Overview

overview

10

Static

static

3

c983dd7341...3N.exe

windows7-x64

10

c983dd7341...3N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/10/2024, 21:19

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c983dd7341ee70efcddc66491abfa5567c75d562d7990c876fd84dc3ec9dc163N.exe

  • Size

    2.3MB

  • MD5

    42f31f98028cfe21c7d37450a4c07200

  • SHA1

    b2f96d230aef8e883e843e3f2f46d09855ccd996

  • SHA256

    c983dd7341ee70efcddc66491abfa5567c75d562d7990c876fd84dc3ec9dc163

  • SHA512

    a7b562a1b0941ff6d98e4bf01f2951d3f0c307ec3eaa0642a732a5acc841eb192214eaa754a81cc0481b1966dbf36da62fb1c52dca2aca39d36223be557fa235

  • SSDEEP

    49152:SLHEfWcnLJ6I3BUz8fsK5CdoQmTZMCpylljl:ZXnL73XHdFHpql

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 31 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c983dd7341ee70efcddc66491abfa5567c75d562d7990c876fd84dc3ec9dc163N.exe
    "C:\Users\Admin\AppData\Local\Temp\c983dd7341ee70efcddc66491abfa5567c75d562d7990c876fd84dc3ec9dc163N.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1680
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1384
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2244
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2776
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2844
          • C:\Windows\SysWOW64\at.exe
            at 21:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2680
          • C:\Windows\SysWOW64\at.exe
            at 21:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1076

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          2.3MB

          MD5

          488912527ffe35a42823f1751192dbe1

          SHA1

          63751d9e17787d575126b72d99efbb6c74558b68

          SHA256

          a289fa7720261fc93925ac287f0f086c39d0c5152c35bafefd8177d333fe370d

          SHA512

          44a6e1ad253e639573d18d7e48842e1b30032992e31aa7c85a4c47d2f752043dda4c48b5b58fdab1b4fc45992db20c072e9fab7a91d4b82c3ca95fd840efd0a7

          Download Submit

        • C:\Windows\system\explorer.exe
          Filesize

          2.3MB

          MD5

          e20ad8a68cb05ada6869deb89dd92169

          SHA1

          d5605c43ff4f544ab6171f8ab334d5a866f238a4

          SHA256

          199157faf5857831446accb2e2172a4edb31fe6ad6e31a65838d7c85201fb3c4

          SHA512

          0554d2d83bf79be04db874c454e0471a3fb90b12ac9c99a5c9d7d3db72b6ca612cc839e073691023dedfba422fcd9b2ed7f6ec57f89552c10a9251c528da4804

          Download Submit

        • \Windows\system\spoolsv.exe
          Filesize

          2.3MB

          MD5

          6f730f5471daff4dddc8504e08c103d9

          SHA1

          ee3e0bafe9872ab83745224f7f7e76334283eb91

          SHA256

          4770dbe7cdc7caa135bd3f5c7f39a9cda45078a14ca9ecd7e22fdd278c3aa06f

          SHA512

          35a3704f85c6e4ad45cfd02bc7a9f6508e364c44d15cae237d29087f298ef099cc310952ad081a690692c32176b4969bf905875ab2dbddef6fe3674e53752c90

          Download Submit

        • \Windows\system\svchost.exe
          Filesize

          2.3MB

          MD5

          417914e5cfdb7f9d3c14164373eaac94

          SHA1

          d2b5470ece4777447ca79d459283dd0a1300fc62

          SHA256

          80b43e678f144b3cda4a1c42549c0079d8dd9b5723c091f3af956f431b57aa62

          SHA512

          12bc1c0d0383a2bc6a9a4b6ee6530f8dc7c95f64d92ceb1838dba9ad2aa64d6ba9a4930d78bb5adf18036938001bd542cd175f5a40ac3327c319f9b7aa5300b5

          Download Submit

        • memory/1384-71-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/1384-86-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1384-94-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1384-17-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1384-30-0x0000000004880000-0x000000000510A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1384-33-0x0000000004880000-0x000000000510A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1384-92-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1384-90-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1384-88-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1384-84-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1384-82-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1384-80-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1384-78-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1384-76-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1384-18-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/1384-72-0x0000000004880000-0x000000000510A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1384-70-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1680-54-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1680-0-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1680-68-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1680-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/1680-14-0x00000000047E0000-0x000000000506A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1680-16-0x00000000047E0000-0x000000000506A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/1680-67-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/2244-34-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2244-49-0x0000000004950000-0x00000000051DA000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2244-65-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2244-47-0x0000000004950000-0x00000000051DA000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2776-85-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2776-79-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2776-83-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2776-77-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2776-87-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2776-50-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2776-89-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2776-74-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2776-91-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2776-93-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2776-81-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2776-95-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download

        • memory/2844-61-0x0000000000400000-0x0000000000C8A000-memory.dmp

          Filesize

          8.5MB

          Download