bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
Size

373KB
MD5

de5ca1c8ae8d17cdf1325a553a9ab49c
SHA1

064e73d5bbe85f592aeb9b526c6784838c25583f
SHA256

bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63
SHA512

bbd421bd089c140d8a1b7bde2c1bbf11120e321f2a4e52382825890e198a1d0f9077a6aea0ae7ff9e2035a2adeb9433873453b57de569ca25cc09b705566ad59
SSDEEP

6144:nvEN2U+T6i5LirrllHy4HUcMQY6nzGnEDdilYJOUYzGnEDdilYJOUd:vENN+T5xYrllrU7QY6zGnO8YJwGnO8YR

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1648	explorer.exe
2484	spoolsv.exe
4112	svchost.exe
2204	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4480	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
4480	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
4112	svchost.exe
4112	svchost.exe
4112	svchost.exe
4112	svchost.exe
1648	explorer.exe
1648	explorer.exe
4112	svchost.exe
4112	svchost.exe
1648	explorer.exe
1648	explorer.exe
4112	svchost.exe
4112	svchost.exe
1648	explorer.exe
1648	explorer.exe
4112	svchost.exe
4112	svchost.exe
1648	explorer.exe
1648	explorer.exe
4112	svchost.exe
4112	svchost.exe
1648	explorer.exe
1648	explorer.exe
4112	svchost.exe
4112	svchost.exe
1648	explorer.exe
1648	explorer.exe
4112	svchost.exe
4112	svchost.exe
1648	explorer.exe
1648	explorer.exe
4112	svchost.exe
4112	svchost.exe
1648	explorer.exe
1648	explorer.exe
4112	svchost.exe
4112	svchost.exe
1648	explorer.exe
1648	explorer.exe
4112	svchost.exe
4112	svchost.exe
1648	explorer.exe
1648	explorer.exe
4112	svchost.exe
4112	svchost.exe
1648	explorer.exe
1648	explorer.exe
4112	svchost.exe
4112	svchost.exe
1648	explorer.exe
1648	explorer.exe
4112	svchost.exe
4112	svchost.exe
1648	explorer.exe
1648	explorer.exe
4112	svchost.exe
4112	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1648	explorer.exe
4112	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4480	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
4480	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
1648	explorer.exe
1648	explorer.exe
2484	spoolsv.exe
2484	spoolsv.exe
4112	svchost.exe
4112	svchost.exe
2204	spoolsv.exe
2204	spoolsv.exe
1648	explorer.exe
1648	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 1648	4480	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe	86
PID 4480 wrote to memory of 1648	4480	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe	86
PID 4480 wrote to memory of 1648	4480	bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe	86
PID 1648 wrote to memory of 2484	1648	explorer.exe	88
PID 1648 wrote to memory of 2484	1648	explorer.exe	88
PID 1648 wrote to memory of 2484	1648	explorer.exe	88
PID 2484 wrote to memory of 4112	2484	spoolsv.exe	89
PID 2484 wrote to memory of 4112	2484	spoolsv.exe	89
PID 2484 wrote to memory of 4112	2484	spoolsv.exe	89
PID 4112 wrote to memory of 2204	4112	svchost.exe	90
PID 4112 wrote to memory of 2204	4112	svchost.exe	90
PID 4112 wrote to memory of 2204	4112	svchost.exe	90
PID 4112 wrote to memory of 4488	4112	svchost.exe	91
PID 4112 wrote to memory of 4488	4112	svchost.exe	91
PID 4112 wrote to memory of 4488	4112	svchost.exe	91
PID 4112 wrote to memory of 3436	4112	svchost.exe	103
PID 4112 wrote to memory of 3436	4112	svchost.exe	103
PID 4112 wrote to memory of 3436	4112	svchost.exe	103
PID 4112 wrote to memory of 2916	4112	svchost.exe	105
PID 4112 wrote to memory of 2916	4112	svchost.exe	105
PID 4112 wrote to memory of 2916	4112	svchost.exe	105

C:\Users\Admin\AppData\Local\Temp\bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
"C:\Users\Admin\AppData\Local\Temp\bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1648
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2204
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4488
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:3436
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
373KB

MD5
4586a205925089ae2e25dbb59fad0119

SHA1
542e238fdf21ebb05b5dbfa723fd74cce7df3389

SHA256
6d1a1a01a71fa6a910556b9bdd6746988c0f76ca76c1aa50fc5052d38db8510a

SHA512
6f0b5d4bf32a35e39cb3999133192749ae862a80226df8ad2ef0c586adc5e7103e2e8bc98670e83173b288a63fb55ac4e2d683f9911e92a5d6e489ae7d870890

Download Submit
C:\Windows\System\explorer.exe

Filesize
373KB

MD5
fcdd470e697ed925cf6a79edf1734b4f

SHA1
3ba0ec883b9be065694653daa4f01aa8c82a1afa

SHA256
52f345f4f0858e452fa98a3ea41fd8847564551ebd0b15e1d2bcbc563727fcf9

SHA512
e00c0a2262024981ce9b3ad8e5f34ce2367ab91a4f4c49d3dbbe98d5966cb50ff787ed2210263856ceedcbc84b522f5d4316c998202cdb2d5e60ef9589c41732

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
373KB

MD5
d6bb79165da6ebaa40db91e0f86c94a9

SHA1
00cb1a659a7560ec96330d7a7e69fbe1e90f483f

SHA256
28d4285eeebb25c575a6b5abe3dd36e6f64017b8f6f631ad3ff56b39b3e06f1f

SHA512
85ddbabe58c80ffb69f127a7bdb418ec71eb001b712bb80223ed0e5a4a357ebfdef3c2b8c3da8df3115e0f472a885375baa6f9639793b1e7d80f54d9c48b60d8

Download Submit
C:\Windows\System\svchost.exe

Filesize
373KB

MD5
7fc909130286a6eb4d878c75f3b2b90e

SHA1
051a6aedd2beb258cc5065e44aa2484d0ddb9ac7

SHA256
3730744eae10702e3518ab89abba44fe54df56b36e920a075df2392bbf114e63

SHA512
eb94a7edf2eb74d4d75ac7334c2d6c7459f747006fe57bd348b143d3bc7440a13d8f23575a8be719f4e9a1df54c0aa60d83fc0c245ca6c42b9b17c41987f78bf

Download Submit