Analysis
max time kernel: 150s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 02:14
Static task: static1
Behavioral task: behavioral1
  Sample: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe
  Resource: win10v2004-20240508-en
General
Target: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe
Size: 66KB
MD5: c0ddf2d11b817b0f2367fae38b852ffe
SHA1: cc2c460b329550973d77274934b4625370f80654
SHA256: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6
SHA512: c2f68be2ee178f54245128d45e6df68e411ad3dd14ae0bfbe55f766b69c3c65fa0886bd6b48f13fb0b02d17fe7a5255da71ba63b07c5691da7a89a761af74fe7
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXif:IeklMMYJhqezw/pXzH9if
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe
description / ioc / process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (svchost.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: svchost.exe, explorer.exe
description / ioc / process:
- Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
Modifies Installed Components in the registry 2 TTPs 8 IoCs
Processes: svchost.exe, explorer.exe
description / ioc / process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (explorer.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (svchost.exe)
Executes dropped EXE 4 IoCs
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid / process:
- 1680 explorer.exe
- 408 spoolsv.exe
- 4572 svchost.exe
- 1652 spoolsv.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes: explorer.exe, svchost.exe
description / ioc / process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (svchost.exe)
Drops file in Windows directory 6 IoCs
Processes: explorer.exe, spoolsv.exe, svchost.exe, a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe
description / ioc / process:
- File opened for modification \??\c:\windows\system\spoolsv.exe (explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (spoolsv.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (svchost.exe)
- File opened for modification C:\Windows\system\udsys.exe (explorer.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe, explorer.exe, svchost.exe
pid / process:
5076 a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe 5076 a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe 1680 explorer.exe 1680 explorer.exe 1680 explorer.exe 1680 explorer.exe 1680 explorer.exe 1680 explorer.exe 1680 explorer.exe 4572 svchost.exe 1680 explorer.exe 4572 svchost.exe 4572 svchost.exe 4572 svchost.exe 4572 svchost.exe 1680 explorer.exe 1680 explorer.exe 4572 svchost.exe 1680 explorer.exe 4572 svchost.exe 1680 explorer.exe 4572 svchost.exe 1680 explorer.exe 4572 svchost.exe 1680 explorer.exe 4572 svchost.exe 4572 svchost.exe 1680 explorer.exe 4572 svchost.exe 1680 explorer.exe 1680 explorer.exe 4572 svchost.exe 1680 explorer.exe 4572 svchost.exe 1680 explorer.exe 4572 svchost.exe 1680 explorer.exe 4572 svchost.exe 4572 svchost.exe 1680 explorer.exe 1680 explorer.exe 4572 svchost.exe 1680 explorer.exe 4572 svchost.exe 1680 explorer.exe 4572 svchost.exe 4572 svchost.exe 1680 explorer.exe 1680 explorer.exe 4572 svchost.exe 1680 explorer.exe 4572 svchost.exe 4572 svchost.exe 1680 explorer.exe 1680 explorer.exe 4572 svchost.exe 1680 explorer.exe 4572 svchost.exe 4572 svchost.exe 1680 explorer.exe 1680 explorer.exe 4572 svchost.exe 1680 explorer.exe 4572 svchost.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: explorer.exe, svchost.exe
pid / process:
- 1680 explorer.exe
- 4572 svchost.exe
Suspicious use of SetWindowsHookEx 12 IoCs
Processes: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid / process:
- 5076 a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe
- 5076 a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe
- 1680 explorer.exe
- 1680 explorer.exe
- 408 spoolsv.exe
- 408 spoolsv.exe
- 4572 svchost.exe
- 4572 svchost.exe
- 1652 spoolsv.exe
- 1652 spoolsv.exe
- 1680 explorer.exe
- 1680 explorer.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe, explorer.exe, spoolsv.exe, svchost.exe
description / pid / process / target process:
- PID 5076 wrote to memory of 1680 (a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe -> explorer.exe)
- PID 5076 wrote to memory of 1680 (a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe -> explorer.exe)
- PID 5076 wrote to memory of 1680 (a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe -> explorer.exe)
- PID 1680 wrote to memory of 408 (explorer.exe -> spoolsv.exe)
- PID 1680 wrote to memory of 408 (explorer.exe -> spoolsv.exe)
- PID 1680 wrote to memory of 408 (explorer.exe -> spoolsv.exe)
- PID 408 wrote to memory of 4572 (spoolsv.exe -> svchost.exe)
- PID 408 wrote to memory of 4572 (spoolsv.exe -> svchost.exe)
- PID 408 wrote to memory of 4572 (spoolsv.exe -> svchost.exe)
- PID 4572 wrote to memory of 1652 (svchost.exe -> spoolsv.exe)
- PID 4572 wrote to memory of 1652 (svchost.exe -> spoolsv.exe)
- PID 4572 wrote to memory of 1652 (svchost.exe -> spoolsv.exe)
- PID 4572 wrote to memory of 4128 (svchost.exe -> at.exe)
- PID 4572 wrote to memory of 4128 (svchost.exe -> at.exe)
- PID 4572 wrote to memory of 4128 (svchost.exe -> at.exe)
- PID 4572 wrote to memory of 2092 (svchost.exe -> at.exe)
- PID 4572 wrote to memory of 2092 (svchost.exe -> at.exe)
- PID 4572 wrote to memory of 2092 (svchost.exe -> at.exe)
- PID 4572 wrote to memory of 3752 (svchost.exe -> at.exe)
- PID 4572 wrote to memory of 3752 (svchost.exe -> at.exe)
- PID 4572 wrote to memory of 3752 (svchost.exe -> at.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe (depth 1, PID 5076)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe (depth 2, PID 1680)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe (depth 3, PID 408)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe (depth 4, PID 4572)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe (depth 5, PID 1652)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe (depth 5, PID 4128)
          Command line: at 02:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe (depth 5, PID 2092)
          Command line: at 02:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe (depth 5, PID 3752)
          Command line: at 02:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads