b11e7f479d21ce033de08506e61391b04f94ee6becdf579b6ffcbfeba7022717

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b11e7f479d21ce033de08506e61391b04f94ee6becdf579b6ffcbfeba7022717.exe
Size

206KB
MD5

0977ab785db2bc729a0554c7f2c58768
SHA1

43b2caa7e734d1325a010b793fc275636924f965
SHA256

b11e7f479d21ce033de08506e61391b04f94ee6becdf579b6ffcbfeba7022717
SHA512

505912453666d2ce8bc755d6dca6aceb37e392564615008990f10c784ce3c0a732e463123cfe92fac0162141223e6504f4cfe5a642b38cb0d3e30702f42009d6
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unR:zvEN2U+T6i5LirrllHy4HUcMQY6O

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
3672	explorer.exe
1356	spoolsv.exe
3808	svchost.exe
216	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	b11e7f479d21ce033de08506e61391b04f94ee6becdf579b6ffcbfeba7022717.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
888	b11e7f479d21ce033de08506e61391b04f94ee6becdf579b6ffcbfeba7022717.exe
888	b11e7f479d21ce033de08506e61391b04f94ee6becdf579b6ffcbfeba7022717.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe
3808	svchost.exe
3672	explorer.exe
3672	explorer.exe
3808	svchost.exe
3808	svchost.exe
3672	explorer.exe
3672	explorer.exe
3808	svchost.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe
3672	explorer.exe
3672	explorer.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe
3672	explorer.exe
3672	explorer.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe
3672	explorer.exe
3672	explorer.exe
3808	svchost.exe
3672	explorer.exe
3808	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3808	svchost.exe
3672	explorer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
888	b11e7f479d21ce033de08506e61391b04f94ee6becdf579b6ffcbfeba7022717.exe
888	b11e7f479d21ce033de08506e61391b04f94ee6becdf579b6ffcbfeba7022717.exe
3672	explorer.exe
3672	explorer.exe
1356	spoolsv.exe
1356	spoolsv.exe
3808	svchost.exe
3808	svchost.exe
216	spoolsv.exe
216	spoolsv.exe
3672	explorer.exe
3672	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 3672	888	b11e7f479d21ce033de08506e61391b04f94ee6becdf579b6ffcbfeba7022717.exe	85
PID 888 wrote to memory of 3672	888	b11e7f479d21ce033de08506e61391b04f94ee6becdf579b6ffcbfeba7022717.exe	85
PID 888 wrote to memory of 3672	888	b11e7f479d21ce033de08506e61391b04f94ee6becdf579b6ffcbfeba7022717.exe	85
PID 3672 wrote to memory of 1356	3672	explorer.exe	86
PID 3672 wrote to memory of 1356	3672	explorer.exe	86
PID 3672 wrote to memory of 1356	3672	explorer.exe	86
PID 1356 wrote to memory of 3808	1356	spoolsv.exe	88
PID 1356 wrote to memory of 3808	1356	spoolsv.exe	88
PID 1356 wrote to memory of 3808	1356	spoolsv.exe	88
PID 3808 wrote to memory of 216	3808	svchost.exe	90
PID 3808 wrote to memory of 216	3808	svchost.exe	90
PID 3808 wrote to memory of 216	3808	svchost.exe	90
PID 3808 wrote to memory of 1164	3808	svchost.exe	91
PID 3808 wrote to memory of 1164	3808	svchost.exe	91
PID 3808 wrote to memory of 1164	3808	svchost.exe	91
PID 3808 wrote to memory of 4344	3808	svchost.exe	103
PID 3808 wrote to memory of 4344	3808	svchost.exe	103
PID 3808 wrote to memory of 4344	3808	svchost.exe	103
PID 3808 wrote to memory of 3892	3808	svchost.exe	105
PID 3808 wrote to memory of 3892	3808	svchost.exe	105
PID 3808 wrote to memory of 3892	3808	svchost.exe	105

C:\Users\Admin\AppData\Local\Temp\b11e7f479d21ce033de08506e61391b04f94ee6becdf579b6ffcbfeba7022717.exe
"C:\Users\Admin\AppData\Local\Temp\b11e7f479d21ce033de08506e61391b04f94ee6becdf579b6ffcbfeba7022717.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:888
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3672
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:216
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1164
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4344
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
6ab0b76cb2fffe6ca9756a964ccdbc30

SHA1
24611db817b4c1fb8964b47836d11ec235e3f23b

SHA256
761a8eacc7257216a9345bc50c05f26dd829fe02dbed5b91e469d26c7e8de1a9

SHA512
585a1ed96a4f7a6d7b4f078d785155bc18da2aaa5d6e75e5cd2417052b6696c59bfc3fe61397a7d4f2fe2a172fb151944b494d2c78a4a8e3c40f059287e6efbc

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
207KB

MD5
ed30b8160ee3b79feda01ffa6c4a7c7e

SHA1
b4ef431d945e94fd2311e27e26965f238ba7c843

SHA256
4ea63be689e07982fea30cb82b1dab6a3f2a0ab751504f686d9b06aebb4e3725

SHA512
9059da7233bb8edc60b7d822cd779b0b1d0850ecd37f0805500e34e59e2396405c52e9a9a960fd0e8d7d17243695fbabcc39f4b9b79c4d2159653822059fb321

Download Submit
C:\Windows\System\svchost.exe

Filesize
207KB

MD5
1f449c789acb40410d7837534ccf1bc0

SHA1
aecc14e421cf8225d82d7402a798ce2d74d67ae1

SHA256
edb24ced603961d5c3ee218fd76788f0e120ad8a1aee29fad5b4716d71021f67

SHA512
1cb186727b7298c519dd7d16a8f2ae4e5aba00443a70d84e73c17845c338eeeedd95801a40688aac9babc20def071bb90288bae76008fd6e393b8d49fbcc640c

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
206KB

MD5
a64a7258e2e55024598487c069fe182d

SHA1
cde20ee2d7437134ec637aa737c7a5435ee302da

SHA256
cf3c661ac52c97acd1f6d3fcb3c61c1fd437a9728105a68c53f270a5034acdc2

SHA512
1a91f15f130294b1c5f8413f08ab249b5e6530d35fc21d488df7afe9b6f4b18db410ca760d91f279086bfa1424dac5eda3ad5fec0659db434053f9109b8b8b4d

Download Submit