fb59dbdf8eb0a17e43b4c0fb88778d5a095afc18a15a5c57dec0a4470f335dd8

Analysis

max time kernel
220s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb59dbdf8eb0a17e43b4c0fb88778d5a095afc18a15a5c57dec0a4470f335dd8.exe
Size

206KB
MD5

7e88cad59757e36a738e4adbfe87f2c7
SHA1

b60a3c4ca6661b461c72bf5bffc8c911973c9082
SHA256

fb59dbdf8eb0a17e43b4c0fb88778d5a095afc18a15a5c57dec0a4470f335dd8
SHA512

42636da5a0df71d423b6826551db8730a646f3885b2a4bcc89d2a59780b23e87d840fb8c690ead5c67fbf7e737add2a0b5187dce328d38f09e300b32fda85375
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6une:zvEN2U+T6i5LirrllHy4HUcMQY6D

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1872	explorer.exe
284	spoolsv.exe
1880	svchost.exe
824	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
1496	fb59dbdf8eb0a17e43b4c0fb88778d5a095afc18a15a5c57dec0a4470f335dd8.exe
1496	fb59dbdf8eb0a17e43b4c0fb88778d5a095afc18a15a5c57dec0a4470f335dd8.exe
1872	explorer.exe
1872	explorer.exe
284	spoolsv.exe
284	spoolsv.exe
1880	svchost.exe
1880	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	fb59dbdf8eb0a17e43b4c0fb88778d5a095afc18a15a5c57dec0a4470f335dd8.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1496	fb59dbdf8eb0a17e43b4c0fb88778d5a095afc18a15a5c57dec0a4470f335dd8.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1880	svchost.exe
1880	svchost.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1880	svchost.exe
1872	explorer.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1872	explorer.exe
1880	svchost.exe
1880	svchost.exe
1872	explorer.exe
1872	explorer.exe
1880	svchost.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1880	svchost.exe
1872	explorer.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe
1880	svchost.exe
1872	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1872	explorer.exe
1880	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1496	fb59dbdf8eb0a17e43b4c0fb88778d5a095afc18a15a5c57dec0a4470f335dd8.exe
1496	fb59dbdf8eb0a17e43b4c0fb88778d5a095afc18a15a5c57dec0a4470f335dd8.exe
1872	explorer.exe
1872	explorer.exe
284	spoolsv.exe
284	spoolsv.exe
1880	svchost.exe
1880	svchost.exe
824	spoolsv.exe
824	spoolsv.exe
1872	explorer.exe
1872	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1872	1496	fb59dbdf8eb0a17e43b4c0fb88778d5a095afc18a15a5c57dec0a4470f335dd8.exe	28
PID 1496 wrote to memory of 1872	1496	fb59dbdf8eb0a17e43b4c0fb88778d5a095afc18a15a5c57dec0a4470f335dd8.exe	28
PID 1496 wrote to memory of 1872	1496	fb59dbdf8eb0a17e43b4c0fb88778d5a095afc18a15a5c57dec0a4470f335dd8.exe	28
PID 1496 wrote to memory of 1872	1496	fb59dbdf8eb0a17e43b4c0fb88778d5a095afc18a15a5c57dec0a4470f335dd8.exe	28
PID 1872 wrote to memory of 284	1872	explorer.exe	29
PID 1872 wrote to memory of 284	1872	explorer.exe	29
PID 1872 wrote to memory of 284	1872	explorer.exe	29
PID 1872 wrote to memory of 284	1872	explorer.exe	29
PID 284 wrote to memory of 1880	284	spoolsv.exe	30
PID 284 wrote to memory of 1880	284	spoolsv.exe	30
PID 284 wrote to memory of 1880	284	spoolsv.exe	30
PID 284 wrote to memory of 1880	284	spoolsv.exe	30
PID 1880 wrote to memory of 824	1880	svchost.exe	31
PID 1880 wrote to memory of 824	1880	svchost.exe	31
PID 1880 wrote to memory of 824	1880	svchost.exe	31
PID 1880 wrote to memory of 824	1880	svchost.exe	31
PID 1880 wrote to memory of 1696	1880	svchost.exe	32
PID 1880 wrote to memory of 1696	1880	svchost.exe	32
PID 1880 wrote to memory of 1696	1880	svchost.exe	32
PID 1880 wrote to memory of 1696	1880	svchost.exe	32
PID 1880 wrote to memory of 1668	1880	svchost.exe	34
PID 1880 wrote to memory of 1668	1880	svchost.exe	34
PID 1880 wrote to memory of 1668	1880	svchost.exe	34
PID 1880 wrote to memory of 1668	1880	svchost.exe	34

C:\Users\Admin\AppData\Local\Temp\fb59dbdf8eb0a17e43b4c0fb88778d5a095afc18a15a5c57dec0a4470f335dd8.exe
"C:\Users\Admin\AppData\Local\Temp\fb59dbdf8eb0a17e43b4c0fb88778d5a095afc18a15a5c57dec0a4470f335dd8.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1496
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1872
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:284
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Modifies Installed Components in the registry
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:824
    - - C:\Windows\SysWOW64\at.exe
        
        at 18:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1696
    - - C:\Windows\SysWOW64\at.exe
        
        at 18:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1668

C:\Windows\system32\taskeng.exe
taskeng.exe {22528B5C-A32A-4702-A072-3C2EDC4CD215} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
e7c3077b7227b60cf991eace2232315d

SHA1
4258156803f5a52a2bb2707e0d65ae097e403ee8

SHA256
b8061229b4eefd323e71d2a1e0048a1aff4685668bb46d870ed4cc86a4a65e34

SHA512
835fc214da69210a0f9784fcf72717092b25fda38d02775401fc6376c5c99d0088ff584f6596145a0171579baf21065fd009132de72f51296d7736d58448c05c

Download Submit
C:\Windows\system\explorer.exe

Filesize
207KB

MD5
fd31bc5221132fcab4d346766453dd01

SHA1
adc121eb84de90259f421bda7fd76e7c9cebfe2f

SHA256
fdd64a78a2c0c13d63bfc1f2a7ec3793eb2b5ea52c22d9ffcaca467a42ac37b2

SHA512
02d2686099764b59f5b8ec8318686e155c6ffe69b8ce390018162d95509e970da4fdb0b77a0a829b96840eb1205dbbed1968cc9421c082cb95b9e643c05fdb78

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
92a04ea09c6c29593cf8df44d50d81be

SHA1
aeed3320eb984c50799b775a21d3e9dd77320f52

SHA256
734027efb532ddacdc4bf6cdcfc92c4b4eb44fb3abfdb5ee00b9b02296519b6a

SHA512
4b3374be39825e2acabd14ac399b215cad5f4625f5b72df8a7febe024dbdc1e2c9104eebba1653ee5f23ded957fb16e3fd9e3703a3050dbcc7458f4a326eecfd

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
92a04ea09c6c29593cf8df44d50d81be

SHA1
aeed3320eb984c50799b775a21d3e9dd77320f52

SHA256
734027efb532ddacdc4bf6cdcfc92c4b4eb44fb3abfdb5ee00b9b02296519b6a

SHA512
4b3374be39825e2acabd14ac399b215cad5f4625f5b72df8a7febe024dbdc1e2c9104eebba1653ee5f23ded957fb16e3fd9e3703a3050dbcc7458f4a326eecfd

Download Submit
C:\Windows\system\svchost.exe

Filesize
206KB

MD5
f957831a74916ef49041e39142cee7c8

SHA1
541002db566a838a1bbaeecea44bc3f6ac3d5c6e

SHA256
68d64713129705af673b2d374ef0f39c22fd99301540ad67f8eddc4d59e9249e

SHA512
395681f0257d657e344da2b447300c8597b46c5ed08f40713ad741f13a4796a8db0c11fcc1dbd4d6a03de0daca82bd4439cc3a635168d251fef11df60b7f5428

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
207KB

MD5
fd31bc5221132fcab4d346766453dd01

SHA1
adc121eb84de90259f421bda7fd76e7c9cebfe2f

SHA256
fdd64a78a2c0c13d63bfc1f2a7ec3793eb2b5ea52c22d9ffcaca467a42ac37b2

SHA512
02d2686099764b59f5b8ec8318686e155c6ffe69b8ce390018162d95509e970da4fdb0b77a0a829b96840eb1205dbbed1968cc9421c082cb95b9e643c05fdb78

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
92a04ea09c6c29593cf8df44d50d81be

SHA1
aeed3320eb984c50799b775a21d3e9dd77320f52

SHA256
734027efb532ddacdc4bf6cdcfc92c4b4eb44fb3abfdb5ee00b9b02296519b6a

SHA512
4b3374be39825e2acabd14ac399b215cad5f4625f5b72df8a7febe024dbdc1e2c9104eebba1653ee5f23ded957fb16e3fd9e3703a3050dbcc7458f4a326eecfd

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
206KB

MD5
f957831a74916ef49041e39142cee7c8

SHA1
541002db566a838a1bbaeecea44bc3f6ac3d5c6e

SHA256
68d64713129705af673b2d374ef0f39c22fd99301540ad67f8eddc4d59e9249e

SHA512
395681f0257d657e344da2b447300c8597b46c5ed08f40713ad741f13a4796a8db0c11fcc1dbd4d6a03de0daca82bd4439cc3a635168d251fef11df60b7f5428

Download Submit
\Windows\system\explorer.exe

Filesize
207KB

MD5
fd31bc5221132fcab4d346766453dd01

SHA1
adc121eb84de90259f421bda7fd76e7c9cebfe2f

SHA256
fdd64a78a2c0c13d63bfc1f2a7ec3793eb2b5ea52c22d9ffcaca467a42ac37b2

SHA512
02d2686099764b59f5b8ec8318686e155c6ffe69b8ce390018162d95509e970da4fdb0b77a0a829b96840eb1205dbbed1968cc9421c082cb95b9e643c05fdb78

Download Submit
\Windows\system\explorer.exe

Filesize
207KB

MD5
fd31bc5221132fcab4d346766453dd01

SHA1
adc121eb84de90259f421bda7fd76e7c9cebfe2f

SHA256
fdd64a78a2c0c13d63bfc1f2a7ec3793eb2b5ea52c22d9ffcaca467a42ac37b2

SHA512
02d2686099764b59f5b8ec8318686e155c6ffe69b8ce390018162d95509e970da4fdb0b77a0a829b96840eb1205dbbed1968cc9421c082cb95b9e643c05fdb78

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
92a04ea09c6c29593cf8df44d50d81be

SHA1
aeed3320eb984c50799b775a21d3e9dd77320f52

SHA256
734027efb532ddacdc4bf6cdcfc92c4b4eb44fb3abfdb5ee00b9b02296519b6a

SHA512
4b3374be39825e2acabd14ac399b215cad5f4625f5b72df8a7febe024dbdc1e2c9104eebba1653ee5f23ded957fb16e3fd9e3703a3050dbcc7458f4a326eecfd

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
92a04ea09c6c29593cf8df44d50d81be

SHA1
aeed3320eb984c50799b775a21d3e9dd77320f52

SHA256
734027efb532ddacdc4bf6cdcfc92c4b4eb44fb3abfdb5ee00b9b02296519b6a

SHA512
4b3374be39825e2acabd14ac399b215cad5f4625f5b72df8a7febe024dbdc1e2c9104eebba1653ee5f23ded957fb16e3fd9e3703a3050dbcc7458f4a326eecfd

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
92a04ea09c6c29593cf8df44d50d81be

SHA1
aeed3320eb984c50799b775a21d3e9dd77320f52

SHA256
734027efb532ddacdc4bf6cdcfc92c4b4eb44fb3abfdb5ee00b9b02296519b6a

SHA512
4b3374be39825e2acabd14ac399b215cad5f4625f5b72df8a7febe024dbdc1e2c9104eebba1653ee5f23ded957fb16e3fd9e3703a3050dbcc7458f4a326eecfd

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
92a04ea09c6c29593cf8df44d50d81be

SHA1
aeed3320eb984c50799b775a21d3e9dd77320f52

SHA256
734027efb532ddacdc4bf6cdcfc92c4b4eb44fb3abfdb5ee00b9b02296519b6a

SHA512
4b3374be39825e2acabd14ac399b215cad5f4625f5b72df8a7febe024dbdc1e2c9104eebba1653ee5f23ded957fb16e3fd9e3703a3050dbcc7458f4a326eecfd

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
f957831a74916ef49041e39142cee7c8

SHA1
541002db566a838a1bbaeecea44bc3f6ac3d5c6e

SHA256
68d64713129705af673b2d374ef0f39c22fd99301540ad67f8eddc4d59e9249e

SHA512
395681f0257d657e344da2b447300c8597b46c5ed08f40713ad741f13a4796a8db0c11fcc1dbd4d6a03de0daca82bd4439cc3a635168d251fef11df60b7f5428

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
f957831a74916ef49041e39142cee7c8

SHA1
541002db566a838a1bbaeecea44bc3f6ac3d5c6e

SHA256
68d64713129705af673b2d374ef0f39c22fd99301540ad67f8eddc4d59e9249e

SHA512
395681f0257d657e344da2b447300c8597b46c5ed08f40713ad741f13a4796a8db0c11fcc1dbd4d6a03de0daca82bd4439cc3a635168d251fef11df60b7f5428

Download Submit
memory/1496-57-0x0000000076581000-0x0000000076583000-memory.dmp

Filesize
8KB

Download