memory of 2888 2708 svchost.exe at.exe PID 2708 wrote to memory of 2888 2708 svchost.exe at.exe PID 2708 wrote to memory of 2888 2708 svchost.exe at.exe PID 2708 wrote to memory of 2888 2708 svchost.exe at.exe PID 2708 wrote to memory of 2872 2708 svchost.exe at.exe PID 2708 wrote to memory of 2872 2708 svchost.exe at.exe PID 2708 wrote to memory of 2872 2708 svchost.exe at.exe PID 2708 wrote to memory of 2872 2708 svchost.exe at.exe PID 2708 wrote to memory of 3032 2708 svchost.exe at.exe PID 2708 wrote to memory of 3032 2708 svchost.exe at.exe PID 2708 wrote to memory of 3032 2708 svchost.exe at.exe PID 2708 wrote to memory of 3032 2708 svchost.exe at.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe"C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2496
-
-
C:\Windows\SysWOW64\at.exeat 02:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:2888
-
-
C:\Windows\SysWOW64\at.exeat 02:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:2872
-
-
C:\Windows\SysWOW64\at.exeat 02:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:3032
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD538bcc36708d37b18f663ab913f1a1513
SHA165877c9c6054baff9d5f2526c874a64563aea1d0
SHA256c549a990d2ae4dedd502630228eb3c4ac686baa691b9651b71061a6fcb59d206
SHA512f05b6f5d923246b50c9fd77b4fe2c421f7707a3fa7a19f79866eacd6b539f4960382f1d06944b1a3a3fd888ef2cd5b00de2b52f97898e81050264bcf79ad9a5e
-
Filesize
65KB
MD5dcab432f3492b1156f84044fbca06543
SHA116a23a23dc12e070ef757eddb6eb27b7e9eddf42
SHA256f4fe6f0f95c9687d9a1907e595324290deebf24532dda88b9b90f4d6fd6fd2cc
SHA512075ae8bd738e0c3873e38c2eb90dcfa37b566db5495b0bab1c3a50ee89ee3e57465fa94507e25c12d0eb37b3ad0d884cd8e79d94c98483298d4f8b9a86d450a0
-
Filesize
65KB
MD5ec0ccef008996062226f8904f44e9f4b
SHA1ad0d3e5673321c23e51de38fa95edd67460618b0
SHA256cbf4b45ee62c383f9c51dd1a0fe5d40828ef3e3487175f34f51eb5e60ef3daaa
SHA512c63fb3cf6b9eb2809da5770964a5176e21ff70af652a81f0f6162bd8a850df9a7aa23c5fc2472cc768232b107f7889980004150731abd715329350193135bf36
-
Filesize
65KB
MD531a000085e08abafbbb5c12413be0517
SHA1f7db5b46983de5da14d84801952dd97eeeda3f91
SHA256622857b77cb6a465bd86a2f336f03cdabeda2cf0b15a0ddc54a38667017d6a4d
SHA512bdc26532227b4da15cbe5c92728f32f34a8550a030004f5ccf0431b58b86e276d8d471f646f946a4debe959d3af2402e955ea7ec9a32194a7c5fbba8508e47da