Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 05:01
Static task: static1
Behavioral task: behavioral1
- Sample: de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe
- Resource: win10v2004-20240508-en
General
- Target: de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe
- Size: 66KB
- MD5: 0cd879162cdd7710c44cfbb1695a7ea3
- SHA1: 186fac979e1e45849bbb528e55c315058a275ca2
- SHA256: de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66
- SHA512: 6f5d06febfc489bd7a129d42db111b01b046e1e7e7877766f52a81af4b96716bb824f9c6bf49a203f8cc040730845d2852d9d14d769f609c528b35dfbc774a23
- SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXie:IeklMMYJhqezw/pXzH9ie
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
Executes dropped EXE (4 IoCs)
- PID 2696 explorer.exe
- PID 2804 spoolsv.exe
- PID 2508 svchost.exe
- PID 2488 spoolsv.exe
Loads dropped DLL (8 IoCs)
- PID 920 de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe (2 entries)
- PID 2696 explorer.exe (2 entries)
- PID 2804 spoolsv.exe (2 entries)
- PID 2508 svchost.exe (2 entries)
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
Drops file in Windows directory (6 IoCs)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: svchost.exe)
- File opened for modification: C:\Windows\system\udsys.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe)
- File opened for modification: \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
Enumerates physical storage devices (1 TTPs)
- Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 920 de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe (1 entry)
- PID 2696 explorer.exe and PID 2508 svchost.exe (the remaining 63 entries, repeated and alternating between these two processes)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2696 explorer.exe
- PID 2508 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 920 de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe (2 entries)
- PID 2696 explorer.exe (2 entries)
- PID 2804 spoolsv.exe (2 entries)
- PID 2508 svchost.exe (2 entries)
- PID 2488 spoolsv.exe (2 entries)
- PID 2696 explorer.exe (2 entries)
Suspicious use of WriteProcessMemory (28 IoCs; each write is recorded four times)
- PID 920 de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe wrote to memory of PID 2696 (procid_target 28)
- PID 2696 explorer.exe wrote to memory of PID 2804 (procid_target 29)
- PID 2804 spoolsv.exe wrote to memory of PID 2508 (procid_target 30)
- PID 2508 svchost.exe wrote to memory of PID 2488 (procid_target 31)
- PID 2508 svchost.exe wrote to memory of PID 1880 (procid_target 32)
- PID 2508 svchost.exe wrote to memory of PID 1340 (procid_target 36)
- PID 2508 svchost.exe wrote to memory of PID 1468 (procid_target 38)
Processes
- C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe (depth 1, PID 920)
  Command line: "C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe"
  Signatures:
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (depth 2, PID 2696)
    Command line: c:\windows\system\explorer.exe
    Signatures:
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (depth 3, PID 2804)
      Command line: c:\windows\system\spoolsv.exe SE
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (depth 4, PID 2508)
        Command line: c:\windows\system\svchost.exe
        Signatures:
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (depth 5, PID 2488)
          Command line: c:\windows\system\spoolsv.exe PR
          Signatures:
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (depth 5, PID 1880)
          Command line: at 05:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (depth 5, PID 1340)
          Command line: at 05:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (depth 5, PID 1468)
          Command line: at 05:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 66KB
  MD5: ac2008410eb3b12f1ad96fc0c6a84248
  SHA1: fb2a56b2776ba9911cbc6d3a3e18b7dc09184fff
  SHA256: 37ae97573409a91bf3dc846fbfde547db98cdae22ba54c9561aa55c4354c9624
  SHA512: df8bd04dc91ebb7102d0d5f925fa5f759bf57c6e5e737e728f09de76faadb7088c7c901a2e3db8a714853f191214cfcfdd1eb5b1c164b89140b6f472330a9447
- Filesize: 66KB
  MD5: 4fefff25025a5b9dc3f0ad3cd21fc79d
  SHA1: 5e5899a1d8493977e0cb4460bd9452915cab5167
  SHA256: a28ca682561ab23b41bc114f8f6acc88244cc8615a861e9bd31781984639973a
  SHA512: ff2c95d2956f34bd20ee9fb8b882616312b905138205042aaafbc30c71be7070228db25ad2b2e419e7c18514c9786be2a73600a8fa52fd713a92eaf313511f60
- Filesize: 66KB
  MD5: 1091748622669af5aaf1d6a2dda2f934
  SHA1: b7dca01a55ecbde7229bfcd4cbc336d4ab2e542d
  SHA256: 9aefb0ee6afc4aaa4743f0a9ce8b3bc6db3c2e294be45137c64273ece786ed62
  SHA512: 0e1631d86be6674c6af32ba5de46e2151608230a687c85cc50ff0b0ff0ee6310d5ff5868be978cd366842bbe86c4fa681316a5fbb7839d7ab36ff4155277dcac
- Filesize: 66KB
  MD5: eaa12232e59e03609f8ab5ac67b0e162
  SHA1: d1c11e6d0d7fad76cb5df7945afd72b2e502b9e9
  SHA256: 30af236c4d9bbe6dc64cc9f57a3eec7eaa11f17a07cfea9cc643149f2a827944
  SHA512: 03dc211e7791591ac3fcf66818d569c47e961ce122ead4b7444435bf7d50cd62f2f9500dbe58bb20d60012de952bee0a72ab08b06143f4ae1f07e941ada9fe2c