d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908

General

Target

d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe
Size

206KB
MD5

038f12ac48bdbf7a6a4cde19fa5d4822
SHA1

4204f2c1aca9e198cb92ed7d46ff205aa7725f25
SHA256

d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908
SHA512

b01f573a7635ddada8e8ce8eacf480cda1da8f355a7a33b190bf52739dcc070700599f797cfa01fb3911f8813236aa09432e53fa566972759d7e29522feb1cee
SSDEEP

3072:RvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unm9:RvEN2U+T6i5LirrllHy4HUcMQY6b9

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2084 explorer.exe
3128 spoolsv.exe
1204 svchost.exe
1692 spoolsv.exe

pid	process
2084	explorer.exe
3128	spoolsv.exe
1204	svchost.exe
1692	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exeexplorer.exed7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exeexplorer.exesvchost.exe

pid	process
3944	d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe
3944	d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
1204	svchost.exe
1204	svchost.exe
1204	svchost.exe
1204	svchost.exe
2084	explorer.exe
2084	explorer.exe
1204	svchost.exe
1204	svchost.exe
2084	explorer.exe
2084	explorer.exe
1204	svchost.exe
1204	svchost.exe
2084	explorer.exe
2084	explorer.exe
1204	svchost.exe
1204	svchost.exe
2084	explorer.exe
2084	explorer.exe
1204	svchost.exe
1204	svchost.exe
2084	explorer.exe
2084	explorer.exe
1204	svchost.exe
1204	svchost.exe
2084	explorer.exe
2084	explorer.exe
1204	svchost.exe
1204	svchost.exe
2084	explorer.exe
2084	explorer.exe
1204	svchost.exe
1204	svchost.exe
2084	explorer.exe
2084	explorer.exe
1204	svchost.exe
1204	svchost.exe
2084	explorer.exe
2084	explorer.exe
1204	svchost.exe
1204	svchost.exe
2084	explorer.exe
2084	explorer.exe
1204	svchost.exe
1204	svchost.exe
2084	explorer.exe
2084	explorer.exe
1204	svchost.exe
1204	svchost.exe
2084	explorer.exe
2084	explorer.exe
1204	svchost.exe
1204	svchost.exe
2084	explorer.exe
2084	explorer.exe
1204	svchost.exe
1204	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2084 explorer.exe
1204 svchost.exe

pid	process
2084	explorer.exe
1204	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3944	d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe
3944	d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe
2084	explorer.exe
2084	explorer.exe
3128	spoolsv.exe
3128	spoolsv.exe
1204	svchost.exe
1204	svchost.exe
1692	spoolsv.exe
1692	spoolsv.exe
2084	explorer.exe
2084	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3944 wrote to memory of 2084	3944	d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe	explorer.exe
PID 3944 wrote to memory of 2084	3944	d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe	explorer.exe
PID 3944 wrote to memory of 2084	3944	d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe	explorer.exe
PID 2084 wrote to memory of 3128	2084	explorer.exe	spoolsv.exe
PID 2084 wrote to memory of 3128	2084	explorer.exe	spoolsv.exe
PID 2084 wrote to memory of 3128	2084	explorer.exe	spoolsv.exe
PID 3128 wrote to memory of 1204	3128	spoolsv.exe	svchost.exe
PID 3128 wrote to memory of 1204	3128	spoolsv.exe	svchost.exe
PID 3128 wrote to memory of 1204	3128	spoolsv.exe	svchost.exe
PID 1204 wrote to memory of 1692	1204	svchost.exe	spoolsv.exe
PID 1204 wrote to memory of 1692	1204	svchost.exe	spoolsv.exe
PID 1204 wrote to memory of 1692	1204	svchost.exe	spoolsv.exe
PID 1204 wrote to memory of 5056	1204	svchost.exe	at.exe
PID 1204 wrote to memory of 5056	1204	svchost.exe	at.exe
PID 1204 wrote to memory of 5056	1204	svchost.exe	at.exe
PID 1204 wrote to memory of 4140	1204	svchost.exe	at.exe
PID 1204 wrote to memory of 4140	1204	svchost.exe	at.exe
PID 1204 wrote to memory of 4140	1204	svchost.exe	at.exe
PID 1204 wrote to memory of 4552	1204	svchost.exe	at.exe
PID 1204 wrote to memory of 4552	1204	svchost.exe	at.exe
PID 1204 wrote to memory of 4552	1204	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe
"C:\Users\Admin\AppData\Local\Temp\d7872c553974f4dbde417da646b2ad4b170deb805e29547993362f324846e908.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3128

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\SysWOW64\at.exe
at 03:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:5056

C:\Windows\SysWOW64\at.exe
at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:4140

C:\Windows\SysWOW64\at.exe
at 04:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:4552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
206KB

MD5
51a7c8eebfb3316c69ff4809ad4b2c5a

SHA1
b07b1aa64d0228fe4df88829da25ffa7d4f2595e

SHA256
5c81af05def77801c0c9048af72790c16b991b3383b09d848e92fa9d3b58e4d1

SHA512
0856dd00efbb33e25e4bbd6c3e9d3209a152a9d2d53a44815ae1f61e4f2f33ef8e3312bffd83749d2e5946ad477e3f140fef96dd9b85ebefe6adf9c793089861

Download Submit
C:\Windows\System\explorer.exe
Filesize
207KB

MD5
d83cfdace486f49b0bb57bf07f3d2e09

SHA1
0d10addfba63d932cf1a37c4ecc2f1cebb05e3ba

SHA256
74727cf9d8a5774dab3eed4feb87b7d9080cfd02d8a3f46e37ec77afe8ba77cc

SHA512
a7a230aadc6d69bc9436071e513a0cc9870badcdc2e77f7374c31ec69d7c76049226a2bbd6412d0b6cac717b88f33bc336405a5605ee531f4cfea4c9c9b59ca9

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
206KB

MD5
78052423d7d9923365b431f00a7a49f5

SHA1
a4c1d230da5c5ed45fe0108718bf9a656f777bfd

SHA256
7aec08c54bcabae69e0cc17fdced26715d4dc6c6566adcb6f4f8d3288a13efe6

SHA512
3da627154ac343f20b1cb1b21d984f1bd9070509a54b68b058e6b05d8ce04807792b938894ca92b381b3d85cf5c1a9a9d0c96375dd8aa1e838e96a91d4bbf50c

Download Submit
C:\Windows\System\svchost.exe
Filesize
206KB

MD5
5edad06cb091182ba47be8c714aef077

SHA1
8755d4c3c89f51b7a03f254a7b4f9bfa16c5fe92

SHA256
a35e5e53ee5febb95bac3047f0fc12354175141210496fd7076cbd0362958957

SHA512
88e0c611f529994d112e575f62ad29a97c37f3e1aa85a9d2a4fde420777b6ccc15bb1e8d84d84750a0c8292c3187aa02a4ea515587e80f95734c037e61fecb46

Download Submit
\??\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1692-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2084-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3128-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3944-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3944-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads