Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
  • submitted
    14-06-2024 05:12

General

  • Target

    e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe

  • Size

    66KB

  • MD5

    f2eb0d01d52d396195df508764cb2977

  • SHA1

    73d4d0bb392f682af090408196f3c1d2d8d3b772

  • SHA256

    e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8

  • SHA512

    bc585e4bc517c3bff4be4e30edf53ee9aa1374f9c8ad374704a0eadd13a97bf3ca0eafaad3decadfca8edd0ebb769e4cc5e5b1fd9f6226cd60c381afd215e6bb

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiR:IeklMMYJhqezw/pXzH9iR

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe
    "C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1180
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1944
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2764
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2072
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2536
          • C:\Windows\SysWOW64\at.exe
            at 05:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1980
            • C:\Windows\SysWOW64\at.exe
              at 05:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1520
              • C:\Windows\SysWOW64\at.exe
                at 05:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1296

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          66KB

          MD5

          be91e41eb919b0ef6d275764423602ef

          SHA1

          702217142fe21aa7da585e11db0a0cbeb7fd6e41

          SHA256

          c2e6ddff89e3bcda6e525b22893914d9f64959a81e17d036f5cb430970739980

          SHA512

          6a842d8b1bd2e3704259889c14a30f3325cbbec2c7ef59b923529781e463e772edf5989f566134184caa181eef79f8d4612b26d9429adedadd12bebc5d142fab

        • \Windows\system\explorer.exe

          Filesize

          66KB

          MD5

          39c09e1b4054629ade1f8ba089a80ff4

          SHA1

          095fd1dfa807d93adc20c9b18c3f45b251ea10db

          SHA256

          e04c973616935e1faad0a5bf39b664b01bf0cec1caf1b3ec32d29935aaf3fed6

          SHA512

          f96c7eae62f2db5404252501df91e5ec8ed245838b6b64817bb4a40b99325c6f94b7945f6c7330fce3e5834abbed02bf898090f4d01ec9aab4d60ec32880a228

        • \Windows\system\spoolsv.exe

          Filesize

          66KB

          MD5

          d51d896d23934341373e8a006fc4cd88

          SHA1

          061f510a937e70aa010d512c6713fc9daf150884

          SHA256

          14a9a6e6ee8775ce8ad81b7580febd4af8e834cc03928e33e8f5d107c63392fe

          SHA512

          3833cf34528461b4fe81df9304ddad2b9ba5cf0b8a841cc06ef0cfc94c97b4425c1d826c796a7bb5be195696790eb6b29b6a90bf45e44f61485185be4b859496

        • \Windows\system\svchost.exe

          Filesize

          66KB

          MD5

          514a1fa33ccb6467a27d2af9425f6c4d

          SHA1

          85f7e34a3300021f95ba92904e069f03829e7a67

          SHA256

          d9efd3203a7af0f89536d2625f75486851f5c35b3c149dd9c14b8b0f058f40fa

          SHA512

          aacf8b9546c2220e27f9345e329620fa02c2c7b875223e9d0cc5ccbbd8188845ff471f255edbd679cd30b8694d59ec0fab9cef749ada14ffa7093fd026fb3d9b

        • memory/1180-17-0x0000000003110000-0x0000000003141000-memory.dmp

          Filesize

          196KB

        • memory/1180-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

        • memory/1180-58-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

        • memory/1180-1-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

        • memory/1180-2-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/1180-76-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/1180-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/1180-77-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

        • memory/1180-51-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

        • memory/1180-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/1944-18-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/1944-79-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/1944-91-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/1944-80-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/1944-29-0x0000000002650000-0x0000000002681000-memory.dmp

          Filesize

          196KB

        • memory/1944-22-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/2072-52-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2072-57-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/2072-82-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/2536-64-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2536-70-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/2764-35-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2764-39-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/2764-74-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/2764-56-0x00000000025C0000-0x00000000025F1000-memory.dmp

          Filesize

          196KB