16bcbe22b0e671c478bb092bdb22f43a811a06d1e101c3e3428243849e1da6b9

Analysis

max time kernel
156s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16bcbe22b0e671c478bb092bdb22f43a811a06d1e101c3e3428243849e1da6b9.exe
Size

206KB
MD5

7b6610873a942a19ac3e87417d608122
SHA1

aa9f84ebef971e394f994a45367ca3e3f0309e99
SHA256

16bcbe22b0e671c478bb092bdb22f43a811a06d1e101c3e3428243849e1da6b9
SHA512

218e07927a305a0bc1c5379e0e7dd05ae029465317c5866564eb7b2d541d22528cb94ac54339dffd8f19ceeab02c32f333b49198d1b75dfba6a8836989d3ef6f
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unpC:zvEN2U+T6i5LirrllHy4HUcMQY6UC

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4364	explorer.exe
4132	spoolsv.exe
532	svchost.exe
5016	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	16bcbe22b0e671c478bb092bdb22f43a811a06d1e101c3e3428243849e1da6b9.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	16bcbe22b0e671c478bb092bdb22f43a811a06d1e101c3e3428243849e1da6b9.exe
2232	16bcbe22b0e671c478bb092bdb22f43a811a06d1e101c3e3428243849e1da6b9.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
532	svchost.exe
532	svchost.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe
4364	explorer.exe
532	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4364	explorer.exe
532	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2232	16bcbe22b0e671c478bb092bdb22f43a811a06d1e101c3e3428243849e1da6b9.exe
2232	16bcbe22b0e671c478bb092bdb22f43a811a06d1e101c3e3428243849e1da6b9.exe
4364	explorer.exe
4364	explorer.exe
4132	spoolsv.exe
4132	spoolsv.exe
4364	explorer.exe
4364	explorer.exe
532	svchost.exe
532	svchost.exe
5016	spoolsv.exe
5016	spoolsv.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 4364	2232	16bcbe22b0e671c478bb092bdb22f43a811a06d1e101c3e3428243849e1da6b9.exe	81
PID 2232 wrote to memory of 4364	2232	16bcbe22b0e671c478bb092bdb22f43a811a06d1e101c3e3428243849e1da6b9.exe	81
PID 2232 wrote to memory of 4364	2232	16bcbe22b0e671c478bb092bdb22f43a811a06d1e101c3e3428243849e1da6b9.exe	81
PID 4364 wrote to memory of 4132	4364	explorer.exe	82
PID 4364 wrote to memory of 4132	4364	explorer.exe	82
PID 4364 wrote to memory of 4132	4364	explorer.exe	82
PID 4132 wrote to memory of 532	4132	spoolsv.exe	83
PID 4132 wrote to memory of 532	4132	spoolsv.exe	83
PID 4132 wrote to memory of 532	4132	spoolsv.exe	83
PID 532 wrote to memory of 5016	532	svchost.exe	85
PID 532 wrote to memory of 5016	532	svchost.exe	85
PID 532 wrote to memory of 5016	532	svchost.exe	85
PID 532 wrote to memory of 3596	532	svchost.exe	86
PID 532 wrote to memory of 3596	532	svchost.exe	86
PID 532 wrote to memory of 3596	532	svchost.exe	86
PID 532 wrote to memory of 3720	532	svchost.exe	93
PID 532 wrote to memory of 3720	532	svchost.exe	93
PID 532 wrote to memory of 3720	532	svchost.exe	93
PID 532 wrote to memory of 2620	532	svchost.exe	96
PID 532 wrote to memory of 2620	532	svchost.exe	96
PID 532 wrote to memory of 2620	532	svchost.exe	96

C:\Users\Admin\AppData\Local\Temp\16bcbe22b0e671c478bb092bdb22f43a811a06d1e101c3e3428243849e1da6b9.exe
"C:\Users\Admin\AppData\Local\Temp\16bcbe22b0e671c478bb092bdb22f43a811a06d1e101c3e3428243849e1da6b9.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4364
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Modifies Installed Components in the registry
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5016
    - - C:\Windows\SysWOW64\at.exe
        
        at 16:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:3596
    - - C:\Windows\SysWOW64\at.exe
        
        at 16:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:3720
    - - C:\Windows\SysWOW64\at.exe
        
        at 16:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
207KB

MD5
0ea38632f8bec2b8ebc79f47c6555a68

SHA1
3fa2dbc69ab4e623b3002d16d1643dc83bfa522e

SHA256
832ba2c6cd7efbef55ffa1a81afbff8454ecbd4d24d6451f577d40ffdd3a1fb1

SHA512
81a7841f725394b9747ad65b442b49ff28e48516d314d09ec5c210a51997ea8a86ce64263350d373e0ed346989be2a961ed4823f44bb2593d641e98ef7f473b5

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
032d1a428263b10f8661776b6d146d6f

SHA1
f6782a23b92e700f5399f0fa35d59fda1ec2cb86

SHA256
3edbc9fc65fc2972f38aeee91b5fe531cd6da5ffe141991551a320c269e8d40c

SHA512
d8a0c2c8e03e44d66dbefac79f8ad009267d56f25f524d7fee97038e072c38b3b60fb6618e3bf606e2982f3db288661e411cefd2f6a2ba558f3e28ef1b39479e

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
ce2be5d81b1ad3a143f497d28f4a8a26

SHA1
920b7621316876b29dce06bf4d208a091e533fb9

SHA256
197175200792c1d5571f8e53a7a2016fb8a964e2aa5b709bc666f19c2d4b4b2b

SHA512
57cde727100fc107f7657683ed4ea45ebe993a0f1fdd05a0d61bbc02714a5e7602e62669d1343882a2d796a419a2b1b45b754b8b9b728c06746e5248ab690a64

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
ce2be5d81b1ad3a143f497d28f4a8a26

SHA1
920b7621316876b29dce06bf4d208a091e533fb9

SHA256
197175200792c1d5571f8e53a7a2016fb8a964e2aa5b709bc666f19c2d4b4b2b

SHA512
57cde727100fc107f7657683ed4ea45ebe993a0f1fdd05a0d61bbc02714a5e7602e62669d1343882a2d796a419a2b1b45b754b8b9b728c06746e5248ab690a64

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
143ea5d1e62127b3ccd638e91493c3ad

SHA1
4aa7e936f67043fcb7c5cda13badfdb5a7241e1d

SHA256
2195a0feb16fa07b5df9ed16a72951e88f816572ff1b7f3b2f16fe39ea66a9b7

SHA512
50bd5207b8865f5101c33eafe540d8658754b74ba53999749019569c6f84c4d271b1a091ca56522989c0b9460e9792529cebcbd21a2d1321dae56b651a2c4774

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
206KB

MD5
032d1a428263b10f8661776b6d146d6f

SHA1
f6782a23b92e700f5399f0fa35d59fda1ec2cb86

SHA256
3edbc9fc65fc2972f38aeee91b5fe531cd6da5ffe141991551a320c269e8d40c

SHA512
d8a0c2c8e03e44d66dbefac79f8ad009267d56f25f524d7fee97038e072c38b3b60fb6618e3bf606e2982f3db288661e411cefd2f6a2ba558f3e28ef1b39479e

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
ce2be5d81b1ad3a143f497d28f4a8a26

SHA1
920b7621316876b29dce06bf4d208a091e533fb9

SHA256
197175200792c1d5571f8e53a7a2016fb8a964e2aa5b709bc666f19c2d4b4b2b

SHA512
57cde727100fc107f7657683ed4ea45ebe993a0f1fdd05a0d61bbc02714a5e7602e62669d1343882a2d796a419a2b1b45b754b8b9b728c06746e5248ab690a64

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
206KB

MD5
143ea5d1e62127b3ccd638e91493c3ad

SHA1
4aa7e936f67043fcb7c5cda13badfdb5a7241e1d

SHA256
2195a0feb16fa07b5df9ed16a72951e88f816572ff1b7f3b2f16fe39ea66a9b7

SHA512
50bd5207b8865f5101c33eafe540d8658754b74ba53999749019569c6f84c4d271b1a091ca56522989c0b9460e9792529cebcbd21a2d1321dae56b651a2c4774

Download Submit