bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
Size

373KB
MD5

de5ca1c8ae8d17cdf1325a553a9ab49c
SHA1

064e73d5bbe85f592aeb9b526c6784838c25583f
SHA256

bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63
SHA512

bbd421bd089c140d8a1b7bde2c1bbf11120e321f2a4e52382825890e198a1d0f9077a6aea0ae7ff9e2035a2adeb9433873453b57de569ca25cc09b705566ad59
SSDEEP

6144:nvEN2U+T6i5LirrllHy4HUcMQY6nzGnEDdilYJOUYzGnEDdilYJOUd:vENN+T5xYrllrU7QY6zGnO8YJwGnO8YR

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3040	explorer.exe
2572	spoolsv.exe
2668	svchost.exe
2624	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2924	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
2924	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
3040	explorer.exe
3040	explorer.exe
2572	spoolsv.exe
2572	spoolsv.exe
2668	svchost.exe
2668	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
3040	explorer.exe
3040	explorer.exe
3040	explorer.exe
2668	svchost.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe
3040	explorer.exe
2668	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3040	explorer.exe
2668	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2924	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
2924	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
3040	explorer.exe
3040	explorer.exe
2572	spoolsv.exe
2572	spoolsv.exe
2668	svchost.exe
2668	svchost.exe
2624	spoolsv.exe
2624	spoolsv.exe
3040	explorer.exe
3040	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 3040	2924	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe	28
PID 2924 wrote to memory of 3040	2924	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe	28
PID 2924 wrote to memory of 3040	2924	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe	28
PID 2924 wrote to memory of 3040	2924	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe	28
PID 3040 wrote to memory of 2572	3040	explorer.exe	29
PID 3040 wrote to memory of 2572	3040	explorer.exe	29
PID 3040 wrote to memory of 2572	3040	explorer.exe	29
PID 3040 wrote to memory of 2572	3040	explorer.exe	29
PID 2572 wrote to memory of 2668	2572	spoolsv.exe	30
PID 2572 wrote to memory of 2668	2572	spoolsv.exe	30
PID 2572 wrote to memory of 2668	2572	spoolsv.exe	30
PID 2572 wrote to memory of 2668	2572	spoolsv.exe	30
PID 2668 wrote to memory of 2624	2668	svchost.exe	31
PID 2668 wrote to memory of 2624	2668	svchost.exe	31
PID 2668 wrote to memory of 2624	2668	svchost.exe	31
PID 2668 wrote to memory of 2624	2668	svchost.exe	31
PID 2668 wrote to memory of 2576	2668	svchost.exe	32
PID 2668 wrote to memory of 2576	2668	svchost.exe	32
PID 2668 wrote to memory of 2576	2668	svchost.exe	32
PID 2668 wrote to memory of 2576	2668	svchost.exe	32
PID 2668 wrote to memory of 1964	2668	svchost.exe	36
PID 2668 wrote to memory of 1964	2668	svchost.exe	36
PID 2668 wrote to memory of 1964	2668	svchost.exe	36
PID 2668 wrote to memory of 1964	2668	svchost.exe	36
PID 2668 wrote to memory of 2820	2668	svchost.exe	38
PID 2668 wrote to memory of 2820	2668	svchost.exe	38
PID 2668 wrote to memory of 2820	2668	svchost.exe	38
PID 2668 wrote to memory of 2820	2668	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
"C:\Users\Admin\AppData\Local\Temp\bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3040
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2624
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2576
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
373KB

MD5
123828036c7a59a4f4407272742b3b5e

SHA1
c9f149ba3d61ca3870371b7e1c780a53b64fd288

SHA256
1b86e66cd09aea4be2b05d78802d2775a3b0ad8596f3cecc6eb502fdc7dc81ad

SHA512
8b17c95c95cd970a440ee5ddd73c506e218c5cf660ab144ba7c99cd48cef449a342cbc00c9ad661e3b7da433e6edd1a0994e6960177118c2fb491f4adaeaeca4

Download Submit
C:\Windows\system\explorer.exe

Filesize
373KB

MD5
66da84e86a90aa489a9648c956e3d927

SHA1
9840dc28518d2823f49eecdb98c50e9253f934f6

SHA256
dd2778a8989fca063e41a960a74f6df90c1be532f7b3d9806d3e62d006858b66

SHA512
71e135ac988f8206d0298818966e733bb97e5b461f01f27803a38d655347c39499d469f6a0c487e4e036bdd72247281c83a6f347bd93e50558a2b4cce11c4a45

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
373KB

MD5
38aef4f2df54525b3466d30d301868d8

SHA1
c21e26231c648b087362059ef9a9f390c3421898

SHA256
d639a697c60e61d6f543efb71591c8cbfd62081b67d2d304e9d75efd8fa3cb31

SHA512
43caafe9ee2bb20e95cc5c24bb0b492938a879311ade4ed97ac7dc4b87099096d7d651ed41eac30e13969645f6561e5b6873a84718cff58d8dc99f533e9a459f

Download Submit
C:\Windows\system\svchost.exe

Filesize
373KB

MD5
94db15805f01b168dd13e7b78bc1c35d

SHA1
7af18fc6175032163299f6087339dd8ae1b7c76e

SHA256
784585d9dd7325d7981c8ea627569f57339f630e6f20eaa9fe4ed077ed14b22b

SHA512
cab7f71acf9cc956b4c612861461e8d154464af06a42530d3f0ef3bbc306930f7bfa6f0691d007d157362759af065f0020804106452102b388046f143908e7d3

Download Submit