07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46

Analysis

max time kernel
154s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe
Size

122KB
MD5

45a3f764928cd419befef5afcb73b160
SHA1

40716a9a500da92b851a173399784ebf6db90662
SHA256

07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46
SHA512

1bd974875dfd18e9ce84118bd2b5c7f5a3d5a51ef9f9ac6c0d690b561519d6eb6ca6f8756a4a6129d677234105783693aacb72f63d4beee3dede518f0a9fb804
SSDEEP

1536:nnyzF9MFVCujlsQoeQZZ86ukpj0nGGF9v+4DRP:nyzQVCujl71QZZ4kp4F9XtP

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1936	explorer.exe
1148	spoolsv.exe
1916	svchost.exe
1760	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
1992	07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe
1992	07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe
1936	explorer.exe
1936	explorer.exe
1148	spoolsv.exe
1148	spoolsv.exe
1916	svchost.exe
1916	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\System\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1916	svchost.exe
1916	svchost.exe
1916	svchost.exe
1936	explorer.exe
1936	explorer.exe
1916	svchost.exe
1916	svchost.exe
1936	explorer.exe
1936	explorer.exe
1916	svchost.exe
1936	explorer.exe
1916	svchost.exe
1916	svchost.exe
1936	explorer.exe
1916	svchost.exe
1936	explorer.exe
1916	svchost.exe
1936	explorer.exe
1916	svchost.exe
1936	explorer.exe
1916	svchost.exe
1936	explorer.exe
1916	svchost.exe
1936	explorer.exe
1916	svchost.exe
1936	explorer.exe
1936	explorer.exe
1916	svchost.exe
1936	explorer.exe
1916	svchost.exe
1936	explorer.exe
1916	svchost.exe
1916	svchost.exe
1936	explorer.exe
1936	explorer.exe
1916	svchost.exe
1936	explorer.exe
1916	svchost.exe
1916	svchost.exe
1936	explorer.exe
1936	explorer.exe
1916	svchost.exe
1916	svchost.exe
1936	explorer.exe
1916	svchost.exe
1936	explorer.exe
1916	svchost.exe
1936	explorer.exe
1916	svchost.exe
1936	explorer.exe
1916	svchost.exe
1936	explorer.exe
1936	explorer.exe
1916	svchost.exe
1916	svchost.exe
1936	explorer.exe
1936	explorer.exe
1916	svchost.exe
1936	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1936	explorer.exe
1916	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1992	07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe
1992	07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe
1936	explorer.exe
1936	explorer.exe
1148	spoolsv.exe
1148	spoolsv.exe
1916	svchost.exe
1916	svchost.exe
1760	spoolsv.exe
1760	spoolsv.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1936	1992	07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe	26
PID 1992 wrote to memory of 1936	1992	07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe	26
PID 1992 wrote to memory of 1936	1992	07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe	26
PID 1992 wrote to memory of 1936	1992	07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe	26
PID 1936 wrote to memory of 1148	1936	explorer.exe	27
PID 1936 wrote to memory of 1148	1936	explorer.exe	27
PID 1936 wrote to memory of 1148	1936	explorer.exe	27
PID 1936 wrote to memory of 1148	1936	explorer.exe	27
PID 1148 wrote to memory of 1916	1148	spoolsv.exe	28
PID 1148 wrote to memory of 1916	1148	spoolsv.exe	28
PID 1148 wrote to memory of 1916	1148	spoolsv.exe	28
PID 1148 wrote to memory of 1916	1148	spoolsv.exe	28
PID 1916 wrote to memory of 1760	1916	svchost.exe	29
PID 1916 wrote to memory of 1760	1916	svchost.exe	29
PID 1916 wrote to memory of 1760	1916	svchost.exe	29
PID 1916 wrote to memory of 1760	1916	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe
"C:\Users\Admin\AppData\Local\Temp\07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1936
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Modifies Installed Components in the registry
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
122KB

MD5
668e7cb728a382e6b3e038a6c06e00cc

SHA1
5d61fe04ba7431acc78b277e45e906e7d101dd15

SHA256
0cd315dd92e8789cc012293ff85834012cea6d491ef9484ef980fe4c07e0c366

SHA512
5b6e426eec8a83b325e5d54e2551d955d74b466da5999b5de56f090eb9457ba9a7f462e9b9564351e30b2d6f8ee461ee7cb1b00136ea8135800728358330f2aa

Download Submit
C:\Windows\system\explorer.exe

Filesize
122KB

MD5
70f9f6cf3c45b6ebe7675626e8dab7a0

SHA1
f0d9132ef7228031390c0ebc5650359ef366e6f6

SHA256
85539d223b959bccf2830059f052a8330e2a9958d0a4678a24cbd8a3a99fa769

SHA512
675673f0960dbefaeddd4a0ac3e1bef27ded3d11b62430057c8524b5e2de94835c857f2b8caa76bd48609dff9e68b45608ec6cc52773ea1b37975be254cc6b54

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
122KB

MD5
fc64e091b72c09307b8d341029a9f66b

SHA1
87a767060bf7171163c39b9f452472bd4484a00f

SHA256
a2e421a63397d9d5e070763f50a881152f9e15415ef9621fa5dd418246f67969

SHA512
3174e9a30ba9d500575d221f5b3a8e8927aac1be9227d1717503edc1dfe4383d92ca1a34339a95e0717d0e78cbb9ccedeff5c004bdeddc0556aee200612e24d1

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
122KB

MD5
fc64e091b72c09307b8d341029a9f66b

SHA1
87a767060bf7171163c39b9f452472bd4484a00f

SHA256
a2e421a63397d9d5e070763f50a881152f9e15415ef9621fa5dd418246f67969

SHA512
3174e9a30ba9d500575d221f5b3a8e8927aac1be9227d1717503edc1dfe4383d92ca1a34339a95e0717d0e78cbb9ccedeff5c004bdeddc0556aee200612e24d1

Download Submit
C:\Windows\system\svchost.exe

Filesize
122KB

MD5
68f485878df95429566f4d1a60f68838

SHA1
5e58facd6ca3a94bff0a6c3ab8e479a825c5deaf

SHA256
3a98876c5a9e455bbc5b564f3c14a22027d0d079c08a0367b20f59e4dd6abaf9

SHA512
9e66c05a78a088a67c3e7d2463d0c3118a67ac95f25fb13a58658964492eca8da424a968cabf442c59393fda1108336f47ad246aba7c590faeafc00a75cc72fb

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
122KB

MD5
70f9f6cf3c45b6ebe7675626e8dab7a0

SHA1
f0d9132ef7228031390c0ebc5650359ef366e6f6

SHA256
85539d223b959bccf2830059f052a8330e2a9958d0a4678a24cbd8a3a99fa769

SHA512
675673f0960dbefaeddd4a0ac3e1bef27ded3d11b62430057c8524b5e2de94835c857f2b8caa76bd48609dff9e68b45608ec6cc52773ea1b37975be254cc6b54

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
122KB

MD5
fc64e091b72c09307b8d341029a9f66b

SHA1
87a767060bf7171163c39b9f452472bd4484a00f

SHA256
a2e421a63397d9d5e070763f50a881152f9e15415ef9621fa5dd418246f67969

SHA512
3174e9a30ba9d500575d221f5b3a8e8927aac1be9227d1717503edc1dfe4383d92ca1a34339a95e0717d0e78cbb9ccedeff5c004bdeddc0556aee200612e24d1

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
122KB

MD5
68f485878df95429566f4d1a60f68838

SHA1
5e58facd6ca3a94bff0a6c3ab8e479a825c5deaf

SHA256
3a98876c5a9e455bbc5b564f3c14a22027d0d079c08a0367b20f59e4dd6abaf9

SHA512
9e66c05a78a088a67c3e7d2463d0c3118a67ac95f25fb13a58658964492eca8da424a968cabf442c59393fda1108336f47ad246aba7c590faeafc00a75cc72fb

Download Submit
\Windows\system\explorer.exe

Filesize
122KB

MD5
70f9f6cf3c45b6ebe7675626e8dab7a0

SHA1
f0d9132ef7228031390c0ebc5650359ef366e6f6

SHA256
85539d223b959bccf2830059f052a8330e2a9958d0a4678a24cbd8a3a99fa769

SHA512
675673f0960dbefaeddd4a0ac3e1bef27ded3d11b62430057c8524b5e2de94835c857f2b8caa76bd48609dff9e68b45608ec6cc52773ea1b37975be254cc6b54

Download Submit
\Windows\system\explorer.exe

Filesize
122KB

MD5
70f9f6cf3c45b6ebe7675626e8dab7a0

SHA1
f0d9132ef7228031390c0ebc5650359ef366e6f6

SHA256
85539d223b959bccf2830059f052a8330e2a9958d0a4678a24cbd8a3a99fa769

SHA512
675673f0960dbefaeddd4a0ac3e1bef27ded3d11b62430057c8524b5e2de94835c857f2b8caa76bd48609dff9e68b45608ec6cc52773ea1b37975be254cc6b54

Download Submit
\Windows\system\spoolsv.exe

Filesize
122KB

MD5
fc64e091b72c09307b8d341029a9f66b

SHA1
87a767060bf7171163c39b9f452472bd4484a00f

SHA256
a2e421a63397d9d5e070763f50a881152f9e15415ef9621fa5dd418246f67969

SHA512
3174e9a30ba9d500575d221f5b3a8e8927aac1be9227d1717503edc1dfe4383d92ca1a34339a95e0717d0e78cbb9ccedeff5c004bdeddc0556aee200612e24d1

Download Submit
\Windows\system\spoolsv.exe

Filesize
122KB

MD5
fc64e091b72c09307b8d341029a9f66b

SHA1
87a767060bf7171163c39b9f452472bd4484a00f

SHA256
a2e421a63397d9d5e070763f50a881152f9e15415ef9621fa5dd418246f67969

SHA512
3174e9a30ba9d500575d221f5b3a8e8927aac1be9227d1717503edc1dfe4383d92ca1a34339a95e0717d0e78cbb9ccedeff5c004bdeddc0556aee200612e24d1

Download Submit
\Windows\system\spoolsv.exe

Filesize
122KB

MD5
fc64e091b72c09307b8d341029a9f66b

SHA1
87a767060bf7171163c39b9f452472bd4484a00f

SHA256
a2e421a63397d9d5e070763f50a881152f9e15415ef9621fa5dd418246f67969

SHA512
3174e9a30ba9d500575d221f5b3a8e8927aac1be9227d1717503edc1dfe4383d92ca1a34339a95e0717d0e78cbb9ccedeff5c004bdeddc0556aee200612e24d1

Download Submit
\Windows\system\spoolsv.exe

Filesize
122KB

MD5
fc64e091b72c09307b8d341029a9f66b

SHA1
87a767060bf7171163c39b9f452472bd4484a00f

SHA256
a2e421a63397d9d5e070763f50a881152f9e15415ef9621fa5dd418246f67969

SHA512
3174e9a30ba9d500575d221f5b3a8e8927aac1be9227d1717503edc1dfe4383d92ca1a34339a95e0717d0e78cbb9ccedeff5c004bdeddc0556aee200612e24d1

Download Submit
\Windows\system\svchost.exe

Filesize
122KB

MD5
68f485878df95429566f4d1a60f68838

SHA1
5e58facd6ca3a94bff0a6c3ab8e479a825c5deaf

SHA256
3a98876c5a9e455bbc5b564f3c14a22027d0d079c08a0367b20f59e4dd6abaf9

SHA512
9e66c05a78a088a67c3e7d2463d0c3118a67ac95f25fb13a58658964492eca8da424a968cabf442c59393fda1108336f47ad246aba7c590faeafc00a75cc72fb

Download Submit
\Windows\system\svchost.exe

Filesize
122KB

MD5
68f485878df95429566f4d1a60f68838

SHA1
5e58facd6ca3a94bff0a6c3ab8e479a825c5deaf

SHA256
3a98876c5a9e455bbc5b564f3c14a22027d0d079c08a0367b20f59e4dd6abaf9

SHA512
9e66c05a78a088a67c3e7d2463d0c3118a67ac95f25fb13a58658964492eca8da424a968cabf442c59393fda1108336f47ad246aba7c590faeafc00a75cc72fb

Download Submit
memory/1992-57-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download