Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240611-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    14-06-2024 02:20

General

  • Target

    a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe

  • Size

    206KB

  • MD5

    0b5b4c2966f8fd334a85b47c2a65b3f2

  • SHA1

    9fe1f6f86bb93d017c187fae2b11e532ac940a52

  • SHA256

    a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83

  • SHA512

    4686a72af4b93bf21c816f94b385b37941f896f86498c75745c759a7935f7ad477939ed7a1ad4809ab36d5dd09ca719ae179ceacaa8b4db7f9de55b0159383bd

  • SSDEEP

    3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unr:5vEN2U+T6i5LirrllHy4HUcMQY6C

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe
    "C:\Users\Admin\AppData\Local\Temp\a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3216
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4940
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4808
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2412
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3984
          • C:\Windows\SysWOW64\at.exe
            at 02:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:628
            • C:\Windows\SysWOW64\at.exe
              at 02:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2776
              • C:\Windows\SysWOW64\at.exe
                at 02:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3768
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4492,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8
          1⤵
            PID:4432

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Roaming\mrsys.exe

            Filesize

            206KB

            MD5

            d1a371c52828aad31ac676473a94e431

            SHA1

            441a865fa9cd6ab717bf01279b9c842092787249

            SHA256

            a1a2c792bab98d7d50ec8affc57868fdd88865b96da33703359c8fba9110d870

            SHA512

            4b2d62ea694bb6a4a4f81caf1c08cd47f0a9c6a7ef905fcc2dd0181e80a393776bf2dfa26240f00c310811fe7cbe0d3a7d0cd2b402f7a6ba1b0e339e60571c2a

          • C:\Windows\System\explorer.exe

            Filesize

            206KB

            MD5

            70c6b73030b3a2721a32f00936b6a8e2

            SHA1

            8678fabc324d5ec3c26e979f88062445238d1aa2

            SHA256

            1eb0e76eb9c16baee2936a3bbc7dc47a4a3f21a5ec660ed60f1d3a33929f810b

            SHA512

            c3f6a9d8ed02b10a0024f7aece3e2e220f5d581bb91c06dbf21b5e43d619f2e40810f8648aac554b07841c692f8b9687bd6237f2c527a564fc8709d0d37a591f

          • C:\Windows\System\spoolsv.exe

            Filesize

            206KB

            MD5

            bb67d611a648bd6e7ac0daaf2e10bb6d

            SHA1

            579bfc0d8bc13de7b01f968e2cd96297b3b4ee80

            SHA256

            ecd0306ae548cebbbe73db52bf45f17e12cc6c19b5f060fca169758cfa6f8e53

            SHA512

            f004fdee2becd5e63fdfbfabdb5a0b79fe510b55ffff7887a23936598aa744cfcdec916d43f19ca04336232df55d152df4548b4a5a9bc95398e143e5197a2de0

          • C:\Windows\System\svchost.exe

            Filesize

            207KB

            MD5

            c146fff8b80f3f945d85b5837de6e9d6

            SHA1

            f6b9a61aa79ca9a81665bdfca92d37892a5ff1e6

            SHA256

            c32840b0b5bb13e25de120627d326feb367b5eba5be2b58883232a7629f062de

            SHA512

            407a8dbed74697e26738279a3319748e8efe61f4ffae50c7c8de54ff26db05e664eda405d3d48aacd96f0c1b9fbf158fbac9d7f65d67cd2cbb9eeadf9b649439

          • \??\PIPE\atsvc

            MD5

            d41d8cd98f00b204e9800998ecf8427e

            SHA1

            da39a3ee5e6b4b0d3255bfef95601890afd80709

            SHA256

            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

            SHA512

            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          • memory/2412-25-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

          • memory/3216-0-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

          • memory/3216-37-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

          • memory/3984-33-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

          • memory/4808-36-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB