Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 05:12
Static task: static1
Behavioral task: behavioral1
  Sample: e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe
  Resource: win10v2004-20240508-en
General
Target: e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe
Size: 66KB
MD5: f2eb0d01d52d396195df508764cb2977
SHA1: 73d4d0bb392f682af090408196f3c1d2d8d3b772
SHA256: e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8
SHA512: bc585e4bc517c3bff4be4e30edf53ee9aa1374f9c8ad374704a0eadd13a97bf3ca0eafaad3decadfca8edd0ebb769e4cc5e5b1fd9f6226cd60c381afd215e6bb
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiR:IeklMMYJhqezw/pXzH9iR
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (4 IoCs)
  pid | process
  1944 | explorer.exe
  2764 | spoolsv.exe
  2072 | svchost.exe
  2536 | spoolsv.exe
Loads dropped DLL (8 IoCs)
  pid | process
  1180 | e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe (2 entries)
  1944 | explorer.exe (2 entries)
  2764 | spoolsv.exe (2 entries)
  2072 | svchost.exe (2 entries)
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
  description | ioc | process
  File opened for modification | \??\c:\windows\system\explorer.exe | e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  1180 | e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe (1 entry)
  1944 | explorer.exe (32 entries)
  2072 | svchost.exe (31 entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | process
  1944 | explorer.exe
  2072 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | process
  1180 | e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe (2 entries)
  1944 | explorer.exe (2 entries)
  2764 | spoolsv.exe (2 entries)
  2072 | svchost.exe (2 entries)
  2536 | spoolsv.exe (2 entries)
  1944 | explorer.exe (2 entries)
Suspicious use of WriteProcessMemory (28 IoCs; each write is recorded 4 times)
  description | pid | process | procid_target
  PID 1180 wrote to memory of 1944 | 1180 | e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe | 28 (4 entries)
  PID 1944 wrote to memory of 2764 | 1944 | explorer.exe | 29 (4 entries)
  PID 2764 wrote to memory of 2072 | 2764 | spoolsv.exe | 30 (4 entries)
  PID 2072 wrote to memory of 2536 | 2072 | svchost.exe | 31 (4 entries)
  PID 2072 wrote to memory of 1980 | 2072 | svchost.exe | 32 (4 entries)
  PID 2072 wrote to memory of 1520 | 2072 | svchost.exe | 36 (4 entries)
  PID 2072 wrote to memory of 1296 | 2072 | svchost.exe | 38 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe"
  PID: 1180
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 1944
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 2764
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 2072
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 2536
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe
          Command line: at 05:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1980
        C:\Windows\SysWOW64\at.exe
          Command line: at 05:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1520
        C:\Windows\SysWOW64\at.exe
          Command line: at 05:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1296
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (3)
      Registry Run Keys / Startup Folder (2)
      Winlogon Helper DLL (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (3)
      Registry Run Keys / Startup Folder (2)
      Winlogon Helper DLL (1)
Downloads
Dropped file 1
  Filesize: 66KB
  MD5: be91e41eb919b0ef6d275764423602ef
  SHA1: 702217142fe21aa7da585e11db0a0cbeb7fd6e41
  SHA256: c2e6ddff89e3bcda6e525b22893914d9f64959a81e17d036f5cb430970739980
  SHA512: 6a842d8b1bd2e3704259889c14a30f3325cbbec2c7ef59b923529781e463e772edf5989f566134184caa181eef79f8d4612b26d9429adedadd12bebc5d142fab
Dropped file 2
  Filesize: 66KB
  MD5: 39c09e1b4054629ade1f8ba089a80ff4
  SHA1: 095fd1dfa807d93adc20c9b18c3f45b251ea10db
  SHA256: e04c973616935e1faad0a5bf39b664b01bf0cec1caf1b3ec32d29935aaf3fed6
  SHA512: f96c7eae62f2db5404252501df91e5ec8ed245838b6b64817bb4a40b99325c6f94b7945f6c7330fce3e5834abbed02bf898090f4d01ec9aab4d60ec32880a228
Dropped file 3
  Filesize: 66KB
  MD5: d51d896d23934341373e8a006fc4cd88
  SHA1: 061f510a937e70aa010d512c6713fc9daf150884
  SHA256: 14a9a6e6ee8775ce8ad81b7580febd4af8e834cc03928e33e8f5d107c63392fe
  SHA512: 3833cf34528461b4fe81df9304ddad2b9ba5cf0b8a841cc06ef0cfc94c97b4425c1d826c796a7bb5be195696790eb6b29b6a90bf45e44f61485185be4b859496
Dropped file 4
  Filesize: 66KB
  MD5: 514a1fa33ccb6467a27d2af9425f6c4d
  SHA1: 85f7e34a3300021f95ba92904e069f03829e7a67
  SHA256: d9efd3203a7af0f89536d2625f75486851f5c35b3c149dd9c14b8b0f058f40fa
  SHA512: aacf8b9546c2220e27f9345e329620fa02c2c7b875223e9d0cc5ccbbd8188845ff471f255edbd679cd30b8694d59ec0fab9cef749ada14ffa7093fd026fb3d9b