25dda001be45839c985f0db2a1b60a3399aa2ad4079c15fa429ebd08f9e0a7bd

Analysis

max time kernel
268s
max time network
270s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MRT.exe
Size

182.3MB
MD5

acfdc6a3a039cfb1462c3b81cbe6a2a5
SHA1

5bad1bc03464264685c85f1837dbf5a94f2de967
SHA256

25dda001be45839c985f0db2a1b60a3399aa2ad4079c15fa429ebd08f9e0a7bd
SHA512

62cc138abac9b611348c380d379bbbf37bb8c2b8dd0ca12537d05668fbb24fce046793918203180a153aba4af336db4569f85b222d9e71d6bc275b0506e4e5ca
SSDEEP

3145728:ExZI1yI6xMfOpPRmbkoeuPBxTBNkDHhI3OQL2PZ8tG63ZBSLtwgfYyE2/6/w/95A:YZI1WpJmreSBbYwRsJon

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	MRT.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\MRT\50709301-5672-7BB3-896A-361F6B84FF60\MPENGINE.DLL	MRT.exe
File created	C:\Windows\system32\MRT\50709301-5672-7BB3-896A-361F6B84FF60\MRT\325DE823-70F1-4125-BC00-7CC18A11E00B\MpGearSupport_20240220_013039D7F4BD6A-9AB2-76F3-3326-BE9BB4037FF5.log	MRT.exe
File created	C:\Windows\system32\MRT\50709301-5672-7BB3-896A-361F6B84FF60\MRT\325DE823-70F1-4125-BC00-7CC18A11E00B\01da639cb2db0c1a	MRT.exe
File created	C:\Windows\system32\MRT\50709301-5672-7BB3-896A-361F6B84FF60\MPGEAR.DLL	MRT.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\mrt.log	MRT.exe

Loads dropped DLL 2 IoCs

pid	Process
3676	MRT.exe
3676	MRT.exe

Registers COM server for autorun 1 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32	MRT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32	MRT.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3676	MRT.exe
3676	MRT.exe
3676	MRT.exe
3676	MRT.exe
3676	MRT.exe
3676	MRT.exe
3676	MRT.exe
3676	MRT.exe
3676	MRT.exe
3676	MRT.exe
3676	MRT.exe
3676	MRT.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3676	MRT.exe
Token: SeBackupPrivilege	3676	MRT.exe
Token: SeRestorePrivilege	3676	MRT.exe
Token: SeSystemEnvironmentPrivilege	3676	MRT.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MRT.exe
"C:\Users\Admin\AppData\Local\Temp\MRT.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\MRT\50709301-5672-7BB3-896A-361F6B84FF60\MPENGINE.DLL

Filesize
11.1MB

MD5
28a2fa550a086488708a76033fa93595

SHA1
dcde5ed21ba5db2404406026ce224e5370a3f281

SHA256
b6b50c1f0a062887945ffa8f99278739bc3c25e1999a4e2dfa228bc3ecb1f43c

SHA512
645f3a60a2c665c11878ee1718c2cd941ad8545247af57fa33bb6331e2552fc59244dbf581ff44355d24eec089d11f82ebaa74c29d69f889d73d11d1f0c73522

Download Submit
C:\Windows\System32\MRT\50709301-5672-7BB3-896A-361F6B84FF60\MPENGINE.DLL

Filesize
12.4MB

MD5
691cee60da58c396c1fd24176d2477a3

SHA1
3db4cdbc5a75e568e68f8938f9eef38c2f394c8c

SHA256
bf6e1b00e5a38d5316a0705c20485970c0e1d958a0e941a7ef6c229545bd3b65

SHA512
312a0f30f48d2b6f49e04fadcefd7efe4c7ef60df94b05c1cb02f19d847fca89c5f564088c1a967dda6465ccb23c79f5a6d7a77b4369637500f357dafdc52c8c

Download Submit
C:\Windows\System32\MRT\50709301-5672-7BB3-896A-361F6B84FF60\MPGEAR.DLL

Filesize
607KB

MD5
a0c4ac6378ce0313955dccfd2d9208a6

SHA1
7ee2f0f3bf4504f4f7bbc63cb5fa883711c13801

SHA256
abbe3285c58c830314f9f0ad2ddc769139c0d808e27893290adc69a535b996b1

SHA512
72ea9f0d7399fa5d6865f3f887ffa07098b883b1428b33dcb552a40bb22ca6a461a546736667ca1aa97e5f06dffd10dab765c7f6e3e827dd0335b562b27d2fb5

Download Submit
memory/3676-10-0x0000024066080000-0x0000024066591000-memory.dmp

Filesize
5.1MB

Download
memory/3676-11-0x000002405AD40000-0x000002405B0B6000-memory.dmp

Filesize
3.5MB

Download
memory/3676-12-0x0000024055E20000-0x0000024055E24000-memory.dmp

Filesize
16KB

Download
memory/3676-13-0x000002405B560000-0x000002405B564000-memory.dmp

Filesize
16KB

Download
memory/3676-15-0x000002405C410000-0x000002405C414000-memory.dmp

Filesize
16KB

Download
memory/3676-14-0x000002405C2C0000-0x000002405C2C4000-memory.dmp

Filesize
16KB

Download
memory/3676-16-0x000002405C420000-0x000002405C424000-memory.dmp

Filesize
16KB

Download
memory/3676-17-0x000002405CE30000-0x000002405CE34000-memory.dmp

Filesize
16KB

Download
memory/3676-19-0x000002405B0C0000-0x000002405B0C4000-memory.dmp

Filesize
16KB

Download
memory/3676-18-0x000002405F8E0000-0x000002405F8E4000-memory.dmp

Filesize
16KB

Download
memory/3676-21-0x000002405B0E0000-0x000002405B0E4000-memory.dmp

Filesize
16KB

Download
memory/3676-20-0x000002405B0D0000-0x000002405B0D4000-memory.dmp

Filesize
16KB

Download
memory/3676-22-0x000002405B0F0000-0x000002405B0F4000-memory.dmp

Filesize
16KB

Download
memory/3676-23-0x00000240668E0000-0x00000240668E4000-memory.dmp

Filesize
16KB

Download
memory/3676-24-0x00000240668F0000-0x00000240668F4000-memory.dmp

Filesize
16KB

Download
memory/3676-26-0x0000024066910000-0x0000024066914000-memory.dmp

Filesize
16KB

Download
memory/3676-25-0x0000024066900000-0x0000024066904000-memory.dmp

Filesize
16KB

Download
memory/3676-27-0x0000024066920000-0x0000024066924000-memory.dmp

Filesize
16KB

Download
memory/3676-28-0x0000024066930000-0x0000024066934000-memory.dmp

Filesize
16KB

Download
memory/3676-29-0x0000024066940000-0x0000024066944000-memory.dmp

Filesize
16KB

Download
memory/3676-31-0x0000024066960000-0x0000024066964000-memory.dmp

Filesize
16KB

Download
memory/3676-32-0x0000024066970000-0x0000024066974000-memory.dmp

Filesize
16KB

Download
memory/3676-30-0x0000024066950000-0x0000024066954000-memory.dmp

Filesize
16KB

Download
memory/3676-33-0x0000024066980000-0x00000240669CB000-memory.dmp

Filesize
300KB

Download
memory/3676-34-0x00000240669D0000-0x0000024066A19000-memory.dmp

Filesize
292KB

Download
memory/3676-35-0x0000024066A20000-0x0000024066AB2000-memory.dmp

Filesize
584KB

Download
memory/3676-36-0x0000024055E30000-0x0000024055E31000-memory.dmp

Filesize
4KB

Download
memory/3676-38-0x000002405BFB0000-0x000002405BFB1000-memory.dmp

Filesize
4KB

Download
memory/3676-37-0x000002405B250000-0x000002405B251000-memory.dmp

Filesize
4KB

Download
memory/3676-39-0x000002405B420000-0x000002405B421000-memory.dmp

Filesize
4KB

Download
memory/3676-40-0x000002405B530000-0x000002405B531000-memory.dmp

Filesize
4KB

Download
memory/3676-42-0x000002405B550000-0x000002405B551000-memory.dmp

Filesize
4KB

Download
memory/3676-41-0x000002405B540000-0x000002405B541000-memory.dmp

Filesize
4KB

Download
memory/3676-43-0x00000240600F0000-0x00000240600F1000-memory.dmp

Filesize
4KB

Download
memory/3676-44-0x0000024060100000-0x0000024060101000-memory.dmp

Filesize
4KB

Download
memory/3676-46-0x0000024060420000-0x0000024060421000-memory.dmp

Filesize
4KB

Download
memory/3676-45-0x0000024060110000-0x0000024060111000-memory.dmp

Filesize
4KB

Download
memory/3676-49-0x0000024060B60000-0x0000024060B61000-memory.dmp

Filesize
4KB

Download
memory/3676-47-0x0000024060430000-0x0000024060431000-memory.dmp

Filesize
4KB

Download
memory/3676-48-0x0000024060440000-0x0000024060441000-memory.dmp

Filesize
4KB

Download
memory/3676-51-0x0000024065110000-0x0000024065111000-memory.dmp

Filesize
4KB

Download
memory/3676-50-0x0000024065100000-0x0000024065101000-memory.dmp

Filesize
4KB

Download
memory/3676-53-0x0000024065130000-0x0000024065131000-memory.dmp

Filesize
4KB

Download
memory/3676-52-0x0000024065120000-0x0000024065121000-memory.dmp

Filesize
4KB

Download
memory/3676-54-0x0000024065140000-0x0000024065141000-memory.dmp

Filesize
4KB

Download
memory/3676-56-0x0000024065160000-0x0000024065161000-memory.dmp

Filesize
4KB

Download
memory/3676-55-0x0000024065150000-0x0000024065151000-memory.dmp

Filesize
4KB

Download
memory/3676-58-0x0000024065180000-0x0000024065181000-memory.dmp

Filesize
4KB

Download
memory/3676-57-0x0000024065170000-0x0000024065171000-memory.dmp

Filesize
4KB

Download
memory/3676-70-0x0000024065410000-0x0000024065411000-memory.dmp

Filesize
4KB

Download
memory/3676-69-0x0000024065400000-0x0000024065401000-memory.dmp

Filesize
4KB

Download
memory/3676-72-0x0000024065430000-0x0000024065431000-memory.dmp

Filesize
4KB

Download
memory/3676-71-0x0000024065420000-0x0000024065421000-memory.dmp

Filesize
4KB

Download
memory/3676-68-0x00000240653F0000-0x00000240653F1000-memory.dmp

Filesize
4KB

Download
memory/3676-67-0x0000024065210000-0x0000024065211000-memory.dmp

Filesize
4KB

Download
memory/3676-65-0x00000240651F0000-0x00000240651F1000-memory.dmp

Filesize
4KB

Download
memory/3676-66-0x0000024065200000-0x0000024065201000-memory.dmp

Filesize
4KB

Download
memory/3676-64-0x00000240651E0000-0x00000240651E1000-memory.dmp

Filesize
4KB

Download
memory/3676-63-0x00000240651D0000-0x00000240651D1000-memory.dmp

Filesize
4KB

Download
memory/3676-62-0x00000240651C0000-0x00000240651C1000-memory.dmp

Filesize
4KB

Download
memory/3676-61-0x00000240651B0000-0x00000240651B1000-memory.dmp

Filesize
4KB

Download
memory/3676-60-0x00000240651A0000-0x00000240651A1000-memory.dmp

Filesize
4KB

Download
memory/3676-59-0x0000024065190000-0x0000024065191000-memory.dmp

Filesize
4KB

Download
memory/3676-73-0x0000024065440000-0x0000024065441000-memory.dmp

Filesize
4KB

Download
memory/3676-524-0x0000024066E50000-0x0000024066F50000-memory.dmp

Filesize
1024KB

Download
memory/3676-528-0x000002405E3C0000-0x000002405E4CD000-memory.dmp

Filesize
1.1MB

Download
memory/3676-532-0x0000024067FE0000-0x00000240681E0000-memory.dmp

Filesize
2.0MB

Download
memory/3676-2216-0x0000024066E50000-0x0000024066F50000-memory.dmp

Filesize
1024KB

Download
memory/3676-2417-0x000002405E3C0000-0x000002405E4CD000-memory.dmp

Filesize
1.1MB

Download
memory/3676-2629-0x0000024067FE0000-0x00000240681E0000-memory.dmp

Filesize
2.0MB

Download
memory/3676-6938-0x000002405DC30000-0x000002405DC50000-memory.dmp

Filesize
128KB

Download
memory/3676-6939-0x000002405E4D0000-0x000002405E4F0000-memory.dmp

Filesize
128KB

Download
memory/3676-6940-0x000002405E4F0000-0x000002405E510000-memory.dmp

Filesize
128KB

Download
memory/3676-7448-0x000002405E500000-0x000002405E60D000-memory.dmp

Filesize
1.1MB

Download
memory/3676-7447-0x000002405DC30000-0x000002405DC50000-memory.dmp

Filesize
128KB

Download
memory/3676-8098-0x000002405E500000-0x000002405E60D000-memory.dmp

Filesize
1.1MB

Download
memory/3676-8212-0x000002405E620000-0x000002405E640000-memory.dmp

Filesize
128KB

Download
memory/3676-8741-0x000002405E500000-0x000002405E60D000-memory.dmp

Filesize
1.1MB

Download
memory/3676-8902-0x000002405E500000-0x000002405E60D000-memory.dmp

Filesize
1.1MB

Download
memory/3676-8959-0x000002405E620000-0x000002405E640000-memory.dmp

Filesize
128KB

Download
memory/3676-9639-0x000002405E500000-0x000002405E60D000-memory.dmp

Filesize
1.1MB

Download
memory/3676-9655-0x000002405E500000-0x000002405E60D000-memory.dmp

Filesize
1.1MB

Download
memory/3676-11296-0x000002405E500000-0x000002405E60D000-memory.dmp

Filesize
1.1MB

Download
memory/3676-11456-0x000002405E500000-0x000002405E60D000-memory.dmp

Filesize
1.1MB

Download
memory/3676-11922-0x000002406A5C0000-0x000002406A6CD000-memory.dmp

Filesize
1.1MB

Download
memory/3676-11927-0x000002406A2F0000-0x000002406A3FD000-memory.dmp

Filesize
1.1MB

Download