Overview

overview

10

Static

static

3

a45ea63908...54.exe

windows7-x64

10

a45ea63908...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15/06/2024, 00:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a45ea63908dd8c9f74db9bc0f7545e761f75b88cb419038b8cd7d6913600d354.exe

  • Size

    66KB

  • MD5

    4f8746db3b5170d082656e89422d85da

  • SHA1

    7157abb3d3a9cce696c441dc880d46ea6a053fc3

  • SHA256

    a45ea63908dd8c9f74db9bc0f7545e761f75b88cb419038b8cd7d6913600d354

  • SHA512

    0dd334085b12b9c8aa91c4f58d8f55d7d58ac2946cc1ab942e5d16c87cac185d84a9ba0edc4036068cc5bf55d68c50cb6b3fdf3eff2a6a06719d8062b4a9d965

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi3nnnnnnnnnnnnnnnnnnnnr:IeklMMYJhqezw/pXzH9i3nnnnnnnnnnr

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a45ea63908dd8c9f74db9bc0f7545e761f75b88cb419038b8cd7d6913600d354.exe
    "C:\Users\Admin\AppData\Local\Temp\a45ea63908dd8c9f74db9bc0f7545e761f75b88cb419038b8cd7d6913600d354.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2192
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3040
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2840
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2212
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2396
          • C:\Windows\SysWOW64\at.exe
            at 00:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1992
            • C:\Windows\SysWOW64\at.exe
              at 00:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1312
              • C:\Windows\SysWOW64\at.exe
                at 00:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1556

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\mrsys.exe
                Filesize

                66KB

                MD5

                b016c055d0fa921853ce4533d387f73b

                SHA1

                360d180ba6a35b850ffb481633552290ac033eee

                SHA256

                59bd91c10ac9b5c41dc115a63e9b4c6dd564ae2864b55addc02764b2a608e4e7

                SHA512

                ce7a04cdbb72dbc2fe3de4f1163b733be2a5efd7c589b85da976e1e5afee22e13b80045a2d460b8cd1b12b4af6013082924a2bc450d62f623e72491bc0e2c553

                Download Submit

              • \Windows\system\explorer.exe
                Filesize

                66KB

                MD5

                4597f7339a6e85ba09173714f84d6dab

                SHA1

                1191678b89d9d4943596ccfb501b18c104ecb702

                SHA256

                936a52d56f61d0f25c5a8ffb6a4dedc8b54f8c5c059eefe64c98d09fb002bea3

                SHA512

                b0142022f2921e44021edb69fae843828692a068a7125add4c71d1ee8171ceabf4a75d40db1a2f35b5d2deaacda14f6fc1658dff4309265050b15d75838bcb31

                Download Submit

              • \Windows\system\spoolsv.exe
                Filesize

                66KB

                MD5

                39bf02e9b57d96f94dae261dcd1a8317

                SHA1

                38aa9b482e96386cf3c62cd4e78700f33f6e4da0

                SHA256

                3bbcea579cd17653c93791b860522a53ad1a0b31f9a5157e2755171b1094a604

                SHA512

                d9cc8bd74aea04bec3dc523c6da61e79d96c081877a491f13273307514bb031197ba523d7512323694b7227717b89699f2d34f10bd4acd509c7b1107753cc784

                Download Submit

              • \Windows\system\svchost.exe
                Filesize

                66KB

                MD5

                842b32452f058053fe9c22ae98aa6604

                SHA1

                58b0c2ebf7c1879c4a97d886ad4596861d1ee6da

                SHA256

                28d4158f1ed422abf6390d6594d587862a389430d5d53d5ea18b06e2cd3949e2

                SHA512

                b320d4b702693cfa7cba0886c9943f18b8430ef0cf6145a05bb596f101eca35d7c8641e7ef2da311829883d30d4688a9bdadcc43f7be0bfc6a552b18ef07e207

                Download Submit

              • memory/2192-3-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2192-4-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2192-13-0x0000000003250000-0x0000000003281000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2192-0-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2192-79-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2192-53-0x0000000000020000-0x0000000000024000-memory.dmp

                Filesize

                16KB

                Download

              • memory/2192-2-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2192-58-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2192-80-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2192-1-0x0000000000020000-0x0000000000024000-memory.dmp

                Filesize

                16KB

                Download

              • memory/2212-59-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2212-54-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2212-63-0x0000000002C80000-0x0000000002CB1000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2212-83-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2396-67-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2396-75-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2840-51-0x0000000002760000-0x0000000002791000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2840-50-0x0000000002760000-0x0000000002791000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2840-39-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2840-35-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2840-77-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3040-18-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3040-65-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3040-34-0x0000000002370000-0x00000000023A1000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3040-82-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3040-22-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3040-92-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download