Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 02:20
Static task: static1
Behavioral task: behavioral1
Sample: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe
Resource: win10v2004-20240611-en
General
Target: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe
Size: 206KB
MD5: 0b5b4c2966f8fd334a85b47c2a65b3f2
SHA1: 9fe1f6f86bb93d017c187fae2b11e532ac940a52
SHA256: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83
SHA512: 4686a72af4b93bf21c816f94b385b37941f896f86498c75745c759a7935f7ad477939ed7a1ad4809ab36d5dd09ca719ae179ceacaa8b4db7f9de55b0159383bd
SSDEEP: 3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unr:5vEN2U+T6i5LirrllHy4HUcMQY6C
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visiblity of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: svchost.exe, explorer.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
2708 | explorer.exe
2720 | spoolsv.exe
2776 | svchost.exe
2860 | spoolsv.exe
Loads dropped DLL (8 IoCs)
Processes: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe, explorer.exe, spoolsv.exe, svchost.exe
pid | process | events
1688 | a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe | 2
2708 | explorer.exe | 2
2720 | spoolsv.exe | 2
2776 | svchost.exe | 2
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
Processes: explorer.exe, a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe, spoolsv.exe, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe, explorer.exe, svchost.exe
pid | process | events
1688 | a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe | 1
2708 | explorer.exe | 33
2776 | svchost.exe | 30
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
pid | process
2708 | explorer.exe
2776 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process | events
1688 | a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe | 2
2708 | explorer.exe | 4
2720 | spoolsv.exe | 2
2776 | svchost.exe | 2
2860 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe, explorer.exe, spoolsv.exe, svchost.exe
description | pid | process | target process | events
PID 1688 wrote to memory of 2708 | 1688 | a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe | explorer.exe | 4
PID 2708 wrote to memory of 2720 | 2708 | explorer.exe | spoolsv.exe | 4
PID 2720 wrote to memory of 2776 | 2720 | spoolsv.exe | svchost.exe | 4
PID 2776 wrote to memory of 2860 | 2776 | svchost.exe | spoolsv.exe | 4
PID 2776 wrote to memory of 2536 | 2776 | svchost.exe | at.exe | 4
PID 2776 wrote to memory of 1808 | 2776 | svchost.exe | at.exe | 4
PID 2776 wrote to memory of 2208 | 2776 | svchost.exe | at.exe | 4
Processes
C:\Users\Admin\AppData\Local\Temp\a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe"
  PID: 1688
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 2708
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 2720
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 2776
        - Modifies WinLogon for persistence
        - Modifies visiblity of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 2860
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe
          Command line: at 02:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2536
        C:\Windows\SysWOW64\at.exe
          Command line: at 02:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1808
        C:\Windows\SysWOW64\at.exe
          Command line: at 02:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2208
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
Filesize: 206KB
MD5: f23fb36750d1809dad6d9129461feef3
SHA1: 45d3a6f7c1b3353152ffbca7b041b263213e2947
SHA256: 11f703d9b2b3437ff2a0c9188c453ea4fd147f92ddd6944d1472ba382cbb966f
SHA512: 73936a297fac55ca81149f8300de979af3d76d4d668daf1388b99088b22384637395cf80914b0e27881324c788fff351d38c1ec4f1eb632534c4e2183798d2cc

Filesize: 206KB
MD5: 90ce4bca841760c918e9795df602faa8
SHA1: 65ada5c6596d1d8909e42d94f690c8f2f7db4de0
SHA256: 2ad3afd922b663f5b7269e9425496304000f451db1ea6dc580760396533e5771
SHA512: 550ec609ac958f341f7c31cfb860df26b0914c0844612e0236849941f53aa08a53515124f99e2abeaebaba55e1bcfeb9c0a16592c891fd73fb31ccd638469272

Filesize: 207KB
MD5: 677b2a204a8253d30f38c8d75968b64d
SHA1: 3b8ca85577d31cd1dabf14590d24ec7e7495d7d4
SHA256: bfff25cf71030714aece8058e03e585d684462e5f45c6c92d001b207359b6b19
SHA512: 9fbc5c6fb3c0c783c5cca9449f319ddc7d9386d8fd11779449dbeb022722bac6df11a21b069330feb69516d46cd0e2abdcf7c968a3e8fcca3a0362b6378fc7cb

Filesize: 206KB
MD5: d8a9f332f588bef0ea088f8869966c1c
SHA1: c724e033fb45740b37c32562f756b2c27d90b073
SHA256: 977e0882cf19560caf1675608c6cf86979e2ddaa865c9bc62f6d03e7017eaf92
SHA512: 889e4948d78f4613cc1df5a8c3d3347663b0ffc0be8ea8a587ffdf07ff70cb66cab2caca14ee483f392833af7751b6daa6a8316bfdff79731bb93c6864d5276c