9507429d0cb32ad5bcac3a4d48d4ddfd2803b7d5611df5affd327094e78f124c

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-04-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9507429d0cb32ad5bcac3a4d48d4ddfd2803b7d5611df5affd327094e78f124c.exe
Size

206KB
MD5

5492018432c670f000494780ec4fcb9b
SHA1

7faac63e3646f754a0a127228705b6170eafcc20
SHA256

9507429d0cb32ad5bcac3a4d48d4ddfd2803b7d5611df5affd327094e78f124c
SHA512

4f0bbfecffe50dbbc6652f6a99c572ebf67dac4261976e3aa5e47dc4381ee8a99ede4f0986912f7e418369ef9d60a63f4b5aafbee71c19b691007333d8161c74
SSDEEP

3072:gvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unrm:gvEN2U+T6i5LirrllHy4HUcMQY6sm

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2596	explorer.exe
2652	spoolsv.exe
2616	svchost.exe
2752	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2280	9507429d0cb32ad5bcac3a4d48d4ddfd2803b7d5611df5affd327094e78f124c.exe
2280	9507429d0cb32ad5bcac3a4d48d4ddfd2803b7d5611df5affd327094e78f124c.exe
2596	explorer.exe
2596	explorer.exe
2652	spoolsv.exe
2652	spoolsv.exe
2616	svchost.exe
2616	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	9507429d0cb32ad5bcac3a4d48d4ddfd2803b7d5611df5affd327094e78f124c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	9507429d0cb32ad5bcac3a4d48d4ddfd2803b7d5611df5affd327094e78f124c.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2616	svchost.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe
2616	svchost.exe
2596	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2596	explorer.exe
2616	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2280	9507429d0cb32ad5bcac3a4d48d4ddfd2803b7d5611df5affd327094e78f124c.exe
2280	9507429d0cb32ad5bcac3a4d48d4ddfd2803b7d5611df5affd327094e78f124c.exe
2596	explorer.exe
2596	explorer.exe
2652	spoolsv.exe
2652	spoolsv.exe
2616	svchost.exe
2616	svchost.exe
2752	spoolsv.exe
2752	spoolsv.exe
2596	explorer.exe
2596	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2596	2280	9507429d0cb32ad5bcac3a4d48d4ddfd2803b7d5611df5affd327094e78f124c.exe	28
PID 2280 wrote to memory of 2596	2280	9507429d0cb32ad5bcac3a4d48d4ddfd2803b7d5611df5affd327094e78f124c.exe	28
PID 2280 wrote to memory of 2596	2280	9507429d0cb32ad5bcac3a4d48d4ddfd2803b7d5611df5affd327094e78f124c.exe	28
PID 2280 wrote to memory of 2596	2280	9507429d0cb32ad5bcac3a4d48d4ddfd2803b7d5611df5affd327094e78f124c.exe	28
PID 2596 wrote to memory of 2652	2596	explorer.exe	29
PID 2596 wrote to memory of 2652	2596	explorer.exe	29
PID 2596 wrote to memory of 2652	2596	explorer.exe	29
PID 2596 wrote to memory of 2652	2596	explorer.exe	29
PID 2652 wrote to memory of 2616	2652	spoolsv.exe	30
PID 2652 wrote to memory of 2616	2652	spoolsv.exe	30
PID 2652 wrote to memory of 2616	2652	spoolsv.exe	30
PID 2652 wrote to memory of 2616	2652	spoolsv.exe	30
PID 2616 wrote to memory of 2752	2616	svchost.exe	31
PID 2616 wrote to memory of 2752	2616	svchost.exe	31
PID 2616 wrote to memory of 2752	2616	svchost.exe	31
PID 2616 wrote to memory of 2752	2616	svchost.exe	31
PID 2616 wrote to memory of 2424	2616	svchost.exe	32
PID 2616 wrote to memory of 2424	2616	svchost.exe	32
PID 2616 wrote to memory of 2424	2616	svchost.exe	32
PID 2616 wrote to memory of 2424	2616	svchost.exe	32
PID 2616 wrote to memory of 1596	2616	svchost.exe	36
PID 2616 wrote to memory of 1596	2616	svchost.exe	36
PID 2616 wrote to memory of 1596	2616	svchost.exe	36
PID 2616 wrote to memory of 1596	2616	svchost.exe	36
PID 2616 wrote to memory of 1956	2616	svchost.exe	38
PID 2616 wrote to memory of 1956	2616	svchost.exe	38
PID 2616 wrote to memory of 1956	2616	svchost.exe	38
PID 2616 wrote to memory of 1956	2616	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\9507429d0cb32ad5bcac3a4d48d4ddfd2803b7d5611df5affd327094e78f124c.exe
"C:\Users\Admin\AppData\Local\Temp\9507429d0cb32ad5bcac3a4d48d4ddfd2803b7d5611df5affd327094e78f124c.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2596
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2752
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2424
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
b5399fc4de16db32ea24a1585baa2d54

SHA1
2ea1210757ceff2f467d7a7c7b130ea975dd2156

SHA256
eb62559bcbf7fba671c7e89f01dcc4baf6078f3399e99e2a58f70a85afc71e6c

SHA512
33b7ac14c8d3ea9df929a306b953c123e03be15333f971ce73222cf6663a38cbba29ec0c38a10b4a5e6e08675358f57147f6d1cfe1bb527694efd978ee5131a6

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
89f4ae1974797572add59aa570df713f

SHA1
cbdf6398d4ea5a6bec641074e2d2dafbc811a848

SHA256
8f883281578d6271ccca8eeefd2d512d2864501040df6cf9915e1b30b813443c

SHA512
546fa72c970ea18e5d203f278b3713addcc8a7dd851e7a5b43c3760afead130f40c91d9c8bbc56ae38b4970763c1927f7d5b6c03025299eb48ae226d0420150e

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
a0a99b6ce203557f621d92ca1cffa22d

SHA1
81c8d09a8c9be110971ed29132a485ccfbd540a3

SHA256
e6bfa56f15f42e90433a8bff274526ee60bc9a62dd9e3eaba3c77b2b8c078ab1

SHA512
9157fcd742daa428620d69c6a84e53b75c83171d25341fd675a7495253ccac8f8fd74fb2f4e0630df72d75064726977f5985e4a885afa015ceecc5b9c563b722

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
f7469be45d4bf538994cf03717c5f5ba

SHA1
3bc6d5429228377d390af1dcf81435a0005fa7ca

SHA256
c5ec1ab17bcc141f2df7797e1608cc60417235c4e6a208cc707237d28c63f3e7

SHA512
626cdb0ab2ac23bacd7b552f6d9c86a555aa1350dcc548826a15e5bb821e549b117fd9ca3431933612212fbe95d21c1751ebeb325b2fbcb1c64a507ab1e5e6ee

Download Submit
memory/2280-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-13-0x00000000027B0000-0x00000000027DF000-memory.dmp

Filesize
188KB

Download
memory/2280-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-41-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/2652-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download