fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49.exe
Size

211KB
MD5

123595dbb144cdf5b16c0ca6fd605a8e
SHA1

a0fbaefdc45c4998df189ff1ed8a1275dcf9340a
SHA256

fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49
SHA512

fb28bc28928222771919925e9549e4f7f92deda86ee9bb185cd6f6afe3576f7d9cd013bebc0b4dca7307e4414981dabc9abb8d4ed1328ed3eec5246a023d6f3c
SSDEEP

3072:WD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOQ:Wh8cBzHLRMpZ4d1ZQ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	swchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	swchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	userinit.exe

Executes dropped EXE 4 IoCs

pid	Process
4180	userinit.exe
3504	spoolsw.exe
1312	swchost.exe
4088	spoolsw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	userinit.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system\udsys.exe	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\userinit.exe	fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49.exe
File opened for modification	\??\c:\windows\spoolsw.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	spoolsw.exe
File opened for modification	\??\c:\windows\userinit.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	swchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4396	fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49.exe
4396	fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49.exe
4180	userinit.exe
4180	userinit.exe
4180	userinit.exe
4180	userinit.exe
4180	userinit.exe
4180	userinit.exe
4180	userinit.exe
1312	swchost.exe
4180	userinit.exe
1312	swchost.exe
1312	swchost.exe
1312	swchost.exe
1312	swchost.exe
4180	userinit.exe
1312	swchost.exe
4180	userinit.exe
4180	userinit.exe
1312	swchost.exe
4180	userinit.exe
1312	swchost.exe
4180	userinit.exe
1312	swchost.exe
4180	userinit.exe
1312	swchost.exe
1312	swchost.exe
4180	userinit.exe
1312	swchost.exe
4180	userinit.exe
1312	swchost.exe
4180	userinit.exe
4180	userinit.exe
1312	swchost.exe
1312	swchost.exe
4180	userinit.exe
4180	userinit.exe
1312	swchost.exe
1312	swchost.exe
4180	userinit.exe
1312	swchost.exe
4180	userinit.exe
4180	userinit.exe
1312	swchost.exe
4180	userinit.exe
1312	swchost.exe
1312	swchost.exe
4180	userinit.exe
1312	swchost.exe
4180	userinit.exe
4180	userinit.exe
1312	swchost.exe
1312	swchost.exe
4180	userinit.exe
4180	userinit.exe
1312	swchost.exe
1312	swchost.exe
4180	userinit.exe
1312	swchost.exe
4180	userinit.exe
4180	userinit.exe
1312	swchost.exe
1312	swchost.exe
1312	swchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4180	userinit.exe
1312	swchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4396	fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49.exe
4396	fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49.exe
4180	userinit.exe
4180	userinit.exe
3504	spoolsw.exe
3504	spoolsw.exe
1312	swchost.exe
1312	swchost.exe
4088	spoolsw.exe
4088	spoolsw.exe
4180	userinit.exe
4180	userinit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 4180	4396	fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49.exe	87
PID 4396 wrote to memory of 4180	4396	fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49.exe	87
PID 4396 wrote to memory of 4180	4396	fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49.exe	87
PID 4180 wrote to memory of 3504	4180	userinit.exe	88
PID 4180 wrote to memory of 3504	4180	userinit.exe	88
PID 4180 wrote to memory of 3504	4180	userinit.exe	88
PID 3504 wrote to memory of 1312	3504	spoolsw.exe	89
PID 3504 wrote to memory of 1312	3504	spoolsw.exe	89
PID 3504 wrote to memory of 1312	3504	spoolsw.exe	89
PID 1312 wrote to memory of 4088	1312	swchost.exe	90
PID 1312 wrote to memory of 4088	1312	swchost.exe	90
PID 1312 wrote to memory of 4088	1312	swchost.exe	90

C:\Users\Admin\AppData\Local\Temp\fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49.exe
"C:\Users\Admin\AppData\Local\Temp\fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4396
- \??\c:\windows\userinit.exe
  c:\windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4180
- - \??\c:\windows\spoolsw.exe
    c:\windows\spoolsw.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - \??\c:\windows\swchost.exe
      c:\windows\swchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1312
    - - \??\c:\windows\spoolsw.exe
        
        c:\windows\spoolsw.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mrsys.exe

Filesize
211KB

MD5
9bb148287eebb3ef3a64ff8a0c3d1212

SHA1
9a4eba94add39ab3358e01af49b0b242a887b354

SHA256
db717cc642f9c927a948fa80c4154e69931c6fb0642ba8dae6af192d6a040394

SHA512
6c9b16a4154d1fe52580670a853c7c45bdac1f9fc4323dffd1db6731f2039c8ef448496a0b8cd3156e4a04e346cecb432b7faeeca8e39f156b6499ad3a214ea2

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
e74dcab148676731d46001704b7aafc8

SHA1
c766e3f0995ed04520eda65cec66a26c372d8f22

SHA256
0e51a4d8f1c838a3d11b7de0f4ade28d1dedc1d7255d48c9d4429aa1a8fd838b

SHA512
defc6044d0a70058911b7ae3684958922f984cd23d312bde0f908dfac76b11d522e451bd3687b51e9ab313feb8122e4b447ef9fb115d1474d836f5d92a55eeda

Download Submit
C:\Windows\swchost.exe

Filesize
211KB

MD5
bbcc65005c0630f3b93a620016188ddc

SHA1
aab81b7e218bc2743769d38dcac70f2dde049294

SHA256
e3eb55258ab4d87857b6759e4874a69d31837d6c46b69da3a5ebba0672e140ba

SHA512
a35948d045ec599937a2581ae51ff36c00fe59637531eedeaef08880931e379874a3ee0e9f45c02e00bbb96c6c5fc7b1f69b9f4ac91952a9535daf9f9f98b673

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
0aedb69ec899b94883acae3809b8b320

SHA1
0fbeb8709998a0462efb45fee9cd21d70fb7a9d1

SHA256
250af1d9bfa4c8c7e4eed344ebddccdd30a91f624d0867281bc696d0c8e0fb63

SHA512
fdca31171d0e0ddd12d7bf8427ea5a4074cb4c1ded7a7fd6f2b265151fc398840f775c52958e07693e163720033a13bcf0a1cf898b712c258aa4fa454c437ca4

Download Submit
memory/1312-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3504-36-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4088-33-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4396-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4396-37-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download