Analysis
max time kernel: 150s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 05:12
Static task: static1
Behavioral task: behavioral1
  Sample: e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe
  Resource: win10v2004-20240508-en
General
Target: e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe
Size: 66KB
MD5: f2eb0d01d52d396195df508764cb2977
SHA1: 73d4d0bb392f682af090408196f3c1d2d8d3b772
SHA256: e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8
SHA512: bc585e4bc517c3bff4be4e30edf53ee9aa1374f9c8ad374704a0eadd13a97bf3ca0eafaad3decadfca8edd0ebb769e4cc5e5b1fd9f6226cd60c381afd215e6bb
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiR:IeklMMYJhqezw/pXzH9iR
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
4400 | explorer.exe
1928 | spoolsv.exe
3924 | svchost.exe
5060 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | times logged
4028 | e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe | 2
4400 | explorer.exe | 32
3924 | svchost.exe | 30
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
4400 | explorer.exe
3924 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
4028 | e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe
4028 | e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe
4400 | explorer.exe
4400 | explorer.exe
1928 | spoolsv.exe
1928 | spoolsv.exe
3924 | svchost.exe
3924 | svchost.exe
5060 | spoolsv.exe
5060 | spoolsv.exe
4400 | explorer.exe
4400 | explorer.exe
Suspicious use of WriteProcessMemory (21 IoCs; each row below was logged three times)
description | pid | Process | procid_target
PID 4028 wrote to memory of 4400 | 4028 | e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe | 82
PID 4400 wrote to memory of 1928 | 4400 | explorer.exe | 83
PID 1928 wrote to memory of 3924 | 1928 | spoolsv.exe | 84
PID 3924 wrote to memory of 5060 | 3924 | svchost.exe | 86
PID 3924 wrote to memory of 4992 | 3924 | svchost.exe | 87
PID 3924 wrote to memory of 3628 | 3924 | svchost.exe | 98
PID 3924 wrote to memory of 4428 | 3924 | svchost.exe | 100
Processes
1. C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4028
   2. \??\c:\windows\system\explorer.exe
      Command line: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4400
      3. \??\c:\windows\system\spoolsv.exe
         Command line: c:\windows\system\spoolsv.exe SE
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         PID: 1928
         4. \??\c:\windows\system\svchost.exe
            Command line: c:\windows\system\svchost.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 3924
            5. \??\c:\windows\system\spoolsv.exe
               Command line: c:\windows\system\spoolsv.exe PR
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
               PID: 5060
            5. C:\Windows\SysWOW64\at.exe
               Command line: at 05:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
               PID: 4992
            5. C:\Windows\SysWOW64\at.exe
               Command line: at 05:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
               PID: 3628
            5. C:\Windows\SysWOW64\at.exe
               Command line: at 05:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
               PID: 4428
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads