7fd9804219168d38e73a12f27e9560d82501d63ba142bc16fef6a044cf0dc898

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 14:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7fd9804219168d38e73a12f27e9560d82501d63ba142bc16fef6a044cf0dc898.exe
Size

206KB
MD5

5560aed7422ebe3f5cc2f85a84b24e64
SHA1

70b6ae1534ddf8ad3b2c02ca2d47c115f75bcc81
SHA256

7fd9804219168d38e73a12f27e9560d82501d63ba142bc16fef6a044cf0dc898
SHA512

d20d1e059bd0cd2164f8406b331d35b0736d1f3b691871e93a84f4294c55ebdbbfea7e59780fe004897fa66aa8ee2e148c91da44e03345a28434c863ea73efc2
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unaOs:zvEN2U+T6i5LirrllHy4HUcMQY6ys

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1776	explorer.exe
1128	spoolsv.exe
1112	svchost.exe
1960	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
1184	7fd9804219168d38e73a12f27e9560d82501d63ba142bc16fef6a044cf0dc898.exe
1184	7fd9804219168d38e73a12f27e9560d82501d63ba142bc16fef6a044cf0dc898.exe
1776	explorer.exe
1776	explorer.exe
1128	spoolsv.exe
1128	spoolsv.exe
1112	svchost.exe
1112	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	7fd9804219168d38e73a12f27e9560d82501d63ba142bc16fef6a044cf0dc898.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1184	7fd9804219168d38e73a12f27e9560d82501d63ba142bc16fef6a044cf0dc898.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1112	svchost.exe
1112	svchost.exe
1112	svchost.exe
1776	explorer.exe
1776	explorer.exe
1112	svchost.exe
1112	svchost.exe
1776	explorer.exe
1112	svchost.exe
1776	explorer.exe
1776	explorer.exe
1112	svchost.exe
1776	explorer.exe
1112	svchost.exe
1776	explorer.exe
1112	svchost.exe
1112	svchost.exe
1776	explorer.exe
1112	svchost.exe
1776	explorer.exe
1776	explorer.exe
1112	svchost.exe
1112	svchost.exe
1776	explorer.exe
1112	svchost.exe
1776	explorer.exe
1776	explorer.exe
1112	svchost.exe
1776	explorer.exe
1112	svchost.exe
1112	svchost.exe
1776	explorer.exe
1112	svchost.exe
1776	explorer.exe
1776	explorer.exe
1112	svchost.exe
1112	svchost.exe
1776	explorer.exe
1112	svchost.exe
1776	explorer.exe
1776	explorer.exe
1112	svchost.exe
1776	explorer.exe
1112	svchost.exe
1112	svchost.exe
1776	explorer.exe
1112	svchost.exe
1776	explorer.exe
1112	svchost.exe
1776	explorer.exe
1776	explorer.exe
1112	svchost.exe
1112	svchost.exe
1776	explorer.exe
1776	explorer.exe
1112	svchost.exe
1112	svchost.exe
1776	explorer.exe
1776	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1776	explorer.exe
1112	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1184	7fd9804219168d38e73a12f27e9560d82501d63ba142bc16fef6a044cf0dc898.exe
1184	7fd9804219168d38e73a12f27e9560d82501d63ba142bc16fef6a044cf0dc898.exe
1776	explorer.exe
1776	explorer.exe
1128	spoolsv.exe
1128	spoolsv.exe
1112	svchost.exe
1112	svchost.exe
1960	spoolsv.exe
1960	spoolsv.exe
1776	explorer.exe
1776	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1776	1184	7fd9804219168d38e73a12f27e9560d82501d63ba142bc16fef6a044cf0dc898.exe	26
PID 1184 wrote to memory of 1776	1184	7fd9804219168d38e73a12f27e9560d82501d63ba142bc16fef6a044cf0dc898.exe	26
PID 1184 wrote to memory of 1776	1184	7fd9804219168d38e73a12f27e9560d82501d63ba142bc16fef6a044cf0dc898.exe	26
PID 1184 wrote to memory of 1776	1184	7fd9804219168d38e73a12f27e9560d82501d63ba142bc16fef6a044cf0dc898.exe	26
PID 1776 wrote to memory of 1128	1776	explorer.exe	27
PID 1776 wrote to memory of 1128	1776	explorer.exe	27
PID 1776 wrote to memory of 1128	1776	explorer.exe	27
PID 1776 wrote to memory of 1128	1776	explorer.exe	27
PID 1128 wrote to memory of 1112	1128	spoolsv.exe	28
PID 1128 wrote to memory of 1112	1128	spoolsv.exe	28
PID 1128 wrote to memory of 1112	1128	spoolsv.exe	28
PID 1128 wrote to memory of 1112	1128	spoolsv.exe	28
PID 1112 wrote to memory of 1960	1112	svchost.exe	29
PID 1112 wrote to memory of 1960	1112	svchost.exe	29
PID 1112 wrote to memory of 1960	1112	svchost.exe	29
PID 1112 wrote to memory of 1960	1112	svchost.exe	29
PID 1112 wrote to memory of 1740	1112	svchost.exe	30
PID 1112 wrote to memory of 1740	1112	svchost.exe	30
PID 1112 wrote to memory of 1740	1112	svchost.exe	30
PID 1112 wrote to memory of 1740	1112	svchost.exe	30
PID 1112 wrote to memory of 1516	1112	svchost.exe	32
PID 1112 wrote to memory of 1516	1112	svchost.exe	32
PID 1112 wrote to memory of 1516	1112	svchost.exe	32
PID 1112 wrote to memory of 1516	1112	svchost.exe	32
PID 1112 wrote to memory of 1992	1112	svchost.exe	34
PID 1112 wrote to memory of 1992	1112	svchost.exe	34
PID 1112 wrote to memory of 1992	1112	svchost.exe	34
PID 1112 wrote to memory of 1992	1112	svchost.exe	34

C:\Users\Admin\AppData\Local\Temp\7fd9804219168d38e73a12f27e9560d82501d63ba142bc16fef6a044cf0dc898.exe
"C:\Users\Admin\AppData\Local\Temp\7fd9804219168d38e73a12f27e9560d82501d63ba142bc16fef6a044cf0dc898.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1184
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1776
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Modifies Installed Components in the registry
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1516
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
62ce2775b265e88d2af6328761974130

SHA1
006036271fee97100166357a7f9d4bb258b16d6c

SHA256
2dc59f727eea60d68c186877619067e30af07f3a47021605dd3a93197f726f84

SHA512
a2f8b58e831120ca24dd45cf8d6ce5de6110276a09bf610a9a82e61446e5b111ae430571037142a0e18d1dc7325d4dc0059fc2f7388e6ef8a9199732a3f48ed3

Download Submit
C:\Windows\system\explorer.exe

Filesize
206KB

MD5
6aa4cd254876ea0cb1981f75d456e157

SHA1
d4f099fa2ad68eeb7173f12008196a814768b207

SHA256
64a905826d47b7df1c3a7a5aed812565cc3fc488ca925420d1a562d9673067d3

SHA512
c0b91817372a80a32a5069cd84fad0f1b9b4c408c73e36a292774d924b23fb27361a59645c9f692106170391559640319601da76b71f8a226165d3fb6d73200c

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
3b9748d7cd49e4ed3363386ddccc4e8f

SHA1
baeee8c5e7b8a169c8fafee76b94c4007188c603

SHA256
543018b9db887e7913a30a3568b68ee1f43b327d8095f3ea66dafeb9ef36b209

SHA512
7d9f4d2b222e69e9c4873d87b23787eef6763a29ee2f18dd53459b31ebd9637eb555f3063f273e686a269a8e555cae9d6032688c45204a3aad62e0b1252a67b0

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
3b9748d7cd49e4ed3363386ddccc4e8f

SHA1
baeee8c5e7b8a169c8fafee76b94c4007188c603

SHA256
543018b9db887e7913a30a3568b68ee1f43b327d8095f3ea66dafeb9ef36b209

SHA512
7d9f4d2b222e69e9c4873d87b23787eef6763a29ee2f18dd53459b31ebd9637eb555f3063f273e686a269a8e555cae9d6032688c45204a3aad62e0b1252a67b0

Download Submit
C:\Windows\system\svchost.exe

Filesize
206KB

MD5
8bfdc6d1959ec6c2470936bc7569914c

SHA1
2f271d8c5a96a6c7217675b69e3fed178293fad5

SHA256
b4babefffeb2deb80361765a1153ce67e4b5c53383fb7e280062cb47cb98c0d9

SHA512
a6064d4148d1650552c653223e0b2e1d5ace51fe28691702b20bb23ee610d887e5cc2b240f532981be7188e46a17ae68799189beeb6bb9dc09ecf1fbb42edfc2

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
206KB

MD5
6aa4cd254876ea0cb1981f75d456e157

SHA1
d4f099fa2ad68eeb7173f12008196a814768b207

SHA256
64a905826d47b7df1c3a7a5aed812565cc3fc488ca925420d1a562d9673067d3

SHA512
c0b91817372a80a32a5069cd84fad0f1b9b4c408c73e36a292774d924b23fb27361a59645c9f692106170391559640319601da76b71f8a226165d3fb6d73200c

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
3b9748d7cd49e4ed3363386ddccc4e8f

SHA1
baeee8c5e7b8a169c8fafee76b94c4007188c603

SHA256
543018b9db887e7913a30a3568b68ee1f43b327d8095f3ea66dafeb9ef36b209

SHA512
7d9f4d2b222e69e9c4873d87b23787eef6763a29ee2f18dd53459b31ebd9637eb555f3063f273e686a269a8e555cae9d6032688c45204a3aad62e0b1252a67b0

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
206KB

MD5
8bfdc6d1959ec6c2470936bc7569914c

SHA1
2f271d8c5a96a6c7217675b69e3fed178293fad5

SHA256
b4babefffeb2deb80361765a1153ce67e4b5c53383fb7e280062cb47cb98c0d9

SHA512
a6064d4148d1650552c653223e0b2e1d5ace51fe28691702b20bb23ee610d887e5cc2b240f532981be7188e46a17ae68799189beeb6bb9dc09ecf1fbb42edfc2

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
6aa4cd254876ea0cb1981f75d456e157

SHA1
d4f099fa2ad68eeb7173f12008196a814768b207

SHA256
64a905826d47b7df1c3a7a5aed812565cc3fc488ca925420d1a562d9673067d3

SHA512
c0b91817372a80a32a5069cd84fad0f1b9b4c408c73e36a292774d924b23fb27361a59645c9f692106170391559640319601da76b71f8a226165d3fb6d73200c

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
6aa4cd254876ea0cb1981f75d456e157

SHA1
d4f099fa2ad68eeb7173f12008196a814768b207

SHA256
64a905826d47b7df1c3a7a5aed812565cc3fc488ca925420d1a562d9673067d3

SHA512
c0b91817372a80a32a5069cd84fad0f1b9b4c408c73e36a292774d924b23fb27361a59645c9f692106170391559640319601da76b71f8a226165d3fb6d73200c

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
3b9748d7cd49e4ed3363386ddccc4e8f

SHA1
baeee8c5e7b8a169c8fafee76b94c4007188c603

SHA256
543018b9db887e7913a30a3568b68ee1f43b327d8095f3ea66dafeb9ef36b209

SHA512
7d9f4d2b222e69e9c4873d87b23787eef6763a29ee2f18dd53459b31ebd9637eb555f3063f273e686a269a8e555cae9d6032688c45204a3aad62e0b1252a67b0

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
3b9748d7cd49e4ed3363386ddccc4e8f

SHA1
baeee8c5e7b8a169c8fafee76b94c4007188c603

SHA256
543018b9db887e7913a30a3568b68ee1f43b327d8095f3ea66dafeb9ef36b209

SHA512
7d9f4d2b222e69e9c4873d87b23787eef6763a29ee2f18dd53459b31ebd9637eb555f3063f273e686a269a8e555cae9d6032688c45204a3aad62e0b1252a67b0

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
3b9748d7cd49e4ed3363386ddccc4e8f

SHA1
baeee8c5e7b8a169c8fafee76b94c4007188c603

SHA256
543018b9db887e7913a30a3568b68ee1f43b327d8095f3ea66dafeb9ef36b209

SHA512
7d9f4d2b222e69e9c4873d87b23787eef6763a29ee2f18dd53459b31ebd9637eb555f3063f273e686a269a8e555cae9d6032688c45204a3aad62e0b1252a67b0

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
3b9748d7cd49e4ed3363386ddccc4e8f

SHA1
baeee8c5e7b8a169c8fafee76b94c4007188c603

SHA256
543018b9db887e7913a30a3568b68ee1f43b327d8095f3ea66dafeb9ef36b209

SHA512
7d9f4d2b222e69e9c4873d87b23787eef6763a29ee2f18dd53459b31ebd9637eb555f3063f273e686a269a8e555cae9d6032688c45204a3aad62e0b1252a67b0

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
8bfdc6d1959ec6c2470936bc7569914c

SHA1
2f271d8c5a96a6c7217675b69e3fed178293fad5

SHA256
b4babefffeb2deb80361765a1153ce67e4b5c53383fb7e280062cb47cb98c0d9

SHA512
a6064d4148d1650552c653223e0b2e1d5ace51fe28691702b20bb23ee610d887e5cc2b240f532981be7188e46a17ae68799189beeb6bb9dc09ecf1fbb42edfc2

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
8bfdc6d1959ec6c2470936bc7569914c

SHA1
2f271d8c5a96a6c7217675b69e3fed178293fad5

SHA256
b4babefffeb2deb80361765a1153ce67e4b5c53383fb7e280062cb47cb98c0d9

SHA512
a6064d4148d1650552c653223e0b2e1d5ace51fe28691702b20bb23ee610d887e5cc2b240f532981be7188e46a17ae68799189beeb6bb9dc09ecf1fbb42edfc2

Download Submit
memory/1184-57-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download