3dc8ed924f145649c4ded3f740bd627a8ae2a4adb78de9ec87248210f94387b0

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dc8ed924f145649c4ded3f740bd627a8ae2a4adb78de9ec87248210f94387b0.exe
Size

206KB
MD5

92ba2b484272b899b065a55ea8736932
SHA1

f20eae6446da818981bf29f0ea380a0c504051cf
SHA256

3dc8ed924f145649c4ded3f740bd627a8ae2a4adb78de9ec87248210f94387b0
SHA512

ff546ea3e32aebb1852d64cddc2aca9eecacb430fe7b5cd3b92362ebe4583d8428b9215a5a138e2d205b780f5eadc5456b013b3747f4bded8aa7c6f1c5a3b8a7
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6une:5vEN2U+T6i5LirrllHy4HUcMQY6j

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2160	explorer.exe
2668	spoolsv.exe
2228	svchost.exe
2800	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2192	3dc8ed924f145649c4ded3f740bd627a8ae2a4adb78de9ec87248210f94387b0.exe
2192	3dc8ed924f145649c4ded3f740bd627a8ae2a4adb78de9ec87248210f94387b0.exe
2160	explorer.exe
2160	explorer.exe
2668	spoolsv.exe
2668	spoolsv.exe
2228	svchost.exe
2228	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	3dc8ed924f145649c4ded3f740bd627a8ae2a4adb78de9ec87248210f94387b0.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2192	3dc8ed924f145649c4ded3f740bd627a8ae2a4adb78de9ec87248210f94387b0.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2228	svchost.exe
2228	svchost.exe
2160	explorer.exe
2228	svchost.exe
2160	explorer.exe
2228	svchost.exe
2160	explorer.exe
2228	svchost.exe
2160	explorer.exe
2160	explorer.exe
2228	svchost.exe
2160	explorer.exe
2228	svchost.exe
2160	explorer.exe
2228	svchost.exe
2160	explorer.exe
2228	svchost.exe
2160	explorer.exe
2228	svchost.exe
2160	explorer.exe
2228	svchost.exe
2228	svchost.exe
2160	explorer.exe
2160	explorer.exe
2228	svchost.exe
2228	svchost.exe
2160	explorer.exe
2160	explorer.exe
2228	svchost.exe
2228	svchost.exe
2160	explorer.exe
2160	explorer.exe
2228	svchost.exe
2228	svchost.exe
2160	explorer.exe
2228	svchost.exe
2160	explorer.exe
2160	explorer.exe
2228	svchost.exe
2160	explorer.exe
2228	svchost.exe
2228	svchost.exe
2160	explorer.exe
2228	svchost.exe
2160	explorer.exe
2228	svchost.exe
2160	explorer.exe
2228	svchost.exe
2160	explorer.exe
2160	explorer.exe
2228	svchost.exe
2160	explorer.exe
2228	svchost.exe
2228	svchost.exe
2160	explorer.exe
2160	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2160	explorer.exe
2228	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2192	3dc8ed924f145649c4ded3f740bd627a8ae2a4adb78de9ec87248210f94387b0.exe
2192	3dc8ed924f145649c4ded3f740bd627a8ae2a4adb78de9ec87248210f94387b0.exe
2160	explorer.exe
2160	explorer.exe
2668	spoolsv.exe
2668	spoolsv.exe
2228	svchost.exe
2228	svchost.exe
2800	spoolsv.exe
2800	spoolsv.exe
2160	explorer.exe
2160	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2160	2192	3dc8ed924f145649c4ded3f740bd627a8ae2a4adb78de9ec87248210f94387b0.exe	28
PID 2192 wrote to memory of 2160	2192	3dc8ed924f145649c4ded3f740bd627a8ae2a4adb78de9ec87248210f94387b0.exe	28
PID 2192 wrote to memory of 2160	2192	3dc8ed924f145649c4ded3f740bd627a8ae2a4adb78de9ec87248210f94387b0.exe	28
PID 2192 wrote to memory of 2160	2192	3dc8ed924f145649c4ded3f740bd627a8ae2a4adb78de9ec87248210f94387b0.exe	28
PID 2160 wrote to memory of 2668	2160	explorer.exe	29
PID 2160 wrote to memory of 2668	2160	explorer.exe	29
PID 2160 wrote to memory of 2668	2160	explorer.exe	29
PID 2160 wrote to memory of 2668	2160	explorer.exe	29
PID 2668 wrote to memory of 2228	2668	spoolsv.exe	30
PID 2668 wrote to memory of 2228	2668	spoolsv.exe	30
PID 2668 wrote to memory of 2228	2668	spoolsv.exe	30
PID 2668 wrote to memory of 2228	2668	spoolsv.exe	30
PID 2228 wrote to memory of 2800	2228	svchost.exe	31
PID 2228 wrote to memory of 2800	2228	svchost.exe	31
PID 2228 wrote to memory of 2800	2228	svchost.exe	31
PID 2228 wrote to memory of 2800	2228	svchost.exe	31
PID 2228 wrote to memory of 2476	2228	svchost.exe	32
PID 2228 wrote to memory of 2476	2228	svchost.exe	32
PID 2228 wrote to memory of 2476	2228	svchost.exe	32
PID 2228 wrote to memory of 2476	2228	svchost.exe	32
PID 2228 wrote to memory of 2632	2228	svchost.exe	36
PID 2228 wrote to memory of 2632	2228	svchost.exe	36
PID 2228 wrote to memory of 2632	2228	svchost.exe	36
PID 2228 wrote to memory of 2632	2228	svchost.exe	36
PID 2228 wrote to memory of 2024	2228	svchost.exe	38
PID 2228 wrote to memory of 2024	2228	svchost.exe	38
PID 2228 wrote to memory of 2024	2228	svchost.exe	38
PID 2228 wrote to memory of 2024	2228	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\3dc8ed924f145649c4ded3f740bd627a8ae2a4adb78de9ec87248210f94387b0.exe
"C:\Users\Admin\AppData\Local\Temp\3dc8ed924f145649c4ded3f740bd627a8ae2a4adb78de9ec87248210f94387b0.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2160
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2800
    - - C:\Windows\SysWOW64\at.exe
        
        at 21:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\at.exe
        
        at 21:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2632
    - - C:\Windows\SysWOW64\at.exe
        
        at 21:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
9a83c7b84231d619a0a929659668b8ed

SHA1
a9dde0b9b8bec7586d92619ebbced67b3bd6f090

SHA256
13c308167ae472f9f14ec1d14a4de4526f1c8388c0c04c0ec9b95902364ccf23

SHA512
20e5c04f112b1107497f1bff1f2c5f5f624d26df93012bb4de258a195b63d61690c54fe5c2b1dbba3031000902ae8b8898d8f5f7ac71d06d888b5a6090d2182e

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
97c5495fba4dac614244345ea406e71d

SHA1
af7bddb0d2fc5c61d5c5f0e9e9de5953d9aa8f4f

SHA256
92032aca109c5fee09accfcea5ae09fda0b1ee5de8da27d53003db198752b3a6

SHA512
04947129e34e39176c8740c174ce7e31b5e7d44e1fca1180e33df727d744d6ba6250aa97d92116e06ff40ced70d6d5688abf6cc64909d10cda83ecb9dfadab4d

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
d43d9d8c73c28bbdd9c6c801ddf4f506

SHA1
ab6e0996ab6905e95f64f6ca067cdfad21ebcf33

SHA256
73fba608d2404c1ce19b43b80c1ecfa33599ea12b6f81f840555bff99b432071

SHA512
58a4903c080ffaa90ef7bb55d774652dce17f1e65b4052778b9b684f0b9d43159ecbea30f25f8bdfd0f09e0e3ddfb1c6628546dcb9501cb74fd704eb6ffa20f3

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
6c9989a2ab8e5f8a76433fa143b9f461

SHA1
043ea94cf04765f27bd38916807da3a72ebb5af6

SHA256
b1b5cd49eeeaf794a5b2da2e614374e45a285b3dc7ca77489b620d1ea740fb9e

SHA512
a53ba6a32d4acc0929c316578fdec7b30cba022c5daf9127160347caaa6ec8e8c9f4b6ace3ea041673bfdbe6925c829e8013df8a62832d032fa3d7514bdc577c

Download Submit
memory/2160-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2160-28-0x00000000030F0000-0x0000000003130000-memory.dmp

Filesize
256KB

Download
memory/2192-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-12-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/2192-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-44-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download