3427a3de054f8448871f3b2f58ad33d0b5893b9483cdc43399dd3fa8befcc77f

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3427a3de054f8448871f3b2f58ad33d0b5893b9483cdc43399dd3fa8befcc77f.exe
Size

211KB
MD5

c51fc2f3b5baf94edd0a789e86064513
SHA1

e5bd7871977d8edb5374035ef4d6628cf9514889
SHA256

3427a3de054f8448871f3b2f58ad33d0b5893b9483cdc43399dd3fa8befcc77f
SHA512

2d6a8aae9161ebc43abcefcac70363f1dd4cfafd874117c52f2ff0c1dc5e28ac512cc6e70bb24c5d799939395e609ec05e26a526d02808b014388f73c97e637d
SSDEEP

3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqON:Jh8cBzHLRMpZ4d1ZN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	swchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	swchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	userinit.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2688	userinit.exe
2556	spoolsw.exe
2452	swchost.exe
2444	spoolsw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	swchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system\udsys.exe	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\userinit.exe	3427a3de054f8448871f3b2f58ad33d0b5893b9483cdc43399dd3fa8befcc77f.exe
File opened for modification	\??\c:\windows\spoolsw.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	spoolsw.exe
File opened for modification	\??\c:\windows\userinit.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	swchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	3427a3de054f8448871f3b2f58ad33d0b5893b9483cdc43399dd3fa8befcc77f.exe
2688	userinit.exe
2688	userinit.exe
2688	userinit.exe
2688	userinit.exe
2452	swchost.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe
2452	swchost.exe
2688	userinit.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2688	userinit.exe
2452	swchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1704	3427a3de054f8448871f3b2f58ad33d0b5893b9483cdc43399dd3fa8befcc77f.exe
1704	3427a3de054f8448871f3b2f58ad33d0b5893b9483cdc43399dd3fa8befcc77f.exe
2688	userinit.exe
2688	userinit.exe
2556	spoolsw.exe
2556	spoolsw.exe
2452	swchost.exe
2452	swchost.exe
2444	spoolsw.exe
2444	spoolsw.exe
2688	userinit.exe
2688	userinit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2688	1704	3427a3de054f8448871f3b2f58ad33d0b5893b9483cdc43399dd3fa8befcc77f.exe	29
PID 1704 wrote to memory of 2688	1704	3427a3de054f8448871f3b2f58ad33d0b5893b9483cdc43399dd3fa8befcc77f.exe	29
PID 1704 wrote to memory of 2688	1704	3427a3de054f8448871f3b2f58ad33d0b5893b9483cdc43399dd3fa8befcc77f.exe	29
PID 1704 wrote to memory of 2688	1704	3427a3de054f8448871f3b2f58ad33d0b5893b9483cdc43399dd3fa8befcc77f.exe	29
PID 2688 wrote to memory of 2556	2688	userinit.exe	30
PID 2688 wrote to memory of 2556	2688	userinit.exe	30
PID 2688 wrote to memory of 2556	2688	userinit.exe	30
PID 2688 wrote to memory of 2556	2688	userinit.exe	30
PID 2556 wrote to memory of 2452	2556	spoolsw.exe	31
PID 2556 wrote to memory of 2452	2556	spoolsw.exe	31
PID 2556 wrote to memory of 2452	2556	spoolsw.exe	31
PID 2556 wrote to memory of 2452	2556	spoolsw.exe	31
PID 2452 wrote to memory of 2444	2452	swchost.exe	32
PID 2452 wrote to memory of 2444	2452	swchost.exe	32
PID 2452 wrote to memory of 2444	2452	swchost.exe	32
PID 2452 wrote to memory of 2444	2452	swchost.exe	32

C:\Users\Admin\AppData\Local\Temp\3427a3de054f8448871f3b2f58ad33d0b5893b9483cdc43399dd3fa8befcc77f.exe
"C:\Users\Admin\AppData\Local\Temp\3427a3de054f8448871f3b2f58ad33d0b5893b9483cdc43399dd3fa8befcc77f.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704
- \??\c:\windows\userinit.exe
  c:\windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2688
- - \??\c:\windows\spoolsw.exe
    c:\windows\spoolsw.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - \??\c:\windows\swchost.exe
      c:\windows\swchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2452
    - - \??\c:\windows\spoolsw.exe
        
        c:\windows\spoolsw.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mrsys.exe

Filesize
211KB

MD5
a4e3338f0509343e0ffb4f43219387bc

SHA1
168e01692fd85fca422f0abc1171394dc14a501e

SHA256
4419e0fe8572fe04041d1222b1f3d1322bdffe9b8df30c805f246027d769a4f0

SHA512
cc2311601b50c76aba16ad03212fda2ec35f0e365cfb2c87f977a13c4a15c009cd22006988ef466bd4898d73c21ed984279289399e80c76ce685e8bcf33f95df

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
5d699bcd5966f70eb25267b675a713ae

SHA1
8d67d26f9c893ce9955b6922c4cdca0e0f6d2dee

SHA256
d225dc55bb24b94bd8aef046516269032a7b6d57e56f86588f0490a81e47d742

SHA512
89285be54573134a488e0fcaaf51d9f1b50be70f08bd5f8b7fae575189f18ee45e387579723c670e45f3f6065e9ef1b3d824d0c11d481cd2f903fbd999994205

Download Submit
C:\Windows\swchost.exe

Filesize
211KB

MD5
c4636ac18c94dee24f61fef84215adcf

SHA1
c9f82baeb82686d2c483d6a5da18fc52458d0cdc

SHA256
b9e2441dea9f13ed5294a69e11906b59fefa2d4c42fe179e171e9a57c7a8a076

SHA512
c614951a0fcc0f96a05d25d07dc826f7e3b1bbf78f2e607e111d7839704fb0f9acb894985519414e267be43e298647e29f0140c8cd34ab69ef8637e0c5d657d9

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
cf98ea9eaa5439915da124c99655fb3a

SHA1
c684bf2e90b5f2dda4cc8fc9c58828b4c99e9943

SHA256
d2f0d6b01725572ccd0485a7b1cbb274700f5eec55fb9973558b8a4f479ae8b5

SHA512
f62286f85115f07356069f477655918f6c3b517a7ef68bf4250b9b54f2d72c4ade3b5bf6c8030b591284a6aafef9f7546773445e31e8913eb12690afb75765c5

Download Submit