79c22a2c9c050e635e1e18c48ff7d977f399f6de1b8725875a544f6e8b404591

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79c22a2c9c050e635e1e18c48ff7d977f399f6de1b8725875a544f6e8b404591.exe
Size

206KB
MD5

1e68f62987bf5fde1b43f628843c300c
SHA1

b9c7d3b91e1ee7ce0bd492ea37f165d9195c4f44
SHA256

79c22a2c9c050e635e1e18c48ff7d977f399f6de1b8725875a544f6e8b404591
SHA512

e75e77695752082ed1aa8bc9949a1a76061bf9dd500b521dde6ede8a64eda41fe9f8a3b15b394e71cbba13df85589e29055fa69328d3209b35f69d5638879469
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unr:zvEN2U+T6i5LirrllHy4HUcMQY6k

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2524	explorer.exe
2696	spoolsv.exe
2532	svchost.exe
2412	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2596	79c22a2c9c050e635e1e18c48ff7d977f399f6de1b8725875a544f6e8b404591.exe
2596	79c22a2c9c050e635e1e18c48ff7d977f399f6de1b8725875a544f6e8b404591.exe
2524	explorer.exe
2524	explorer.exe
2696	spoolsv.exe
2696	spoolsv.exe
2532	svchost.exe
2532	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	79c22a2c9c050e635e1e18c48ff7d977f399f6de1b8725875a544f6e8b404591.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2596	79c22a2c9c050e635e1e18c48ff7d977f399f6de1b8725875a544f6e8b404591.exe
2524	explorer.exe
2524	explorer.exe
2524	explorer.exe
2524	explorer.exe
2532	svchost.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe
2532	svchost.exe
2524	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2524	explorer.exe
2532	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2596	79c22a2c9c050e635e1e18c48ff7d977f399f6de1b8725875a544f6e8b404591.exe
2596	79c22a2c9c050e635e1e18c48ff7d977f399f6de1b8725875a544f6e8b404591.exe
2524	explorer.exe
2524	explorer.exe
2696	spoolsv.exe
2696	spoolsv.exe
2532	svchost.exe
2532	svchost.exe
2412	spoolsv.exe
2412	spoolsv.exe
2524	explorer.exe
2524	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2524	2596	79c22a2c9c050e635e1e18c48ff7d977f399f6de1b8725875a544f6e8b404591.exe	28
PID 2596 wrote to memory of 2524	2596	79c22a2c9c050e635e1e18c48ff7d977f399f6de1b8725875a544f6e8b404591.exe	28
PID 2596 wrote to memory of 2524	2596	79c22a2c9c050e635e1e18c48ff7d977f399f6de1b8725875a544f6e8b404591.exe	28
PID 2596 wrote to memory of 2524	2596	79c22a2c9c050e635e1e18c48ff7d977f399f6de1b8725875a544f6e8b404591.exe	28
PID 2524 wrote to memory of 2696	2524	explorer.exe	29
PID 2524 wrote to memory of 2696	2524	explorer.exe	29
PID 2524 wrote to memory of 2696	2524	explorer.exe	29
PID 2524 wrote to memory of 2696	2524	explorer.exe	29
PID 2696 wrote to memory of 2532	2696	spoolsv.exe	30
PID 2696 wrote to memory of 2532	2696	spoolsv.exe	30
PID 2696 wrote to memory of 2532	2696	spoolsv.exe	30
PID 2696 wrote to memory of 2532	2696	spoolsv.exe	30
PID 2532 wrote to memory of 2412	2532	svchost.exe	31
PID 2532 wrote to memory of 2412	2532	svchost.exe	31
PID 2532 wrote to memory of 2412	2532	svchost.exe	31
PID 2532 wrote to memory of 2412	2532	svchost.exe	31
PID 2532 wrote to memory of 2972	2532	svchost.exe	32
PID 2532 wrote to memory of 2972	2532	svchost.exe	32
PID 2532 wrote to memory of 2972	2532	svchost.exe	32
PID 2532 wrote to memory of 2972	2532	svchost.exe	32
PID 2532 wrote to memory of 1316	2532	svchost.exe	36
PID 2532 wrote to memory of 1316	2532	svchost.exe	36
PID 2532 wrote to memory of 1316	2532	svchost.exe	36
PID 2532 wrote to memory of 1316	2532	svchost.exe	36
PID 2532 wrote to memory of 2108	2532	svchost.exe	38
PID 2532 wrote to memory of 2108	2532	svchost.exe	38
PID 2532 wrote to memory of 2108	2532	svchost.exe	38
PID 2532 wrote to memory of 2108	2532	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\79c22a2c9c050e635e1e18c48ff7d977f399f6de1b8725875a544f6e8b404591.exe
"C:\Users\Admin\AppData\Local\Temp\79c22a2c9c050e635e1e18c48ff7d977f399f6de1b8725875a544f6e8b404591.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2524
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2412
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2972
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1316
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
8062297d84b02feca7aed9a1210d544d

SHA1
c055a05ef5ab7c16aa6ec2aae65ab8eed9885931

SHA256
80fd4b439f0ab7000518e925492d7aaf4735c98dea5e8c7df531800a951f9942

SHA512
3f216634e0563e4461ef28f8c527f591316c763b602ca66324e65994eefb93db0baa3ccc58a6359ab93de396d2611c76b5573bc270290dc7fb1bba4312bc3b43

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
da5d14015938ef1e6aa7bcec75a0a7f6

SHA1
611a66aa69c4d9a84837999477377a82b80038f9

SHA256
5a997372f8f5c11e7dfefa2b33f50e3e9055d74e5ecdef429fb5c19a30d69c70

SHA512
223293ec479d907149686c06575ec079d08e615b45d03028cb9a0cc490283e61976617aa0fd8b98b4a2886a8060d274299cc33b52e45379fb415e9af55f60c58

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
d961d093d7eb31fc8514032120cf89f7

SHA1
bdc42bf973f28c2c7d438fc8b36765c4328f6f75

SHA256
ec1f9dec40bd7b7efb5ade8c9533ad08d50440377e012f60be1a28e0ea6e37fa

SHA512
97417952be710cf27a135a2d28edc8c77548e1abca8520a3ea8009b0bdd9685c80795831b496310840f6c1ec02289575be806afc4e2dd4c5ce05e3b591bcc4e6

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
4286da4913ca4f33e9603fe3996f8355

SHA1
996f46cf34f3762638aafaabf33f6d301e61e10a

SHA256
4dbb30e17703544956592b5fd94d3d3b7d1214838108bf35cc45a5f6b1230356

SHA512
7a973553ab8cfd88b2d04d3f8ef8190c719771a999a269048c00be1a187c9fde372746a9171f67b6f98450bef9eeb514f6416f0d613b58994bc827abe43f73a8

Download Submit