Analysis
Max time kernel: 150s
Max time network: 121s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 14-06-2024 02:20
Static task: static1
Behavioral task: behavioral1
  Sample: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe
  Resource: win10v2004-20240611-en
The signatures and process tree on this page are from the win10v2004 run (behavioral2), as the platform and resource fields above indicate.
General
Target: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe
Size: 206KB
MD5: 0b5b4c2966f8fd334a85b47c2a65b3f2
SHA1: 9fe1f6f86bb93d017c187fae2b11e532ac940a52
SHA256: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83
SHA512: 4686a72af4b93bf21c816f94b385b37941f896f86498c75745c759a7935f7ad477939ed7a1ad4809ab36d5dd09ca719ae179ceacaa8b4db7f9de55b0159383bd
SSDEEP: 3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unr:5vEN2U+T6i5LirrllHy4HUcMQY6C
Malware Config: none reported.
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  [explorer.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  [svchost.exe]
The Winlogon Shell value is a comma-separated list of executables that Userinit launches at interactive logon. Appending c:\windows\system\explorer.exe after the genuine shell keeps the desktop working while also starting the dropped copy on every logon. The default value is the bare token "explorer.exe", so any other content here is worth an alert.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [explorer.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [svchost.exe]
ShowSuperHidden = 0 makes Explorer hide files carrying the hidden+system attributes, so a user browsing the drop directories would not see the sample's files.
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: svchost.exe, explorer.exe
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  [svchost.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  [svchost.exe]
  Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  [svchost.exe]
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  [svchost.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  [svchost.exe]
  Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  [svchost.exe]
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  [explorer.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  [explorer.exe]
Active Setup runs each component's StubPath command in the user's context at logon for every user whose HKCU Active Setup branch lacks a matching entry, which gives the sample a per-user launch of %APPDATA%\mrsys.exe with the argument MR. Both component names contain non-hexadecimal characters (VMVQ, A9RC, NUFL; OTRW, U5GH, S1EE), which a genuine GUID never does, so a scan of Installed Components for malformed GUIDs is a cheap hunting check.
Executes dropped EXE (4 IoCs)
  PID 4940  explorer.exe
  PID 4808  spoolsv.exe
  PID 2412  svchost.exe
  PID 3984  spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: svchost.exe, explorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  [svchost.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  [explorer.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  [explorer.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  [svchost.exe]
RunOnce entries are removed once executed; here both running copies write both entries, so the keys are re-armed from more than one process. Note that the targets live in c:\windows\system, not c:\windows\system32, despite carrying the names of system binaries.
Drops file in Windows directory (6 IoCs)
Processes: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe, explorer.exe, spoolsv.exe, svchost.exe
  File opened for modification \??\c:\windows\system\explorer.exe  [a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe]
  File opened for modification \??\c:\windows\system\spoolsv.exe  [explorer.exe]
  File opened for modification \??\c:\windows\system\svchost.exe  [spoolsv.exe]
  File opened for modification \??\c:\windows\system\explorer.exe  [explorer.exe]
  File opened for modification \??\c:\windows\system\svchost.exe  [svchost.exe]
  File opened for modification C:\Windows\system\udsys.exe  [explorer.exe]
Every dropped file reuses the name of a legitimate Windows binary (explorer.exe, spoolsv.exe, svchost.exe) but sits in c:\windows\system, a directory none of the genuine binaries live in. A path check on image name versus expected directory catches all of them; udsys.exe has no legitimate counterpart.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe, explorer.exe, svchost.exe
  64 process-enumeration events: two from PID 3216 (the submitted sample), the rest alternating between PID 4940 (explorer.exe) and PID 2412 (svchost.exe) for the remainder of the run.
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 4940  explorer.exe
  PID 2412  svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  PID 3216  a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe  (2 events)
  PID 4940  explorer.exe  (4 events)
  PID 4808  spoolsv.exe  (2 events)
  PID 2412  svchost.exe  (2 events)
  PID 3984  spoolsv.exe  (2 events)
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe, explorer.exe, spoolsv.exe, svchost.exe
Each source/target pair below was recorded three times (7 pairs, 21 events):
  PID 3216  a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe  wrote to memory of  PID 4940  explorer.exe
  PID 4940  explorer.exe   wrote to memory of  PID 4808  spoolsv.exe
  PID 4808  spoolsv.exe    wrote to memory of  PID 2412  svchost.exe
  PID 2412  svchost.exe    wrote to memory of  PID 3984  spoolsv.exe
  PID 2412  svchost.exe    wrote to memory of  PID 628   at.exe
  PID 2412  svchost.exe    wrote to memory of  PID 2776  at.exe
  PID 2412  svchost.exe    wrote to memory of  PID 3768  at.exe
In every case the writer is the target's parent in the process tree below, i.e. the writes occur while the parent is setting up the child it has just created.
Processes
C:\Users\Admin\AppData\Local\Temp\a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe  (PID 3216)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7b91e4908a474a7066ea76871b347ed2bdacb29d04b02aecfdb12b04c539d83.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe  (PID 4940)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe  (PID 4808)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe  (PID 2412)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe  (PID 3984)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe  (PID 628)
          Command line: at 02:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe  (PID 2776)
          Command line: at 02:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe  (PID 3768)
          Command line: at 02:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4432; top-level process, not a child of the sample)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4492,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8
Reading the tree: the sample copies itself into c:\windows\system under three system-binary names and chains through them (explorer.exe -> spoolsv.exe -> svchost.exe -> spoolsv.exe), each child launched with a two-letter argument (SE, PR here; RO and MR appear in the RunOnce and StubPath values above). The svchost.exe copy then uses the legacy at.exe scheduler to run itself daily at 02:22, 02:23 and 02:24, two minutes after the 02:20 submission, on every day of the week. at.exe use is rare on current Windows builds and is a strong standalone detection.
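The following Python is an added example, not part of the sandbox report: it expresses the persistence and masquerading behaviour recorded above as hunt rules and replays them over Sysmon-shaped events. The event dicts are hand-built from the report's IoCs (plus two constructed benign controls); they use Sysmon's RegistryEvent (EventID 13) and ProcessCreate (EventID 1) field names but are not captured telemetry. The trusted-directory lists, the expected-directory map and the rule names are my own policy assumptions, not the sandbox's.

```python
"""Hunt rules for the persistence/masquerading behaviour in the report, replayed
over constructed Sysmon-shaped events (EventID 13 RegistryEvent, EventID 1
ProcessCreate). Added example; events are built from the report, not captured."""
import ntpath
import re
from dataclasses import dataclass

# Registry locations the sample wrote to, matched against Sysmon TargetObject.
WINLOGON_SHELL = re.compile(r"\\Winlogon\\Shell$", re.I)
ACTIVE_SETUP_STUB = re.compile(r"\\Active Setup\\Installed Components\\\{([^}]+)\}\\StubPath$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
SUPER_HIDDEN = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
HEX_GUID = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)

# Policy assumption: autostart targets are expected under these prefixes.
# c:\windows\system\ (where the sample dropped its copies) is deliberately absent.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
# Directories where the genuine binaries of these names live (assumption).
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
EXPECTED_DIRS = {"explorer.exe": {"c:\\windows"}, "svchost.exe": SYSTEM_DIRS, "spoolsv.exe": SYSTEM_DIRS}


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str  # image that performed the action
    evidence: str


def _exe_paths(value):
    """Extract drive-letter .exe paths from a comma/space separated command value."""
    return re.findall(r'"?([a-z]:\\[^",]+?\.exe)', value, re.I)


def _trusted(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def _int_value(details):
    """Sysmon renders DWORDs as 'DWORD (0x...)'; the sandbox report shows a bare '0'."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) if m else int(details.strip().strip('"'))


def check_registry(ev):
    key, val, img = ev["TargetObject"], ev["Details"], ev["Image"]
    # Shell is a comma-separated list; the default is the bare token explorer.exe.
    if WINLOGON_SHELL.search(key) and val.strip().lower() != "explorer.exe":
        yield Finding("winlogon_shell_modified", img, val)
    m = ACTIVE_SETUP_STUB.search(key)
    if m:
        bad_guid = not HEX_GUID.match(m.group(1))  # {F146C9B1-VMVQ-...} is not a real GUID
        if bad_guid or any(not _trusted(p) for p in _exe_paths(val)):
            tag = " [non-hex GUID]" if bad_guid else ""
            yield Finding("active_setup_stubpath", img, f"{{{m.group(1)}}} -> {val}{tag}")
    if RUN_KEY.search(key):
        for p in _exe_paths(val):
            if not _trusted(p):
                yield Finding("run_key_untrusted_target", img, f"{key} = {val}")
    if SUPER_HIDDEN.search(key) and _int_value(val) == 0:
        yield Finding("super_hidden_files_concealed", img, f"{key} = {val}")


def check_process(ev):
    img, cmd = ev["Image"], ev.get("CommandLine", "")
    name, parent_dir = ntpath.basename(img).lower(), ntpath.dirname(img).lower()
    if name == "at.exe" and re.search(r"/every:|/interactive", cmd, re.I):
        yield Finding("at_exe_scheduled_job", ev.get("ParentImage", "?"), cmd)
    if name in EXPECTED_DIRS and parent_dir not in EXPECTED_DIRS[name]:
        yield Finding("system_binary_name_outside_system_dir", img, cmd)


def hunt(events):
    """Return every Finding raised by the rules above, in event order."""
    findings = []
    for ev in events:
        findings.extend(check_registry(ev) if ev["EventID"] == 13 else check_process(ev))
    return findings


# Constructed from the report's IoCs; the last two events are benign controls.
EVENTS = [
    {"EventID": 13, "Image": r"c:\windows\system\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe"},
    {"EventID": 13, "Image": r"c:\windows\system\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"c:\windows\system\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath",
     "Details": r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR"},
    {"EventID": 13, "Image": r"c:\windows\system\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     "Details": r"c:\windows\system\svchost.exe RO"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\at.exe", "ParentImage": r"c:\windows\system\svchost.exe",
     "CommandLine": r"at 02:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"},
    {"EventID": 1, "Image": r"c:\windows\system\spoolsv.exe", "ParentImage": r"c:\windows\system\explorer.exe",
     "CommandLine": r"c:\windows\system\spoolsv.exe SE"},
    {"EventID": 13, "Image": r"C:\Windows\System32\userinit.exe",  # benign: default Shell value
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "Details": "explorer.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",  # benign: Run entry under Program Files
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /tray'},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f.rule:40} by {f.process}\n    {f.evidence}")
```

Each of the six malicious events trips exactly one rule and the two controls trip none. The Winlogon rule deliberately compares against the literal default rather than looking for known-bad paths, so a future variant that appends a different file is still caught; the Active Setup rule fires on either a malformed GUID or an untrusted StubPath, so it does not depend on the mrsys.exe name.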
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 3
    Registry Run Keys / Startup Folder (T1547.001): 2
    Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 3
    Registry Run Keys / Startup Folder (T1547.001): 2
    Winlogon Helper DLL (T1547.004): 1
The mapping reflects only the RunOnce and Winlogon writes. The Active Setup StubPath entries and the three at.exe scheduled jobs recorded above are not represented in it.
Downloads
Filesize: 206KB
  MD5: d1a371c52828aad31ac676473a94e431
  SHA1: 441a865fa9cd6ab717bf01279b9c842092787249
  SHA256: a1a2c792bab98d7d50ec8affc57868fdd88865b96da33703359c8fba9110d870
  SHA512: 4b2d62ea694bb6a4a4f81caf1c08cd47f0a9c6a7ef905fcc2dd0181e80a393776bf2dfa26240f00c310811fe7cbe0d3a7d0cd2b402f7a6ba1b0e339e60571c2a
Filesize: 206KB
  MD5: 70c6b73030b3a2721a32f00936b6a8e2
  SHA1: 8678fabc324d5ec3c26e979f88062445238d1aa2
  SHA256: 1eb0e76eb9c16baee2936a3bbc7dc47a4a3f21a5ec660ed60f1d3a33929f810b
  SHA512: c3f6a9d8ed02b10a0024f7aece3e2e220f5d581bb91c06dbf21b5e43d619f2e40810f8648aac554b07841c692f8b9687bd6237f2c527a564fc8709d0d37a591f
Filesize: 206KB
  MD5: bb67d611a648bd6e7ac0daaf2e10bb6d
  SHA1: 579bfc0d8bc13de7b01f968e2cd96297b3b4ee80
  SHA256: ecd0306ae548cebbbe73db52bf45f17e12cc6c19b5f060fca169758cfa6f8e53
  SHA512: f004fdee2becd5e63fdfbfabdb5a0b79fe510b55ffff7887a23936598aa744cfcdec916d43f19ca04336232df55d152df4548b4a5a9bc95398e143e5197a2de0
Filesize: 207KB
  MD5: c146fff8b80f3f945d85b5837de6e9d6
  SHA1: f6b9a61aa79ca9a81665bdfca92d37892a5ff1e6
  SHA256: c32840b0b5bb13e25de120627d326feb367b5eba5be2b58883232a7629f062de
  SHA512: 407a8dbed74697e26738279a3319748e8efe61f4ffae50c7c8de54ff26db05e664eda405d3d48aacd96f0c1b9fbf158fbac9d7f65d67cd2cbb9eeadf9b649439
Filesize: (not given)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
The first four artifacts are the same size as the submitted sample (206KB, one 207KB) yet none shares its hash, so the dropped copies are not byte-identical to the original and hash-based blocking of the parent will not cover them. The last entry's digests are those of the empty input (a zero-byte file), so that artifact carries no content.