Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 02:14
Static task: static1
Behavioral task: behavioral1
- Sample: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe
- Resource: win10v2004-20240508-en
General
- Target: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe
- Size: 66KB
- MD5: c0ddf2d11b817b0f2367fae38b852ffe
- SHA1: cc2c460b329550973d77274934b4625370f80654
- SHA256: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6
- SHA512: c2f68be2ee178f54245128d45e6df68e411ad3dd14ae0bfbe55f766b69c3c65fa0886bd6b48f13fb0b02d17fe7a5255da71ba63b07c5691da7a89a761af74fe7
- SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXif:IeklMMYJhqezw/pXzH9if
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: svchost.exe, explorer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  2956 | explorer.exe
  2512 | spoolsv.exe
  2468 | svchost.exe
  2416 | spoolsv.exe
Loads dropped DLL (8 IoCs)
Processes: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe, explorer.exe, spoolsv.exe, svchost.exe
  pid | process
  2452 | a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe (2 events)
  2956 | explorer.exe (2 events)
  2512 | spoolsv.exe (2 events)
  2468 | svchost.exe (2 events)
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe
  description | ioc | process
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe, explorer.exe, svchost.exe
  pid | process
  2452 | a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe (1 event)
  2956 | explorer.exe and 2468 | svchost.exe (the remaining 63 events, one row per call, alternating between the two processes)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
  pid | process
  2956 | explorer.exe
  2468 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  2452 | a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe (2 events)
  2956 | explorer.exe (2 events)
  2512 | spoolsv.exe (2 events)
  2468 | svchost.exe (2 events)
  2416 | spoolsv.exe (2 events)
  2956 | explorer.exe (2 events)
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe, explorer.exe, spoolsv.exe, svchost.exe
  description | pid | process | target process
  PID 2452 wrote to memory of 2956 (4 events) | 2452 | a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe | explorer.exe
  PID 2956 wrote to memory of 2512 (4 events) | 2956 | explorer.exe | spoolsv.exe
  PID 2512 wrote to memory of 2468 (4 events) | 2512 | spoolsv.exe | svchost.exe
  PID 2468 wrote to memory of 2416 (4 events) | 2468 | svchost.exe | spoolsv.exe
  PID 2468 wrote to memory of 1956 (4 events) | 2468 | svchost.exe | at.exe
  PID 2468 wrote to memory of 2708 (4 events) | 2468 | svchost.exe | at.exe
  PID 2468 wrote to memory of 3068 (4 events) | 2468 | svchost.exe | at.exe
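The four registry signatures above (Winlogon Shell, ShowSuperHidden, Active Setup StubPath, RunOnce) can be triaged mechanically. The Python below is an added example written for this page; it is not sandbox output and not code from the sample. The event rows are constructed from the Signatures section, while the rule names, the list of trusted autostart directories and the two benign control rows are assumptions of the example. Two properties the report's own rows already show and the checks rely on: the Active Setup component names ({Y479C6D0-OTRW-...}, {F146C9B1-VMVQ-...}) contain non-hex characters and therefore cannot be real GUIDs, and every autostart value points into c:\windows\system\ (the legacy 16-bit directory, not System32) or into %APPDATA%.

```python
"""Triage registry events of the kind listed in the Signatures section.

Added example for this page, not sandbox output or code from the sample.
Event rows are constructed from the report; rule names, the trusted
autostart directories and the two benign control rows are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RegEvent:
    path: str     # full value path as the sandbox logs it
    data: str     # value data rendered as text
    process: str  # image name of the writing process


EVENTS = [
    # Rows taken from the Signatures section (Wow6432Node: 32-bit writer on x64 Windows).
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
             r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe", "explorer.exe"),
    RegEvent(r"\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft"
             r"\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", "0", "explorer.exe"),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
             r"\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath",
             r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR", "svchost.exe"),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
             r"c:\windows\system\svchost.exe RO", "explorer.exe"),
    # Constructed benign controls that must not fire.
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             "explorer.exe", "msiexec.exe"),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
             r"\{89820200-ECBD-11CF-8B85-00AA005B4383}\StubPath",
             r"C:\Windows\System32\ie4uinit.exe -UserConfig", "runonce.exe"),
]

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\Installed Components\\(\{[^\\]*\})\\StubPath$", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
# Directories an autostart entry is normally allowed to point into (assumption of this example).
AUTOSTART_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                  "c:\\program files\\", "c:\\program files (x86)\\")


def first_token(command: str) -> str:
    """Return the executable part of a command line (quoted path or first whitespace token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check_winlogon_shell(ev: RegEvent) -> Optional[dict]:
    """Winlogon\\Shell must be exactly explorer.exe; any extra comma-separated entry is a shell hijack."""
    if not ev.path.lower().endswith(r"\winlogon\shell"):
        return None
    entries = [e.strip() for e in ev.data.split(",") if e.strip()]
    extra = [e for e in entries if e.lower() not in ("explorer.exe", r"c:\windows\explorer.exe")]
    if len(entries) > 1 or extra:
        return {"rule": "winlogon_shell_extra_entry", "process": ev.process,
                "detail": ", ".join(extra or entries)}
    return None


def check_active_setup(ev: RegEvent) -> Optional[dict]:
    """Active Setup components must be named by a real GUID and point into a trusted directory."""
    m = ACTIVE_SETUP_RE.search(ev.path)
    if not m:
        return None
    reasons = []
    if not GUID_RE.match(m.group(1)):
        reasons.append("component name is not a well-formed GUID")
    exe = first_token(ev.data).lower()
    if not exe.startswith(AUTOSTART_DIRS):
        reasons.append(f"StubPath outside trusted directories: {exe}")
    if reasons:
        return {"rule": "active_setup_stubpath", "process": ev.process, "detail": "; ".join(reasons)}
    return None


def check_run_key(ev: RegEvent) -> Optional[dict]:
    """Run/RunOnce values whose executable lives outside the trusted directories."""
    if not RUN_KEY_RE.search(ev.path):
        return None
    exe = first_token(ev.data).lower()
    if not exe.startswith(AUTOSTART_DIRS):
        return {"rule": "run_key_untrusted_path", "process": ev.process, "detail": exe}
    return None


def check_super_hidden(ev: RegEvent) -> Optional[dict]:
    """ShowSuperHidden=0 hides system files. 0 is also the Windows default, so this is only
    a corroborating signal when the same process is installing autostarts."""
    if ev.path.lower().endswith(r"\explorer\advanced\showsuperhidden") and ev.data.strip() == "0":
        return {"rule": "hide_system_files", "process": ev.process, "detail": "ShowSuperHidden=0"}
    return None


CHECKS = (check_winlogon_shell, check_active_setup, check_run_key, check_super_hidden)


def triage(events: List[RegEvent]) -> List[dict]:
    """Run every check over every event and return the findings in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f['rule']}] {f['process']}: {f['detail']}")
```

The Wow6432Node paths in every row show the writer is a 32-bit process on 64-bit Windows, which matches the arch:x86/arch:x64 resource tags and the C:\Windows\SysWOW64\at.exe launches in the process tree. ShowSuperHidden=0 is deliberately reported as a weak finding because it is the Windows default.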
Processes
1. C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe  PID 2452
   cmdline: "C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe"
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\system\explorer.exe  PID 2956
      cmdline: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\system\spoolsv.exe  PID 2512
         cmdline: c:\windows\system\spoolsv.exe SE
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\system\svchost.exe  PID 2468
            cmdline: c:\windows\system\svchost.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\system\spoolsv.exe  PID 2416
               cmdline: c:\windows\system\spoolsv.exe PR
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
            5. C:\Windows\SysWOW64\at.exe  PID 1956
               cmdline: at 02:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5. C:\Windows\SysWOW64\at.exe  PID 2708
               cmdline: at 02:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5. C:\Windows\SysWOW64\at.exe  PID 3068
               cmdline: at 02:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
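The process tree is a chain of copies named after Windows system binaries (explorer.exe, spoolsv.exe, svchost.exe) but launched from c:\windows\system\, ending in three at.exe jobs that re-launch the fake svchost.exe. The Python below is an added example for this page, not sandbox output and not code from the sample: the process list is constructed from the tree above, and the table of legitimate image paths (explorer.exe in C:\Windows, svchost.exe in System32 and SysWOW64, spoolsv.exe in System32) is an assumption of the example. It flags name-versus-path masquerading, parses the at.exe command lines into structured jobs, and correlates the two.

```python
"""Masquerading and at.exe scheduling checks over a process tree like the one above.

Added example for this page, not sandbox output or code from the sample. The
process list is constructed from the tree; EXPECTED_PATHS is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str             # image path as logged (may carry the \??\ NT prefix)
    cmdline: str
    parent: Optional[int]


SAMPLE = "a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe"
AT_CMD = r"at {t} /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"

# Constructed from the Processes section of the report.
PROCS = [
    Proc(2452, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
         f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"', None),
    Proc(2956, r"\??\c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe", 2452),
    Proc(2512, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE", 2956),
    Proc(2468, r"\??\c:\windows\system\svchost.exe", r"c:\windows\system\svchost.exe", 2512),
    Proc(2416, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe PR", 2468),
    Proc(1956, r"C:\Windows\SysWOW64\at.exe", AT_CMD.format(t="02:16"), 2468),
    Proc(2708, r"C:\Windows\SysWOW64\at.exe", AT_CMD.format(t="02:17"), 2468),
    Proc(3068, r"C:\Windows\SysWOW64\at.exe", AT_CMD.format(t="02:18"), 2468),
]

# Where these system binaries legitimately live (lower-case; assumption of this example).
EXPECTED_PATHS = {
    "explorer.exe": {"c:\\windows\\explorer.exe"},
    "svchost.exe": {"c:\\windows\\system32\\svchost.exe", "c:\\windows\\syswow64\\svchost.exe"},
    "spoolsv.exe": {"c:\\windows\\system32\\spoolsv.exe"},
}


def normalize(image: str) -> str:
    """Lower-case the path and strip the \\??\\ NT object-manager prefix the sandbox logs."""
    path = image.lower()
    return path[4:] if path.startswith("\\??\\") else path


def masquerading(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """(pid, name, path) for processes named like a system binary but running from elsewhere."""
    hits = []
    for p in procs:
        path = normalize(p.image)
        name = path.rsplit("\\", 1)[-1]
        expected = EXPECTED_PATHS.get(name)
        if expected is not None and path not in expected:
            hits.append((p.pid, name, path))
    return hits


# at <HH:MM> [/switch ...] <command>; switches all start with '/' so the command is what follows them.
AT_RE = re.compile(r"^at\s+(?P<time>\d{1,2}:\d{2})(?P<opts>(?:\s+/\S+)*)\s+(?P<command>.+)$", re.I)


@dataclass(frozen=True)
class AtJob:
    pid: int
    time: str
    interactive: bool
    days: Tuple[str, ...]
    command: str


def parse_at_jobs(procs: List[Proc]) -> List[AtJob]:
    """Parse at.exe launches into AtJob records; /every:<days> becomes a tuple of day tokens."""
    jobs = []
    for p in procs:
        if normalize(p.image).rsplit("\\", 1)[-1] != "at.exe":
            continue
        m = AT_RE.match(p.cmdline.strip())
        if not m:
            continue
        opts = m.group("opts").split()
        days: Tuple[str, ...] = ()
        for opt in opts:
            if opt.lower().startswith("/every:"):
                days = tuple(opt.split(":", 1)[1].split(","))
        interactive = any(opt.lower() == "/interactive" for opt in opts)
        jobs.append(AtJob(p.pid, m.group("time"), interactive, days, m.group("command").strip()))
    return jobs


def report(procs: List[Proc]) -> dict:
    """Correlate: which at.exe jobs re-launch a masqueraded binary on every day of the week."""
    masq = masquerading(procs)
    jobs = parse_at_jobs(procs)
    masq_paths = {path for _, _, path in masq}
    daily = [j for j in jobs if len(j.days) == 7 and j.command.lower() in masq_paths]
    return {"masquerading": masq, "at_jobs": jobs, "daily_relaunch": daily}


if __name__ == "__main__":
    r = report(PROCS)
    for pid, name, path in r["masquerading"]:
        print(f"PID {pid}: {name} running from {path}")
    for j in r["daily_relaunch"]:
        print(f"PID {j.pid}: at {j.time} every day -> {j.command}")
```

Jobs created with at.exe are executed by the Task Scheduler service as LocalSystem, so the three entries give the c:\windows\system\svchost.exe copy a daily SYSTEM-level relaunch independent of the Winlogon, RunOnce and Active Setup entries; creating them required the administrative context the sandbox ran the sample in. The /interactive switch is a holdover: since session 0 isolation it no longer gives the job access to the logged-on user's desktop.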
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
- Filesize: 66KB
  MD5: 9e61bdb7a3896af1f3472d16f6b08c17
  SHA1: f99a553652b6ef4195bbfa0478a9a743eec4936e
  SHA256: 5e154d1569d4bd4b5bd509ee047b40b9e38e012b99e17bbafe3903fe9ba2f31e
  SHA512: 58747aa83a9a6f3865263c1bf819da4304d03594e639cf20af405ac40e05e753080f5ecfdae9eb5007d8f8eb40a7e3cbcddf248b975e90745934e4d438d0aa87
- Filesize: not listed (these are the hashes of an empty, zero-byte file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize: 66KB
  MD5: 6d6000d8340d52075a77fc4538c61634
  SHA1: 33e45c5852f9a448e5152420c9f47951ed47b084
  SHA256: e810cda46edeb2f0b175d58ef1bbb2274a7026666ce695ef6d1d644e0e40d608
  SHA512: 1dd06d3197ea3e1060a3245065283f387bb0c34fd7334310a5c8c98056c9bc4db763fb8cf3311403ce261946dbe27ab31572f7c9cc5598181e2d7fcee153c560
- Filesize: 66KB
  MD5: 7c8a684bfb8d828778ead8b3bf36f2fd
  SHA1: 1f9479fa42467ecd30b17555e7d6e119a5d67602
  SHA256: 2e4afbe778824e150077b3d1ec854161fb69b1364fc941d2006a0ea070d84955
  SHA512: 09abae03a31cc95ef59de263d835dee621cb1195727f2dfd0a0fb110f8bd661b5eae23045aa6244afb1bbe4343fd471193086c4b803390f0b2b7a44784f97513
- Filesize: 66KB
  MD5: c6c2e9400e656ccc61985b6454021e19
  SHA1: a939cd9831ed2b0afd913ac1655c5dee63837fc1
  SHA256: 56ceee886b567c4527d27ebbe8277804dd75f671533e75b3c4ea60bbbc1d0f21
  SHA512: fe920cd4c201611803c9637ac8bb936ecab9dac4ad6aec28fbadf31c99115994e30600f297136e527e8be2ab34b9641fe360396e9647f84cfa1c752cbe9a2dcf