b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe
Size

211KB
MD5

0a906cbedaa80549e3e0a8a3d1f09c17
SHA1

30468226717472118baa4ff4a010689c1401ded2
SHA256

b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95
SHA512

ea541d39434d5e246fa6c620531a975d33348fbca3aecb7fa212f6daf319b6b16a66719d78ae5a6c93b11bd7830b724c8d96a0638cf555bf4da7a72ebae97efa
SSDEEP

3072:hvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u6G:hvEN2U+T6i5LirrllHy4HUcMQY6G

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Detects executables with modified PE resources using the unpaid version of Resource Tuner 4 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122cd-5.dat	INDICATOR_SUSPICIOUS_EXE_PE_ResourceTuner
behavioral1/files/0x0009000000014e51-18.dat	INDICATOR_SUSPICIOUS_EXE_PE_ResourceTuner
behavioral1/files/0x0008000000015653-31.dat	INDICATOR_SUSPICIOUS_EXE_PE_ResourceTuner
behavioral1/files/0x000b00000001566b-50.dat	INDICATOR_SUSPICIOUS_EXE_PE_ResourceTuner

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1932	explorer.exe
2496	spoolsv.exe
2688	svchost.exe
2420	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1652	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe
1652	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe
1932	explorer.exe
1932	explorer.exe
2496	spoolsv.exe
2496	spoolsv.exe
2688	svchost.exe
2688	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1652	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe
1932	explorer.exe
1932	explorer.exe
1932	explorer.exe
2688	svchost.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe
1932	explorer.exe
2688	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1932	explorer.exe
2688	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1652	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe
1652	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe
1932	explorer.exe
1932	explorer.exe
2496	spoolsv.exe
2496	spoolsv.exe
2688	svchost.exe
2688	svchost.exe
2420	spoolsv.exe
2420	spoolsv.exe
1932	explorer.exe
1932	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1932	1652	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe	28
PID 1652 wrote to memory of 1932	1652	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe	28
PID 1652 wrote to memory of 1932	1652	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe	28
PID 1652 wrote to memory of 1932	1652	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe	28
PID 1932 wrote to memory of 2496	1932	explorer.exe	29
PID 1932 wrote to memory of 2496	1932	explorer.exe	29
PID 1932 wrote to memory of 2496	1932	explorer.exe	29
PID 1932 wrote to memory of 2496	1932	explorer.exe	29
PID 2496 wrote to memory of 2688	2496	spoolsv.exe	30
PID 2496 wrote to memory of 2688	2496	spoolsv.exe	30
PID 2496 wrote to memory of 2688	2496	spoolsv.exe	30
PID 2496 wrote to memory of 2688	2496	spoolsv.exe	30
PID 2688 wrote to memory of 2420	2688	svchost.exe	31
PID 2688 wrote to memory of 2420	2688	svchost.exe	31
PID 2688 wrote to memory of 2420	2688	svchost.exe	31
PID 2688 wrote to memory of 2420	2688	svchost.exe	31
PID 2688 wrote to memory of 2388	2688	svchost.exe	32
PID 2688 wrote to memory of 2388	2688	svchost.exe	32
PID 2688 wrote to memory of 2388	2688	svchost.exe	32
PID 2688 wrote to memory of 2388	2688	svchost.exe	32
PID 2688 wrote to memory of 1500	2688	svchost.exe	36
PID 2688 wrote to memory of 1500	2688	svchost.exe	36
PID 2688 wrote to memory of 1500	2688	svchost.exe	36
PID 2688 wrote to memory of 1500	2688	svchost.exe	36
PID 2688 wrote to memory of 2212	2688	svchost.exe	38
PID 2688 wrote to memory of 2212	2688	svchost.exe	38
PID 2688 wrote to memory of 2212	2688	svchost.exe	38
PID 2688 wrote to memory of 2212	2688	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe
"C:\Users\Admin\AppData\Local\Temp\b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1932
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2420
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2388
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1500
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
211KB

MD5
11d4c99ff9f284e491bf63a001ad2297

SHA1
41ec004d8e51f9316b2595756b9ccfaf78c56ce9

SHA256
c30ec30da89481be7976425018a906860d7938b21598a4bfda8bbbf30d5e6b88

SHA512
c50562488deb65d33f3a3282abfc1e738757ae2322a8013969ba9ecf0b67f6cd4c5c1d5e349d942e7330a5040600cb3b7e01a74a9048ccf444f3881c2d6006a5

Download Submit
\Windows\system\explorer.exe

Filesize
211KB

MD5
487028d9f483e7e80ca279c354277935

SHA1
c0fa5ab1cae2d65922dcb798993531fc47b76987

SHA256
d31a187117e304a49690c2d0d5e4fae7de41e4dedcfe14115fe6eb5f9bf2ebf4

SHA512
f033cbd60a16f49b86bcc995095aeeb2385be3b721fa09156f71ec622c3c9b39556b09ac9fc0d2568ff024c4e9274ca374ae94a790b33fc58e8c79a0458133a6

Download Submit
\Windows\system\spoolsv.exe

Filesize
211KB

MD5
f8205441f28fa4b84f0debff25c6ad35

SHA1
844e143b2369ada9f5c53f803ff97b1e8a1d67bb

SHA256
2ee1873225f5e1851978707e6bcf33202ffeb5c883d5d67f937c22fa71b290fc

SHA512
4bd5db96a34ed81aff3fad546bd84593fb0b0e9946807d94dd0a64c00ae3ee74db7334bfc7676986507b16e328f713621f765d1de0282083b3f809832e9c81b3

Download Submit
\Windows\system\svchost.exe

Filesize
211KB

MD5
1f38b5f682ef7b64bdc18c4935df1082

SHA1
4e97d1bf5af3e14c940c77433740834d3e69ceed

SHA256
c9c9c5255d5451c450d02c0add4c02912543f77bc7f9e60b9a4b1b50be57391e

SHA512
8e13da61572a2a4c66b2a5166168efeda79a0a824087cdd560a2c7d318f1983daa5ecf976d0ead7f4bc4ad9dd9f8c9c793d0a61cc12867b41208e18496cdf7af

Download Submit