8fa94bb51113e2a5d2575e317dc86647ff54c730f44334cfecad05317d7998fb

Analysis

max time kernel
150s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fa94bb51113e2a5d2575e317dc86647ff54c730f44334cfecad05317d7998fb.exe
Size

206KB
MD5

83474b43d264b7f69a0569f19b732c6a
SHA1

275d72ddafa5b8e65d52b0d439fa8ebfb9be6255
SHA256

8fa94bb51113e2a5d2575e317dc86647ff54c730f44334cfecad05317d7998fb
SHA512

267ba76ae75221b220041e0ac66a4a14f4116485f20299f76c36c66c017dcb3b62b0d2cf091b26bf38341f43ffa53dee187a1c0d5c4b45c77b441ab202988df2
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6un8N:zvEN2U+T6i5LirrllHy4HUcMQY6dN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
900	explorer.exe
1304	spoolsv.exe
1224	svchost.exe
588	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
1200	8fa94bb51113e2a5d2575e317dc86647ff54c730f44334cfecad05317d7998fb.exe
1200	8fa94bb51113e2a5d2575e317dc86647ff54c730f44334cfecad05317d7998fb.exe
900	explorer.exe
900	explorer.exe
1304	spoolsv.exe
1304	spoolsv.exe
1224	svchost.exe
1224	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	8fa94bb51113e2a5d2575e317dc86647ff54c730f44334cfecad05317d7998fb.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1200	8fa94bb51113e2a5d2575e317dc86647ff54c730f44334cfecad05317d7998fb.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
1224	svchost.exe
1224	svchost.exe
1224	svchost.exe
900	explorer.exe
900	explorer.exe
1224	svchost.exe
1224	svchost.exe
900	explorer.exe
900	explorer.exe
1224	svchost.exe
1224	svchost.exe
900	explorer.exe
1224	svchost.exe
900	explorer.exe
1224	svchost.exe
900	explorer.exe
1224	svchost.exe
900	explorer.exe
1224	svchost.exe
900	explorer.exe
900	explorer.exe
1224	svchost.exe
900	explorer.exe
1224	svchost.exe
1224	svchost.exe
900	explorer.exe
1224	svchost.exe
900	explorer.exe
900	explorer.exe
1224	svchost.exe
900	explorer.exe
1224	svchost.exe
1224	svchost.exe
900	explorer.exe
900	explorer.exe
1224	svchost.exe
1224	svchost.exe
900	explorer.exe
1224	svchost.exe
900	explorer.exe
1224	svchost.exe
900	explorer.exe
1224	svchost.exe
900	explorer.exe
1224	svchost.exe
900	explorer.exe
900	explorer.exe
1224	svchost.exe
1224	svchost.exe
900	explorer.exe
900	explorer.exe
1224	svchost.exe
900	explorer.exe
1224	svchost.exe
900	explorer.exe
1224	svchost.exe
1224	svchost.exe
900	explorer.exe
1224	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
900	explorer.exe
1224	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1200	8fa94bb51113e2a5d2575e317dc86647ff54c730f44334cfecad05317d7998fb.exe
1200	8fa94bb51113e2a5d2575e317dc86647ff54c730f44334cfecad05317d7998fb.exe
900	explorer.exe
900	explorer.exe
1304	spoolsv.exe
1304	spoolsv.exe
1224	svchost.exe
1224	svchost.exe
588	spoolsv.exe
588	spoolsv.exe
900	explorer.exe
900	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 900	1200	8fa94bb51113e2a5d2575e317dc86647ff54c730f44334cfecad05317d7998fb.exe	27
PID 1200 wrote to memory of 900	1200	8fa94bb51113e2a5d2575e317dc86647ff54c730f44334cfecad05317d7998fb.exe	27
PID 1200 wrote to memory of 900	1200	8fa94bb51113e2a5d2575e317dc86647ff54c730f44334cfecad05317d7998fb.exe	27
PID 1200 wrote to memory of 900	1200	8fa94bb51113e2a5d2575e317dc86647ff54c730f44334cfecad05317d7998fb.exe	27
PID 900 wrote to memory of 1304	900	explorer.exe	28
PID 900 wrote to memory of 1304	900	explorer.exe	28
PID 900 wrote to memory of 1304	900	explorer.exe	28
PID 900 wrote to memory of 1304	900	explorer.exe	28
PID 1304 wrote to memory of 1224	1304	spoolsv.exe	29
PID 1304 wrote to memory of 1224	1304	spoolsv.exe	29
PID 1304 wrote to memory of 1224	1304	spoolsv.exe	29
PID 1304 wrote to memory of 1224	1304	spoolsv.exe	29
PID 1224 wrote to memory of 588	1224	svchost.exe	30
PID 1224 wrote to memory of 588	1224	svchost.exe	30
PID 1224 wrote to memory of 588	1224	svchost.exe	30
PID 1224 wrote to memory of 588	1224	svchost.exe	30
PID 1224 wrote to memory of 1876	1224	svchost.exe	31
PID 1224 wrote to memory of 1876	1224	svchost.exe	31
PID 1224 wrote to memory of 1876	1224	svchost.exe	31
PID 1224 wrote to memory of 1876	1224	svchost.exe	31
PID 1224 wrote to memory of 1904	1224	svchost.exe	33
PID 1224 wrote to memory of 1904	1224	svchost.exe	33
PID 1224 wrote to memory of 1904	1224	svchost.exe	33
PID 1224 wrote to memory of 1904	1224	svchost.exe	33
PID 1224 wrote to memory of 1996	1224	svchost.exe	35
PID 1224 wrote to memory of 1996	1224	svchost.exe	35
PID 1224 wrote to memory of 1996	1224	svchost.exe	35
PID 1224 wrote to memory of 1996	1224	svchost.exe	35

C:\Users\Admin\AppData\Local\Temp\8fa94bb51113e2a5d2575e317dc86647ff54c730f44334cfecad05317d7998fb.exe
"C:\Users\Admin\AppData\Local\Temp\8fa94bb51113e2a5d2575e317dc86647ff54c730f44334cfecad05317d7998fb.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:900
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Modifies Installed Components in the registry
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:588
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1876
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1904
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
d15ea296a6b01c3a967eed64d9cebc3f

SHA1
6dde89c6e6c7d73193018d25800d1c85b0e744a2

SHA256
cd9c0b252632536dbcf515f427c645057b98d1f6f05dac3b933bd9c7c2e89eda

SHA512
2ecb4e36a0f473e907865ef3a609b65c00b3cc8f46fc93f39d4577a0e64d7ce809dfe4ff8256ebeebb72ceba4c3f466183d6c24615baa91cc8556c873e7b5490

Download Submit
C:\Windows\system\explorer.exe

Filesize
206KB

MD5
106432d58ce168b01c0b7b51b7162af9

SHA1
c949bc634be8262ead6218bd873ac27e25a1ba35

SHA256
67bc978290854e76c07d1ca1bfaafdd8b9704baaf232597ece75efac67b92bb8

SHA512
a21fb3c28d30245ebaa9e692e1fdb557a1ae0dabc7177b47ad1ba0f11cc73f75b86b4180e220fef340cd9a7702ffeda479a4bac2bf4ad24df5da2a6546060f08

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
79286b1d8f9dfd38f414e818a65d5b45

SHA1
41f18f1e0fc83783337811193c90f26baa13b396

SHA256
2f2ac2cf439f49fd52182a82a131184f2906d94ecb07da65a60f4c06835db556

SHA512
bc6b787892a44d1607217da4f3ca4043250a626f09e6e0d89b4cf800fc43d11bc9d101c9c794802e0f6dd509cd938f5e1bcca1469f15aabdb2f4aeef2d66ecf6

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
79286b1d8f9dfd38f414e818a65d5b45

SHA1
41f18f1e0fc83783337811193c90f26baa13b396

SHA256
2f2ac2cf439f49fd52182a82a131184f2906d94ecb07da65a60f4c06835db556

SHA512
bc6b787892a44d1607217da4f3ca4043250a626f09e6e0d89b4cf800fc43d11bc9d101c9c794802e0f6dd509cd938f5e1bcca1469f15aabdb2f4aeef2d66ecf6

Download Submit
C:\Windows\system\svchost.exe

Filesize
206KB

MD5
fb14ba2e4082a4c421f6c8b118bfc48c

SHA1
0c214ff60195d3c3c23556918fa0499b6a0e70b3

SHA256
6eac688ac3fd27cc04cb59da48ce015e35586621f2215ac042b50822d365db18

SHA512
76e070d74245e827ac08d74fb3ddaecefe74a488e2fc842b072c64ba5ded0121dc010ee46a6197ebdcade299364d0e97d96d5ae90707ff997a4e0f24ad59aeb7

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
206KB

MD5
106432d58ce168b01c0b7b51b7162af9

SHA1
c949bc634be8262ead6218bd873ac27e25a1ba35

SHA256
67bc978290854e76c07d1ca1bfaafdd8b9704baaf232597ece75efac67b92bb8

SHA512
a21fb3c28d30245ebaa9e692e1fdb557a1ae0dabc7177b47ad1ba0f11cc73f75b86b4180e220fef340cd9a7702ffeda479a4bac2bf4ad24df5da2a6546060f08

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
79286b1d8f9dfd38f414e818a65d5b45

SHA1
41f18f1e0fc83783337811193c90f26baa13b396

SHA256
2f2ac2cf439f49fd52182a82a131184f2906d94ecb07da65a60f4c06835db556

SHA512
bc6b787892a44d1607217da4f3ca4043250a626f09e6e0d89b4cf800fc43d11bc9d101c9c794802e0f6dd509cd938f5e1bcca1469f15aabdb2f4aeef2d66ecf6

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
206KB

MD5
fb14ba2e4082a4c421f6c8b118bfc48c

SHA1
0c214ff60195d3c3c23556918fa0499b6a0e70b3

SHA256
6eac688ac3fd27cc04cb59da48ce015e35586621f2215ac042b50822d365db18

SHA512
76e070d74245e827ac08d74fb3ddaecefe74a488e2fc842b072c64ba5ded0121dc010ee46a6197ebdcade299364d0e97d96d5ae90707ff997a4e0f24ad59aeb7

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
106432d58ce168b01c0b7b51b7162af9

SHA1
c949bc634be8262ead6218bd873ac27e25a1ba35

SHA256
67bc978290854e76c07d1ca1bfaafdd8b9704baaf232597ece75efac67b92bb8

SHA512
a21fb3c28d30245ebaa9e692e1fdb557a1ae0dabc7177b47ad1ba0f11cc73f75b86b4180e220fef340cd9a7702ffeda479a4bac2bf4ad24df5da2a6546060f08

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
106432d58ce168b01c0b7b51b7162af9

SHA1
c949bc634be8262ead6218bd873ac27e25a1ba35

SHA256
67bc978290854e76c07d1ca1bfaafdd8b9704baaf232597ece75efac67b92bb8

SHA512
a21fb3c28d30245ebaa9e692e1fdb557a1ae0dabc7177b47ad1ba0f11cc73f75b86b4180e220fef340cd9a7702ffeda479a4bac2bf4ad24df5da2a6546060f08

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
79286b1d8f9dfd38f414e818a65d5b45

SHA1
41f18f1e0fc83783337811193c90f26baa13b396

SHA256
2f2ac2cf439f49fd52182a82a131184f2906d94ecb07da65a60f4c06835db556

SHA512
bc6b787892a44d1607217da4f3ca4043250a626f09e6e0d89b4cf800fc43d11bc9d101c9c794802e0f6dd509cd938f5e1bcca1469f15aabdb2f4aeef2d66ecf6

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
79286b1d8f9dfd38f414e818a65d5b45

SHA1
41f18f1e0fc83783337811193c90f26baa13b396

SHA256
2f2ac2cf439f49fd52182a82a131184f2906d94ecb07da65a60f4c06835db556

SHA512
bc6b787892a44d1607217da4f3ca4043250a626f09e6e0d89b4cf800fc43d11bc9d101c9c794802e0f6dd509cd938f5e1bcca1469f15aabdb2f4aeef2d66ecf6

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
79286b1d8f9dfd38f414e818a65d5b45

SHA1
41f18f1e0fc83783337811193c90f26baa13b396

SHA256
2f2ac2cf439f49fd52182a82a131184f2906d94ecb07da65a60f4c06835db556

SHA512
bc6b787892a44d1607217da4f3ca4043250a626f09e6e0d89b4cf800fc43d11bc9d101c9c794802e0f6dd509cd938f5e1bcca1469f15aabdb2f4aeef2d66ecf6

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
79286b1d8f9dfd38f414e818a65d5b45

SHA1
41f18f1e0fc83783337811193c90f26baa13b396

SHA256
2f2ac2cf439f49fd52182a82a131184f2906d94ecb07da65a60f4c06835db556

SHA512
bc6b787892a44d1607217da4f3ca4043250a626f09e6e0d89b4cf800fc43d11bc9d101c9c794802e0f6dd509cd938f5e1bcca1469f15aabdb2f4aeef2d66ecf6

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
fb14ba2e4082a4c421f6c8b118bfc48c

SHA1
0c214ff60195d3c3c23556918fa0499b6a0e70b3

SHA256
6eac688ac3fd27cc04cb59da48ce015e35586621f2215ac042b50822d365db18

SHA512
76e070d74245e827ac08d74fb3ddaecefe74a488e2fc842b072c64ba5ded0121dc010ee46a6197ebdcade299364d0e97d96d5ae90707ff997a4e0f24ad59aeb7

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
fb14ba2e4082a4c421f6c8b118bfc48c

SHA1
0c214ff60195d3c3c23556918fa0499b6a0e70b3

SHA256
6eac688ac3fd27cc04cb59da48ce015e35586621f2215ac042b50822d365db18

SHA512
76e070d74245e827ac08d74fb3ddaecefe74a488e2fc842b072c64ba5ded0121dc010ee46a6197ebdcade299364d0e97d96d5ae90707ff997a4e0f24ad59aeb7

Download Submit
memory/1200-57-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download