b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe
Size

211KB
MD5

0a906cbedaa80549e3e0a8a3d1f09c17
SHA1

30468226717472118baa4ff4a010689c1401ded2
SHA256

b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95
SHA512

ea541d39434d5e246fa6c620531a975d33348fbca3aecb7fa212f6daf319b6b16a66719d78ae5a6c93b11bd7830b724c8d96a0638cf555bf4da7a72ebae97efa
SSDEEP

3072:hvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u6G:hvEN2U+T6i5LirrllHy4HUcMQY6G

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Detects executables with modified PE resources using the unpaid version of Resource Tuner 4 IoCs

resource	yara_rule
behavioral2/files/0x00090000000231f5-6.dat	INDICATOR_SUSPICIOUS_EXE_PE_ResourceTuner
behavioral2/files/0x00070000000231fc-12.dat	INDICATOR_SUSPICIOUS_EXE_PE_ResourceTuner
behavioral2/files/0x00070000000231fe-22.dat	INDICATOR_SUSPICIOUS_EXE_PE_ResourceTuner
behavioral2/files/0x00080000000231fd-33.dat	INDICATOR_SUSPICIOUS_EXE_PE_ResourceTuner

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1212	explorer.exe
2608	spoolsv.exe
800	svchost.exe
1184	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
728	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe
728	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe
1212	explorer.exe
1212	explorer.exe
1212	explorer.exe
1212	explorer.exe
1212	explorer.exe
1212	explorer.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
1212	explorer.exe
1212	explorer.exe
800	svchost.exe
800	svchost.exe
1212	explorer.exe
1212	explorer.exe
800	svchost.exe
800	svchost.exe
1212	explorer.exe
1212	explorer.exe
800	svchost.exe
800	svchost.exe
1212	explorer.exe
1212	explorer.exe
800	svchost.exe
800	svchost.exe
1212	explorer.exe
1212	explorer.exe
800	svchost.exe
800	svchost.exe
1212	explorer.exe
1212	explorer.exe
800	svchost.exe
800	svchost.exe
1212	explorer.exe
1212	explorer.exe
800	svchost.exe
800	svchost.exe
1212	explorer.exe
1212	explorer.exe
800	svchost.exe
800	svchost.exe
1212	explorer.exe
1212	explorer.exe
800	svchost.exe
800	svchost.exe
1212	explorer.exe
1212	explorer.exe
800	svchost.exe
800	svchost.exe
1212	explorer.exe
1212	explorer.exe
800	svchost.exe
800	svchost.exe
1212	explorer.exe
1212	explorer.exe
800	svchost.exe
800	svchost.exe
1212	explorer.exe
1212	explorer.exe
800	svchost.exe
800	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1212	explorer.exe
800	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
728	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe
728	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe
1212	explorer.exe
1212	explorer.exe
2608	spoolsv.exe
2608	spoolsv.exe
800	svchost.exe
800	svchost.exe
1184	spoolsv.exe
1184	spoolsv.exe
1212	explorer.exe
1212	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 1212	728	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe	83
PID 728 wrote to memory of 1212	728	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe	83
PID 728 wrote to memory of 1212	728	b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe	83
PID 1212 wrote to memory of 2608	1212	explorer.exe	84
PID 1212 wrote to memory of 2608	1212	explorer.exe	84
PID 1212 wrote to memory of 2608	1212	explorer.exe	84
PID 2608 wrote to memory of 800	2608	spoolsv.exe	85
PID 2608 wrote to memory of 800	2608	spoolsv.exe	85
PID 2608 wrote to memory of 800	2608	spoolsv.exe	85
PID 800 wrote to memory of 1184	800	svchost.exe	86
PID 800 wrote to memory of 1184	800	svchost.exe	86
PID 800 wrote to memory of 1184	800	svchost.exe	86
PID 800 wrote to memory of 4472	800	svchost.exe	87
PID 800 wrote to memory of 4472	800	svchost.exe	87
PID 800 wrote to memory of 4472	800	svchost.exe	87
PID 800 wrote to memory of 2368	800	svchost.exe	97
PID 800 wrote to memory of 2368	800	svchost.exe	97
PID 800 wrote to memory of 2368	800	svchost.exe	97
PID 800 wrote to memory of 4752	800	svchost.exe	99
PID 800 wrote to memory of 4752	800	svchost.exe	99
PID 800 wrote to memory of 4752	800	svchost.exe	99

C:\Users\Admin\AppData\Local\Temp\b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe
"C:\Users\Admin\AppData\Local\Temp\b3adf53eda8f1593145e2b8e1d2f5f9d885fbd8b24ddc768c67746a44724ff95.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:728
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1212
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1184
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4472
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2368
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
211KB

MD5
a89fad2b7b2a6d8e2ccd35d0fc73e591

SHA1
fb23e6c40a71bce3fdb279daafac162cc468bad1

SHA256
0c3f22874750c8141ab702d471f07352260993d244830c67c9b4f0b17dec5f7b

SHA512
a3abd0efb18563cf1e1ba6ddd10b0090bd2b37b09f80d8a9f5d69176bf074b69cade20274da263f3e0bf6b4d64919407db60981b9bf2cb6499f16aeb5f010371

Download Submit
C:\Windows\System\explorer.exe

Filesize
211KB

MD5
ed75e897d452498339ff47ef1b823cd9

SHA1
c63ab8867c463b5ab2072e2b35bc71c49a3fe476

SHA256
a5d6e85f56b3755665eda7c15f4bf1adc2a49279fdf8d03c0e2e9954ff607289

SHA512
bbafcedc593b56b284fe3c5a2a200e56a3b18142b916afaeb8c82585552d9c74867af850095e98c53ceeba5eeeb681a1d90cd05d7e9b3ea73ecfc09064c71f7d

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
211KB

MD5
1008bff7f22f39a6c0bf27cbb3740cb3

SHA1
e6f9736b27ee3f8f7f52b6823d83d556e3f00ac2

SHA256
79f6b6b10dd355e749168dcc25fd79ebb3004afc6155e505bdbbd0950a74e543

SHA512
6f1791ebeb38dffb6e2206c795c540dacc2f6c0f7302e8ab4acf6feaf57124b8fbdc17844abdbb77a50073d55cf23801f5368f3116349519835142c20eb1c3ff

Download Submit
C:\Windows\System\svchost.exe

Filesize
211KB

MD5
891d4bd2aef41bf0e042f29846ad6d84

SHA1
de3255779d82242b2a37ae4206e6ff8a0df8c536

SHA256
be042f3309ec837caac1481ac427bc97a124c453f22f9aece4bb581f9ec05166

SHA512
132cfa9be434b02d1edc03cf10f8ff3f82ae43be06f9f4cb02fe234ee3a6719ad81d02b931b5f49de8527c37489bf170a23e441374e79c33b2fb711a5ea745df

Download Submit