dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe
Size

122KB
MD5

129d8a368f0c4ef256879fe99e84a6d4
SHA1

4bd2f36f72d2121512592bfad48df4ed3dd80e3e
SHA256

dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7
SHA512

cc37d82bae81820e12be79e8cfd0d06ede1cc8b8d917fcb66fb73e1ef89a52b4a484dfaa78abefd918c51d3aaa559b8a4a8a3596366877a7c027496a770e1850
SSDEEP

1536:nyyzF9MFVCujlsQoeQZZ86ukpj0nGGF9v+4DRwS8GX:yyzQVCujl71QZZ4kp4F9Xt+GX

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1248	explorer.exe
624	spoolsv.exe
892	svchost.exe
580	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
1836	dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe
1836	dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe
1248	explorer.exe
1248	explorer.exe
624	spoolsv.exe
624	spoolsv.exe
892	svchost.exe
892	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\System\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1836	dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe
1248	explorer.exe
892	svchost.exe
1248	explorer.exe
892	svchost.exe
1248	explorer.exe
1248	explorer.exe
892	svchost.exe
1248	explorer.exe
892	svchost.exe
1248	explorer.exe
892	svchost.exe
892	svchost.exe
1248	explorer.exe
892	svchost.exe
1248	explorer.exe
1248	explorer.exe
892	svchost.exe
892	svchost.exe
1248	explorer.exe
1248	explorer.exe
892	svchost.exe
892	svchost.exe
1248	explorer.exe
1248	explorer.exe
892	svchost.exe
892	svchost.exe
1248	explorer.exe
892	svchost.exe
1248	explorer.exe
1248	explorer.exe
892	svchost.exe
1248	explorer.exe
892	svchost.exe
1248	explorer.exe
892	svchost.exe
1248	explorer.exe
892	svchost.exe
892	svchost.exe
1248	explorer.exe
892	svchost.exe
1248	explorer.exe
1248	explorer.exe
892	svchost.exe
1248	explorer.exe
892	svchost.exe
892	svchost.exe
1248	explorer.exe
1248	explorer.exe
892	svchost.exe
1248	explorer.exe
892	svchost.exe
892	svchost.exe
1248	explorer.exe
892	svchost.exe
1248	explorer.exe
1248	explorer.exe
892	svchost.exe
892	svchost.exe
1248	explorer.exe
892	svchost.exe
1248	explorer.exe
1248	explorer.exe
892	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
892	svchost.exe
1248	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1836	dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe
1836	dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe
1248	explorer.exe
1248	explorer.exe
624	spoolsv.exe
624	spoolsv.exe
892	svchost.exe
892	svchost.exe
580	spoolsv.exe
580	spoolsv.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1248	1836	dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe	28
PID 1836 wrote to memory of 1248	1836	dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe	28
PID 1836 wrote to memory of 1248	1836	dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe	28
PID 1836 wrote to memory of 1248	1836	dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe	28
PID 1248 wrote to memory of 624	1248	explorer.exe	29
PID 1248 wrote to memory of 624	1248	explorer.exe	29
PID 1248 wrote to memory of 624	1248	explorer.exe	29
PID 1248 wrote to memory of 624	1248	explorer.exe	29
PID 624 wrote to memory of 892	624	spoolsv.exe	30
PID 624 wrote to memory of 892	624	spoolsv.exe	30
PID 624 wrote to memory of 892	624	spoolsv.exe	30
PID 624 wrote to memory of 892	624	spoolsv.exe	30
PID 892 wrote to memory of 580	892	svchost.exe	31
PID 892 wrote to memory of 580	892	svchost.exe	31
PID 892 wrote to memory of 580	892	svchost.exe	31
PID 892 wrote to memory of 580	892	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe
"C:\Users\Admin\AppData\Local\Temp\dd3592f1872886994f1f5faa35e570889ff8d0cc75dcb81db1626e2cad523de7.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1248
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:624
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Modifies Installed Components in the registry
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
122KB

MD5
ecbd45111b47e4f472f86cf241abc28c

SHA1
b60f4302fa1f4bc007f9791f4dd0c9085d05432f

SHA256
214a619e7dd892163afc3bfca48335295cad676a91ecc5423ebcadf73cf8b6a7

SHA512
d884c472c4df4bb31b4fc18b5b88e090282a3ecb0b4bdea0686718c64ad0913e97d174c8311807ef77a99f9c0d5b91fe6bc6672aa8894c5f0c493f98bf07fc6c

Download Submit
C:\Windows\system\explorer.exe

Filesize
122KB

MD5
a4841150bf62681c1479f6e605d5c91b

SHA1
c6bebb65eb66535ad47e3710f9dafa0823da3186

SHA256
9b7f2127f1491565cd3902c8b054fa7195c780a23eabac0d5d8ee18bec3361a7

SHA512
e4e9b81910f9e21d96ad68244bc6d882d08c9bc8dc448ce324b704511884bb889ce178f350718ac1eb8ba1551ff8d4af4c689077b0df3388be0b3375ac619973

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
122KB

MD5
12c8fcba7e460bf4efe66e404e379252

SHA1
d883fb5fe89fb2dfd525623a5b546001e3e4204a

SHA256
8c26816afa2e0c2b7383d721fcae5d97fba5a0f5bc12419c664e650fd273aa6a

SHA512
70d45984724630395ffc00936bfc50a936e000ad2d8eaddbeb1bae1ce00b8c022346666ed7c6f9ee24d4cb63a1873662b3a1f0caec5f8d8a7a145b04493d6165

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
122KB

MD5
12c8fcba7e460bf4efe66e404e379252

SHA1
d883fb5fe89fb2dfd525623a5b546001e3e4204a

SHA256
8c26816afa2e0c2b7383d721fcae5d97fba5a0f5bc12419c664e650fd273aa6a

SHA512
70d45984724630395ffc00936bfc50a936e000ad2d8eaddbeb1bae1ce00b8c022346666ed7c6f9ee24d4cb63a1873662b3a1f0caec5f8d8a7a145b04493d6165

Download Submit
C:\Windows\system\svchost.exe

Filesize
122KB

MD5
aca1549e2c574830e1f6d479ea99244d

SHA1
851503c72c5949b38137462b7375e2c9440fca07

SHA256
5d67accc699a7d5e55921435b209321e97e409da40ae9fc68fd7b0ae667fb7e8

SHA512
71ec67163bf189e692a0883facf70bcdff1189d51f8773611fd79c10727f2dec64aaecd2e9beca262e2c0f7215d391398089b25ec241e305d438ca0b47e5bded

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
122KB

MD5
a4841150bf62681c1479f6e605d5c91b

SHA1
c6bebb65eb66535ad47e3710f9dafa0823da3186

SHA256
9b7f2127f1491565cd3902c8b054fa7195c780a23eabac0d5d8ee18bec3361a7

SHA512
e4e9b81910f9e21d96ad68244bc6d882d08c9bc8dc448ce324b704511884bb889ce178f350718ac1eb8ba1551ff8d4af4c689077b0df3388be0b3375ac619973

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
122KB

MD5
12c8fcba7e460bf4efe66e404e379252

SHA1
d883fb5fe89fb2dfd525623a5b546001e3e4204a

SHA256
8c26816afa2e0c2b7383d721fcae5d97fba5a0f5bc12419c664e650fd273aa6a

SHA512
70d45984724630395ffc00936bfc50a936e000ad2d8eaddbeb1bae1ce00b8c022346666ed7c6f9ee24d4cb63a1873662b3a1f0caec5f8d8a7a145b04493d6165

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
122KB

MD5
aca1549e2c574830e1f6d479ea99244d

SHA1
851503c72c5949b38137462b7375e2c9440fca07

SHA256
5d67accc699a7d5e55921435b209321e97e409da40ae9fc68fd7b0ae667fb7e8

SHA512
71ec67163bf189e692a0883facf70bcdff1189d51f8773611fd79c10727f2dec64aaecd2e9beca262e2c0f7215d391398089b25ec241e305d438ca0b47e5bded

Download Submit
\Windows\system\explorer.exe

Filesize
122KB

MD5
a4841150bf62681c1479f6e605d5c91b

SHA1
c6bebb65eb66535ad47e3710f9dafa0823da3186

SHA256
9b7f2127f1491565cd3902c8b054fa7195c780a23eabac0d5d8ee18bec3361a7

SHA512
e4e9b81910f9e21d96ad68244bc6d882d08c9bc8dc448ce324b704511884bb889ce178f350718ac1eb8ba1551ff8d4af4c689077b0df3388be0b3375ac619973

Download Submit
\Windows\system\explorer.exe

Filesize
122KB

MD5
a4841150bf62681c1479f6e605d5c91b

SHA1
c6bebb65eb66535ad47e3710f9dafa0823da3186

SHA256
9b7f2127f1491565cd3902c8b054fa7195c780a23eabac0d5d8ee18bec3361a7

SHA512
e4e9b81910f9e21d96ad68244bc6d882d08c9bc8dc448ce324b704511884bb889ce178f350718ac1eb8ba1551ff8d4af4c689077b0df3388be0b3375ac619973

Download Submit
\Windows\system\spoolsv.exe

Filesize
122KB

MD5
12c8fcba7e460bf4efe66e404e379252

SHA1
d883fb5fe89fb2dfd525623a5b546001e3e4204a

SHA256
8c26816afa2e0c2b7383d721fcae5d97fba5a0f5bc12419c664e650fd273aa6a

SHA512
70d45984724630395ffc00936bfc50a936e000ad2d8eaddbeb1bae1ce00b8c022346666ed7c6f9ee24d4cb63a1873662b3a1f0caec5f8d8a7a145b04493d6165

Download Submit
\Windows\system\spoolsv.exe

Filesize
122KB

MD5
12c8fcba7e460bf4efe66e404e379252

SHA1
d883fb5fe89fb2dfd525623a5b546001e3e4204a

SHA256
8c26816afa2e0c2b7383d721fcae5d97fba5a0f5bc12419c664e650fd273aa6a

SHA512
70d45984724630395ffc00936bfc50a936e000ad2d8eaddbeb1bae1ce00b8c022346666ed7c6f9ee24d4cb63a1873662b3a1f0caec5f8d8a7a145b04493d6165

Download Submit
\Windows\system\spoolsv.exe

Filesize
122KB

MD5
12c8fcba7e460bf4efe66e404e379252

SHA1
d883fb5fe89fb2dfd525623a5b546001e3e4204a

SHA256
8c26816afa2e0c2b7383d721fcae5d97fba5a0f5bc12419c664e650fd273aa6a

SHA512
70d45984724630395ffc00936bfc50a936e000ad2d8eaddbeb1bae1ce00b8c022346666ed7c6f9ee24d4cb63a1873662b3a1f0caec5f8d8a7a145b04493d6165

Download Submit
\Windows\system\spoolsv.exe

Filesize
122KB

MD5
12c8fcba7e460bf4efe66e404e379252

SHA1
d883fb5fe89fb2dfd525623a5b546001e3e4204a

SHA256
8c26816afa2e0c2b7383d721fcae5d97fba5a0f5bc12419c664e650fd273aa6a

SHA512
70d45984724630395ffc00936bfc50a936e000ad2d8eaddbeb1bae1ce00b8c022346666ed7c6f9ee24d4cb63a1873662b3a1f0caec5f8d8a7a145b04493d6165

Download Submit
\Windows\system\svchost.exe

Filesize
122KB

MD5
aca1549e2c574830e1f6d479ea99244d

SHA1
851503c72c5949b38137462b7375e2c9440fca07

SHA256
5d67accc699a7d5e55921435b209321e97e409da40ae9fc68fd7b0ae667fb7e8

SHA512
71ec67163bf189e692a0883facf70bcdff1189d51f8773611fd79c10727f2dec64aaecd2e9beca262e2c0f7215d391398089b25ec241e305d438ca0b47e5bded

Download Submit
\Windows\system\svchost.exe

Filesize
122KB

MD5
aca1549e2c574830e1f6d479ea99244d

SHA1
851503c72c5949b38137462b7375e2c9440fca07

SHA256
5d67accc699a7d5e55921435b209321e97e409da40ae9fc68fd7b0ae667fb7e8

SHA512
71ec67163bf189e692a0883facf70bcdff1189d51f8773611fd79c10727f2dec64aaecd2e9beca262e2c0f7215d391398089b25ec241e305d438ca0b47e5bded

Download Submit
memory/1836-57-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download