Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-04-2024 03:56
Static task: static1
Behavioral task: behavioral1
  Sample: d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe
  Resource: win10v2004-20240412-en
General
Target: d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe
Size: 206KB
MD5: 038f12ac48bdbf7a6a4cde19fa5d4822
SHA1: 4204f2c1aca9e198cb92ed7d46ff205aa7725f25
SHA256: d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908
SHA512: b01f573a7635ddada8e8ce8eacf480cda1da8f355a7a33b190bf52739dcc070700599f797cfa01fb3911f8813236aa09432e53fa566972759d7e29522feb1cee
SSDEEP: 3072:RvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unm9:RvEN2U+T6i5LirrllHy4HUcMQY6b9
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
- Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  Processes: explorer.exe, svchost.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
- Executes dropped EXE (4 IoCs)
  Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  2084 | explorer.exe
  3128 | spoolsv.exe
  1204 | svchost.exe
  1692 | spoolsv.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: svchost.exe, explorer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
- Drops file in Windows directory (6 IoCs)
  Processes: svchost.exe, explorer.exe, d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe, spoolsv.exe
  description | ioc | process
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe, explorer.exe, svchost.exe
  pid | process | occurrences
  3944 | d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe | 2
  2084 | explorer.exe | 32
  1204 | svchost.exe | 30
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: explorer.exe, svchost.exe
  pid | process
  2084 | explorer.exe
  1204 | svchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process | occurrences
  3944 | d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe | 2
  2084 | explorer.exe | 2
  3128 | spoolsv.exe | 2
  1204 | svchost.exe | 2
  1692 | spoolsv.exe | 2
  2084 | explorer.exe | 2
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe, explorer.exe, spoolsv.exe, svchost.exe
  description | pid | process | target process | occurrences
  PID 3944 wrote to memory of 2084 | 3944 | d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe | explorer.exe | 3
  PID 2084 wrote to memory of 3128 | 2084 | explorer.exe | spoolsv.exe | 3
  PID 3128 wrote to memory of 1204 | 3128 | spoolsv.exe | svchost.exe | 3
  PID 1204 wrote to memory of 1692 | 1204 | svchost.exe | spoolsv.exe | 3
  PID 1204 wrote to memory of 5056 | 1204 | svchost.exe | at.exe | 3
  PID 1204 wrote to memory of 4140 | 1204 | svchost.exe | at.exe | 3
  PID 1204 wrote to memory of 4552 | 1204 | svchost.exe | at.exe | 3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\system\explorer.exe
      command line: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\spoolsv.exe
        command line: c:\windows\system\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\svchost.exe
          command line: c:\windows\system\svchost.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe
            command line: c:\windows\system\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\at.exe
            command line: at 03:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        [5] C:\Windows\SysWOW64\at.exe
            command line: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        [5] C:\Windows\SysWOW64\at.exe
            command line: at 04:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
- C:\Users\Admin\AppData\Roaming\mrsys.exe
  Filesize: 206KB
  MD5: 51a7c8eebfb3316c69ff4809ad4b2c5a
  SHA1: b07b1aa64d0228fe4df88829da25ffa7d4f2595e
  SHA256: 5c81af05def77801c0c9048af72790c16b991b3383b09d848e92fa9d3b58e4d1
  SHA512: 0856dd00efbb33e25e4bbd6c3e9d3209a152a9d2d53a44815ae1f61e4f2f33ef8e3312bffd83749d2e5946ad477e3f140fef96dd9b85ebefe6adf9c793089861
- C:\Windows\System\explorer.exe
  Filesize: 207KB
  MD5: d83cfdace486f49b0bb57bf07f3d2e09
  SHA1: 0d10addfba63d932cf1a37c4ecc2f1cebb05e3ba
  SHA256: 74727cf9d8a5774dab3eed4feb87b7d9080cfd02d8a3f46e37ec77afe8ba77cc
  SHA512: a7a230aadc6d69bc9436071e513a0cc9870badcdc2e77f7374c31ec69d7c76049226a2bbd6412d0b6cac717b88f33bc336405a5605ee531f4cfea4c9c9b59ca9
- C:\Windows\System\spoolsv.exe
  Filesize: 206KB
  MD5: 78052423d7d9923365b431f00a7a49f5
  SHA1: a4c1d230da5c5ed45fe0108718bf9a656f777bfd
  SHA256: 7aec08c54bcabae69e0cc17fdced26715d4dc6c6566adcb6f4f8d3288a13efe6
  SHA512: 3da627154ac343f20b1cb1b21d984f1bd9070509a54b68b058e6b05d8ce04807792b938894ca92b381b3d85cf5c1a9a9d0c96375dd8aa1e838e96a91d4bbf50c
- C:\Windows\System\svchost.exe
  Filesize: 206KB
  MD5: 5edad06cb091182ba47be8c714aef077
  SHA1: 8755d4c3c89f51b7a03f254a7b4f9bfa16c5fe92
  SHA256: a35e5e53ee5febb95bac3047f0fc12354175141210496fd7076cbd0362958957
  SHA512: 88e0c611f529994d112e575f62ad29a97c37f3e1aa85a9d2a4fde420777b6ccc15bb1e8d84d84750a0c8292c3187aa02a4ea515587e80f95734c037e61fecb46
- \??\PIPE\atsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/1692-33-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/2084-9-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/3128-36-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/3944-0-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/3944-37-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB