Overview

overview

10

Static

static

3

01f1d58f0a...37.exe

windows7-x64

10

01f1d58f0a...37.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-06-2024 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01f1d58f0a432ef693b1f7c78e10bdb490c1d3533c9f2ca487e2183bf0352837.exe

  • Size

    66KB

  • MD5

    5f5926a6a95556b9d29ac14cee9cb370

  • SHA1

    e22a2ad1ccfd8a9b9763c3b4325fa50a20c57134

  • SHA256

    01f1d58f0a432ef693b1f7c78e10bdb490c1d3533c9f2ca487e2183bf0352837

  • SHA512

    789d7e3748e4df9fcc32b4ef1f41b2cb6905154efe2138071530f133b4a4cd62661132e049fedfba2c40e289ac9f86b92809531feb09f2c68969cbbe7a5795c8

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi9:IeklMMYJhqezw/pXzH9i9

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01f1d58f0a432ef693b1f7c78e10bdb490c1d3533c9f2ca487e2183bf0352837.exe
    "C:\Users\Admin\AppData\Local\Temp\01f1d58f0a432ef693b1f7c78e10bdb490c1d3533c9f2ca487e2183bf0352837.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3352
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3464
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1576
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3632
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4512
          • C:\Windows\SysWOW64\at.exe
            at 19:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2012
            • C:\Windows\SysWOW64\at.exe
              at 19:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1612
              • C:\Windows\SysWOW64\at.exe
                at 19:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4860
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:3912

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\mrsys.exe
            Filesize

            66KB

            MD5

            782ad92a242fb514ffe4ac4bc5cd7024

            SHA1

            ce5a2d267b22b790b35e5363fedefab758bb384b

            SHA256

            f98df4aa4b12aa6b24cfa042256866924f92eb5a26c8fdf557bfbe87ea185625

            SHA512

            5b0ccc37d52ed43dafe0e6d51200039959ce63fc84ec602085b1005c18c47f5c99e71bfc87fcc3db8005b3f17dc52670b61d4dfe2ad3425ee493a62cb3300e66

            Download Submit

          • C:\Windows\System\explorer.exe
            Filesize

            66KB

            MD5

            8d39dbe8892550056e62c31203549f33

            SHA1

            2318c24836eaa0756e81a1015210222301cfb43a

            SHA256

            51c8d51d4e800d5d921f439306cbb65f777a5b497d9b8fe50cf8953aae597070

            SHA512

            a6ac64eef40c0f1db7b9061b1f2d4365cd57ce7a3568250577b757ec554bfafcb1e1d333f9ed444735119cb4fe38070c6138b05f8d60c9ca61345fcda7b03018

            Download Submit

          • C:\Windows\System\spoolsv.exe
            Filesize

            66KB

            MD5

            f97961431822b770894b3ad570018f8b

            SHA1

            e5dfb651c2a20a38999662098f1e96d4398e8932

            SHA256

            c34065a508339ed75c1f5a4331867f0c9f5dfa3310d70e88d3ed442f83007b61

            SHA512

            922c3ae37d21258e7dae6e7f99311e76159b800f7a0bbef4265588ff0062d309b7c716eedc14441009ce664f33fa782510a69a5fe7a5ee764e0872adc3aa904d

            Download Submit

          • C:\Windows\System\svchost.exe
            Filesize

            66KB

            MD5

            6d61ee1ad05468ac13f0c4c924e4e173

            SHA1

            a51c7fb34dcf5200b86b7e62ed136e8a9957c062

            SHA256

            a79322087d31855382dab42a7e792627bba0889d7129e4f1b87fe3ebe002e43b

            SHA512

            e2f608b7c6c6399bf7a01871c9f0005d577d933ace66b91b98352555a2fe30d2414eac94a2bf76694f5e484230a45a4789a79488365122b8f3d0900d6234ba48

            Download Submit

          • memory/1576-25-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/1576-26-0x00000000755A0000-0x00000000756FD000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1576-55-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3352-0-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3352-4-0x0000000000401000-0x000000000042E000-memory.dmp

            Filesize

            180KB

            Download

          • memory/3352-3-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3352-1-0x00000000001D0000-0x00000000001D4000-memory.dmp

            Filesize

            16KB

            Download

          • memory/3352-2-0x00000000755A0000-0x00000000756FD000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3352-57-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3352-40-0x00000000001D0000-0x00000000001D4000-memory.dmp

            Filesize

            16KB

            Download

          • memory/3352-58-0x0000000000401000-0x000000000042E000-memory.dmp

            Filesize

            180KB

            Download

          • memory/3352-44-0x0000000000401000-0x000000000042E000-memory.dmp

            Filesize

            180KB

            Download

          • memory/3464-13-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3464-16-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3464-60-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3464-73-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3464-14-0x00000000755A0000-0x00000000756FD000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3632-37-0x00000000755A0000-0x00000000756FD000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3632-36-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3632-62-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4512-51-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4512-45-0x00000000755A0000-0x00000000756FD000-memory.dmp

            Filesize

            1.4MB

            Download