d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2022, 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe
Size

207KB
MD5

f642efb542e01bcac68b865878971816
SHA1

e0487e035e0988f4abcf540466e0ba5f1a95dac8
SHA256

d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c
SHA512

6948e12981147ab0233ee59f681b837f75761a1574c83f297b15f0edab7148bd886adb7c975c3aaaa3f746ba4869d2a0229ca596c808169b6cec1b0df4cf4864
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unMo:zvEN2U+T6i5LirrllHy4HUcMQY6e

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
860	explorer.exe
2296	spoolsv.exe
3180	svchost.exe
3504	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3168	d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe
3168	d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
3180	svchost.exe
3180	svchost.exe
3180	svchost.exe
3180	svchost.exe
860	explorer.exe
860	explorer.exe
3180	svchost.exe
3180	svchost.exe
860	explorer.exe
860	explorer.exe
3180	svchost.exe
3180	svchost.exe
860	explorer.exe
860	explorer.exe
3180	svchost.exe
3180	svchost.exe
860	explorer.exe
860	explorer.exe
3180	svchost.exe
3180	svchost.exe
860	explorer.exe
860	explorer.exe
3180	svchost.exe
3180	svchost.exe
860	explorer.exe
860	explorer.exe
3180	svchost.exe
3180	svchost.exe
860	explorer.exe
860	explorer.exe
3180	svchost.exe
3180	svchost.exe
860	explorer.exe
860	explorer.exe
3180	svchost.exe
3180	svchost.exe
860	explorer.exe
860	explorer.exe
3180	svchost.exe
3180	svchost.exe
860	explorer.exe
860	explorer.exe
3180	svchost.exe
3180	svchost.exe
860	explorer.exe
860	explorer.exe
3180	svchost.exe
3180	svchost.exe
860	explorer.exe
860	explorer.exe
3180	svchost.exe
3180	svchost.exe
860	explorer.exe
860	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
860	explorer.exe
3180	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3168	d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe
3168	d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe
860	explorer.exe
860	explorer.exe
2296	spoolsv.exe
2296	spoolsv.exe
3180	svchost.exe
3180	svchost.exe
3504	spoolsv.exe
3504	spoolsv.exe
860	explorer.exe
860	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 860	3168	d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe	81
PID 3168 wrote to memory of 860	3168	d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe	81
PID 3168 wrote to memory of 860	3168	d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe	81
PID 860 wrote to memory of 2296	860	explorer.exe	82
PID 860 wrote to memory of 2296	860	explorer.exe	82
PID 860 wrote to memory of 2296	860	explorer.exe	82
PID 2296 wrote to memory of 3180	2296	spoolsv.exe	83
PID 2296 wrote to memory of 3180	2296	spoolsv.exe	83
PID 2296 wrote to memory of 3180	2296	spoolsv.exe	83
PID 3180 wrote to memory of 3504	3180	svchost.exe	84
PID 3180 wrote to memory of 3504	3180	svchost.exe	84
PID 3180 wrote to memory of 3504	3180	svchost.exe	84
PID 3180 wrote to memory of 3044	3180	svchost.exe	85
PID 3180 wrote to memory of 3044	3180	svchost.exe	85
PID 3180 wrote to memory of 3044	3180	svchost.exe	85
PID 3180 wrote to memory of 4972	3180	svchost.exe	94
PID 3180 wrote to memory of 4972	3180	svchost.exe	94
PID 3180 wrote to memory of 4972	3180	svchost.exe	94
PID 3180 wrote to memory of 4960	3180	svchost.exe	96
PID 3180 wrote to memory of 4960	3180	svchost.exe	96
PID 3180 wrote to memory of 4960	3180	svchost.exe	96

C:\Users\Admin\AppData\Local\Temp\d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe
"C:\Users\Admin\AppData\Local\Temp\d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3168
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:860
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Modifies Installed Components in the registry
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3504
    - - C:\Windows\SysWOW64\at.exe
        
        at 13:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:3044
    - - C:\Windows\SysWOW64\at.exe
        
        at 13:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4972
    - - C:\Windows\SysWOW64\at.exe
        
        at 13:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
ea4c1ad7b0870ee19353fd4ae68a526f

SHA1
3677abff6d06ba17184aedfe1824cc9d13aa6887

SHA256
efbff312bb661aee03d99328cd581e54474ff4fc08d7919a202f957b752f95bd

SHA512
2b15cc5d6d0db28ff38b56b1cc50b1312b5c0753d763de7eef7b06bdac17489c4364a6940add1cef5ab4c1dc7eab149a537d8b7a3ab78e10a49aa4062366409e

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
9b7eaa9cde0ceb7f613d8a5b2ffbed27

SHA1
61ad73b469fb889abb2da30c3d613b89392ba458

SHA256
4bfcfd35e8ca3651e1832d6bf17f638f143883f81d40efef756e5a7c755ef290

SHA512
d39bd2ce9842d5e45b5f84e62b3a373723f25bb1d47c54ba376b71795fdb1593defc23a5c84ee18735eb917f522f695d0a4e3ff2b5fbc771ae8901d758bc48ab

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
2c8d50f521d8d94113c2cd28ba540513

SHA1
9d0d5273ab3b2405df2292cab85a7026c8c2bee4

SHA256
2cd94383d6091adafeb77d14f67ea0786177e3d9bc08790a4e5aeab9da69a94b

SHA512
9e657fac15b7dd7b4b1ccca966cc016fc86cd302f878531b05976a14171c5c5dfcd63cfb6af0cacec662d455b27adff8fbe6dca6a70ff1a8999bf025c300c524

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
2c8d50f521d8d94113c2cd28ba540513

SHA1
9d0d5273ab3b2405df2292cab85a7026c8c2bee4

SHA256
2cd94383d6091adafeb77d14f67ea0786177e3d9bc08790a4e5aeab9da69a94b

SHA512
9e657fac15b7dd7b4b1ccca966cc016fc86cd302f878531b05976a14171c5c5dfcd63cfb6af0cacec662d455b27adff8fbe6dca6a70ff1a8999bf025c300c524

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
90d46586f4880f7488c7dc6579b6f21a

SHA1
f8868e95627392220347eab9e1fea728c74f2a2e

SHA256
0f79eb4bff133d4721cef0f322b042e7a27ceb56e93505cdd279938442c382fe

SHA512
beb35ad9a95d7f58b2bed51d18f6969dc8c9bd2d69dffd9db75ed37f53fc0f73b461d4cbb99af33f08f4c557c8820df3ddc974961c50b81157acda498cee4b6b

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
206KB

MD5
9b7eaa9cde0ceb7f613d8a5b2ffbed27

SHA1
61ad73b469fb889abb2da30c3d613b89392ba458

SHA256
4bfcfd35e8ca3651e1832d6bf17f638f143883f81d40efef756e5a7c755ef290

SHA512
d39bd2ce9842d5e45b5f84e62b3a373723f25bb1d47c54ba376b71795fdb1593defc23a5c84ee18735eb917f522f695d0a4e3ff2b5fbc771ae8901d758bc48ab

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
2c8d50f521d8d94113c2cd28ba540513

SHA1
9d0d5273ab3b2405df2292cab85a7026c8c2bee4

SHA256
2cd94383d6091adafeb77d14f67ea0786177e3d9bc08790a4e5aeab9da69a94b

SHA512
9e657fac15b7dd7b4b1ccca966cc016fc86cd302f878531b05976a14171c5c5dfcd63cfb6af0cacec662d455b27adff8fbe6dca6a70ff1a8999bf025c300c524

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
206KB

MD5
90d46586f4880f7488c7dc6579b6f21a

SHA1
f8868e95627392220347eab9e1fea728c74f2a2e

SHA256
0f79eb4bff133d4721cef0f322b042e7a27ceb56e93505cdd279938442c382fe

SHA512
beb35ad9a95d7f58b2bed51d18f6969dc8c9bd2d69dffd9db75ed37f53fc0f73b461d4cbb99af33f08f4c557c8820df3ddc974961c50b81157acda498cee4b6b

Download Submit