Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
14-06-2024 02:03
Static task
static1
Behavioral task
behavioral1
Sample
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe
Resource
win10v2004-20240611-en
General
-
Target
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe
-
Size
65KB
-
MD5
c53fa85582f85ce804c246badb499ea4
-
SHA1
4760927447e6acc5c6cc77d58ef68a3a11f4ba86
-
SHA256
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa
-
SHA512
e09af3fd843e3d621efff48e3b824bad2678024fc4deb4cc022d55b527b6028294f48e7f4e6f0cd87756631a444037d855db2f562e4ab1735a1f83ef4a01e394
-
SSDEEP
1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ou1:7WNqkOJWmo1HpM0MkTUmu1
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" svchost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Modifies Installed Components in the registry 2 TTPs 8 IoCs
Processes:
svchost.exeexplorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe -
Executes dropped EXE 4 IoCs
Processes:
explorer.exespoolsv.exesvchost.exespoolsv.exepid process 2916 explorer.exe 3636 spoolsv.exe 2060 svchost.exe 5088 spoolsv.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
svchost.exeexplorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" svchost.exe -
Drops file in Windows directory 6 IoCs
Processes:
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exeexplorer.exespoolsv.exesvchost.exedescription ioc process File opened for modification \??\c:\windows\system\explorer.exe a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe svchost.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exeexplorer.exesvchost.exepid process 760 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe 760 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe 2916 explorer.exe 2916 explorer.exe 2916 explorer.exe 2916 explorer.exe 2916 explorer.exe 2916 explorer.exe 2060 svchost.exe 2060 svchost.exe 2060 svchost.exe 2060 svchost.exe 2916 explorer.exe 2916 explorer.exe 2060 svchost.exe 2060 svchost.exe 2916 explorer.exe 2916 explorer.exe 2060 svchost.exe 2060 svchost.exe 2916 explorer.exe 2916 explorer.exe 2060 svchost.exe 2060 svchost.exe 2916 explorer.exe 2916 explorer.exe 2060 svchost.exe 2060 svchost.exe 2916 explorer.exe 2916 explorer.exe 2060 svchost.exe 2060 svchost.exe 2916 explorer.exe 2916 explorer.exe 2060 svchost.exe 2060 svchost.exe 2916 explorer.exe 2916 explorer.exe 2060 svchost.exe 2060 svchost.exe 2916 explorer.exe 2916 explorer.exe 2060 svchost.exe 2060 svchost.exe 2916 explorer.exe 2916 explorer.exe 2060 svchost.exe 2060 svchost.exe 2916 explorer.exe 2916 explorer.exe 2060 svchost.exe 2060 svchost.exe 2916 explorer.exe 2916 explorer.exe 2060 svchost.exe 2060 svchost.exe 2916 explorer.exe 2916 explorer.exe 2060 svchost.exe 2060 svchost.exe 2916 explorer.exe 2916 explorer.exe 2060 svchost.exe 2060 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
explorer.exesvchost.exepid process 2916 explorer.exe 2060 svchost.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 760 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe 760 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe 2916 explorer.exe 2916 explorer.exe 3636 spoolsv.exe 3636 spoolsv.exe 2060 svchost.exe 2060 svchost.exe 5088 spoolsv.exe 5088 spoolsv.exe 2916 explorer.exe 2916 explorer.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exeexplorer.exespoolsv.exesvchost.exedescription pid process target process PID 760 wrote to memory of 2916 760 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe explorer.exe PID 760 wrote to memory of 2916 760 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe explorer.exe PID 760 wrote to memory of 2916 760 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe explorer.exe PID 2916 wrote to memory of 3636 2916 explorer.exe spoolsv.exe PID 2916 wrote to memory of 3636 2916 explorer.exe spoolsv.exe PID 2916 wrote to memory of 3636 2916 explorer.exe spoolsv.exe PID 3636 wrote to memory of 2060 3636 spoolsv.exe svchost.exe PID 3636 wrote to memory of 2060 3636 spoolsv.exe svchost.exe PID 3636 wrote to memory of 2060 3636 spoolsv.exe svchost.exe PID 2060 wrote to memory of 5088 2060 svchost.exe spoolsv.exe PID 2060 wrote to memory of 5088 2060 svchost.exe spoolsv.exe PID 2060 wrote to memory of 5088 2060 svchost.exe spoolsv.exe PID 2060 wrote to memory of 2356 2060 svchost.exe at.exe PID 2060 wrote to memory of 2356 2060 svchost.exe at.exe PID 2060 wrote to memory of 2356 2060 svchost.exe at.exe PID 2060 wrote to memory of 3056 2060 svchost.exe at.exe PID 2060 wrote to memory of 3056 2060 svchost.exe at.exe PID 2060 wrote to memory of 3056 2060 svchost.exe at.exe PID 2060 wrote to memory of 3928 2060 svchost.exe at.exe PID 2060 wrote to memory of 3928 2060 svchost.exe at.exe PID 2060 wrote to memory of 3928 2060 svchost.exe at.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe"C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5088
-
-
C:\Windows\SysWOW64\at.exeat 02:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:2356
-
-
C:\Windows\SysWOW64\at.exeat 02:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:3056
-
-
C:\Windows\SysWOW64\at.exeat 02:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:3928
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD55bd6fc5307542083818d481b6c34bf6d
SHA13a27084eaf88119de944231d30b5ce98f10f3c42
SHA25648a0e0aba059532b24256672f3f7d9ddb3ff3272e905dedcc19b81d86e88f899
SHA512985d34b2d26f102e886aa52c4075329760fecdfa25e69253a3a2f1a3c148a146835de750f13c54873bc172cc103bbbdf8fc110d0a642f58e582cb730d92444ae
-
Filesize
65KB
MD5d197c11203794adc0d132fa6282bf908
SHA1dc70723a4119165aca63dfe65422b79175ea2c11
SHA256a34a75af886e2c0d70d969692a53d7e70a7d0418c2163cc293b6f563feb6dcab
SHA512e12dfd77e2010e2994c714d580eee4368770f19cbe75ebe314e600ff2537dbd2a5e3ae692e9925cf0657a461e50ca786744022ab7fd04b710e63e7444108157b
-
Filesize
65KB
MD5816cdcc3720ee48da8f1f6e261cd9665
SHA1b1d4cc0bb9b6909986c51cff8b0709180b329492
SHA256d6e21b12415a4d314e1b83bef21dabc848a928674eaf995267e5a62774584fee
SHA5125bfd916266d5d650ef17ada31ab379ca909078b5599b0c5aba2a8ca08fa84045c6b2ab342b46ab28cd2b755134aa522a583a811201cbb85b2b5eb7f7429e4dd2
-
Filesize
65KB
MD55f963ee6e49d6c01ad1435169b61c7f6
SHA1e34486a554ea58031e0e59c0a2bacdaef199652d
SHA25628b135c7739f0a67c5f02cc828d9ab8b428f4e037c2a0aa3d71d96f5a51d2a94
SHA5123352f7128e096f83ddb141e22b165c85f7a4a2f14e5cb9af8017d13c2fc2dd5f2fdf8b873551b4049830f84dc9a5d54b79a296978d42d0a8796e1b8de28d962d