Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 05:01
Static task: static1
Behavioral task: behavioral1
  Sample: de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe
  Resource: win10v2004-20240508-en
General
Target: de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe
Size: 66KB
MD5: 0cd879162cdd7710c44cfbb1695a7ea3
SHA1: 186fac979e1e45849bbb528e55c315058a275ca2
SHA256: de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66
SHA512: 6f5d06febfc489bd7a129d42db111b01b046e1e7e7877766f52a81af4b96716bb824f9c6bf49a203f8cc040730845d2852d9d14d769f609c528b35dfbc774a23
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXie:IeklMMYJhqezw/pXzH9ie
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe |
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe |
Executes dropped EXE (4 IoCs)
| pid | Process |
|---|---|
| 1600 | explorer.exe |
| 4212 | spoolsv.exe |
| 1364 | svchost.exe |
| 3800 | spoolsv.exe |
Adds Run key to start application (2 TTPs, 4 IoCs)
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe |
Drops file in Windows directory (6 IoCs)
| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\system\udsys.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
| pid | Process | occurrences |
|---|---|---|
| 4244 | de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | 2 |
| 1600 | explorer.exe | 32 |
| 1364 | svchost.exe | 30 |
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
| pid | Process |
|---|---|
| 1364 | svchost.exe |
| 1600 | explorer.exe |
Suspicious use of SetWindowsHookEx (12 IoCs)
| pid | Process |
|---|---|
| 4244 | de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe |
| 4244 | de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe |
| 1600 | explorer.exe |
| 1600 | explorer.exe |
| 4212 | spoolsv.exe |
| 4212 | spoolsv.exe |
| 1364 | svchost.exe |
| 1364 | svchost.exe |
| 3800 | spoolsv.exe |
| 3800 | spoolsv.exe |
| 1600 | explorer.exe |
| 1600 | explorer.exe |
Suspicious use of WriteProcessMemory (21 IoCs)
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4244 wrote to memory of 1600 | 4244 | de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | 83 |
| PID 4244 wrote to memory of 1600 | 4244 | de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | 83 |
| PID 4244 wrote to memory of 1600 | 4244 | de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | 83 |
| PID 1600 wrote to memory of 4212 | 1600 | explorer.exe | 84 |
| PID 1600 wrote to memory of 4212 | 1600 | explorer.exe | 84 |
| PID 1600 wrote to memory of 4212 | 1600 | explorer.exe | 84 |
| PID 4212 wrote to memory of 1364 | 4212 | spoolsv.exe | 85 |
| PID 4212 wrote to memory of 1364 | 4212 | spoolsv.exe | 85 |
| PID 4212 wrote to memory of 1364 | 4212 | spoolsv.exe | 85 |
| PID 1364 wrote to memory of 3800 | 1364 | svchost.exe | 86 |
| PID 1364 wrote to memory of 3800 | 1364 | svchost.exe | 86 |
| PID 1364 wrote to memory of 3800 | 1364 | svchost.exe | 86 |
| PID 1364 wrote to memory of 2888 | 1364 | svchost.exe | 87 |
| PID 1364 wrote to memory of 2888 | 1364 | svchost.exe | 87 |
| PID 1364 wrote to memory of 2888 | 1364 | svchost.exe | 87 |
| PID 1364 wrote to memory of 4912 | 1364 | svchost.exe | 96 |
| PID 1364 wrote to memory of 4912 | 1364 | svchost.exe | 96 |
| PID 1364 wrote to memory of 4912 | 1364 | svchost.exe | 96 |
| PID 1364 wrote to memory of 4404 | 1364 | svchost.exe | 98 |
| PID 1364 wrote to memory of 4404 | 1364 | svchost.exe | 98 |
| PID 1364 wrote to memory of 4404 | 1364 | svchost.exe | 98 |
Processes
C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe"
  PID: 4244
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe
    command line: c:\windows\system\explorer.exe
    PID: 1600
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe
      command line: c:\windows\system\spoolsv.exe SE
      PID: 4212
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe
        command line: c:\windows\system\svchost.exe
        PID: 1364
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe PR
          PID: 3800
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe
          command line: at 05:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2888
        C:\Windows\SysWOW64\at.exe
          command line: at 05:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 4912
        C:\Windows\SysWOW64\at.exe
          command line: at 05:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 4404
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads