Overview

overview

10

Static

static

3

01135d1cf6...34.exe

windows7-x64

10

01135d1cf6...34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/06/2024, 18:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01135d1cf63f250c023ff209d643e38893ac3ea28fa92e68a3b4905c2d3bf434.exe

  • Size

    66KB

  • MD5

    00cfdaf02d05e7e54723e44f1779768b

  • SHA1

    58a6c9696a49c988639dc8a5c87d545a49a3fbdc

  • SHA256

    01135d1cf63f250c023ff209d643e38893ac3ea28fa92e68a3b4905c2d3bf434

  • SHA512

    b22618323a16fa83ba5c67eb1f30e28d64b86e1cef9fee12f6e3f337ab5f1f5d3819f66af2b7778033e2f772436da47695dadc75183ba2b97162de62a0f23dbc

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiH:IeklMMYJhqezw/pXzH9iH

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01135d1cf63f250c023ff209d643e38893ac3ea28fa92e68a3b4905c2d3bf434.exe
    "C:\Users\Admin\AppData\Local\Temp\01135d1cf63f250c023ff209d643e38893ac3ea28fa92e68a3b4905c2d3bf434.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4252
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4688
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2816
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:376
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1676
          • C:\Windows\SysWOW64\at.exe
            at 18:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2132
            • C:\Windows\SysWOW64\at.exe
              at 18:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:4076
              • C:\Windows\SysWOW64\at.exe
                at 18:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4500

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          376ea4a527331b122bd1acb0c239d797

          SHA1

          b7ffa2f98768d3e6c589f2014eb8d8d0ce8b0fef

          SHA256

          0b260e39175230f4bcbbc5d0e161d55371d6f5d1cb2cd47761b3714922815d15

          SHA512

          69cafafef5e3067ffea407c41ed3cf152213e49fb39d7d686ea2e92e268be8f80a77a9482328f2e661afd6a765c91ae8c6d412d0c4ace6a7c360d2880789c897

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          727bbbb1f57d0883db8214d41901a251

          SHA1

          8278c9b7bd16188bcca54951d7d66f98008dc86d

          SHA256

          e29fb5384b7d611c0ad27812ebf3a8dc52e794de213edae194419d69867fa580

          SHA512

          3a1d2f1b594e7468f802657f6c37d9c2f47d0d7ca894de681ed8b9bac7b149e9c8935b6a2cff761fdb0097c641cabdf3565c3413ed6163b4a7c37f4dd4971a20

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          cb919c80bd7b315ea5cfbe982e523dfd

          SHA1

          090ac4813fd4d8f8bc966d1c5e10a739c9bc32dd

          SHA256

          9ac89f374f8a813064b2e79663dbd732558d956d58c25b16e760e59b31ad9079

          SHA512

          4189da640fcbbfab417193a90ed7f2cd9ebda8407aa088618593f20f2fa36f138f6dfb9854349770bd51f6fc4916cfaaa47605cfa629d0a33672e89e450b4a5d

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          9992408a82aea07daf7497545a55333c

          SHA1

          9829ccdcc54755ebce9c66f81ce5ae843bd46af9

          SHA256

          00400ff1c2bf53b7e55f096f5937ac3958f43928eef9734637eec4a03ffd7731

          SHA512

          2d77b5cbefcf94bc051e8504977920c2f30b9ccea28fba1d1be145cc0cb9670423f122d4fd1e860a608637a0afba6f1eb3f0f0be8c4d077d9800a9427701fcaa

          Download Submit

        • memory/376-62-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/376-41-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/376-37-0x00000000759F0000-0x0000000075B4D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1676-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1676-45-0x00000000759F0000-0x0000000075B4D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2816-26-0x00000000759F0000-0x0000000075B4D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2816-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2816-30-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4252-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4252-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/4252-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4252-58-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4252-44-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4252-2-0x00000000759F0000-0x0000000075B4D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4252-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4252-57-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4688-15-0x00000000759F0000-0x0000000075B4D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4688-13-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4688-18-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4688-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4688-14-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4688-71-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download