6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-05-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe
Size

274KB
MD5

73d592f229191a78a5df650bfaf071ca
SHA1

f7c234b745981f5abacaaf885e983551c2e97eb2
SHA256

6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f
SHA512

8923eaab44eee401c32e7f7daf5f634090715ad934099b992c7fd7745e6fd2ca6e417b2cd679e0cd434b2f9bd1737b0ca5284b6280193b1af5be0af8d7a06e27
SSDEEP

6144:FvEN2U+T6i5LirrllHy4HUcMQY6MbThVcHa:lENN+T5xYrllrU7QY62Thh

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1936	explorer.exe
2552	spoolsv.exe
2656	svchost.exe
2680	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1924	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe
1924	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe
1936	explorer.exe
1936	explorer.exe
2552	spoolsv.exe
2552	spoolsv.exe
2656	svchost.exe
2656	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
2656	svchost.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe
1936	explorer.exe
2656	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1936	explorer.exe
2656	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1924	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe
1924	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe
1936	explorer.exe
1936	explorer.exe
2552	spoolsv.exe
2552	spoolsv.exe
2656	svchost.exe
2656	svchost.exe
2680	spoolsv.exe
2680	spoolsv.exe
1936	explorer.exe
1936	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1936	1924	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe	28
PID 1924 wrote to memory of 1936	1924	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe	28
PID 1924 wrote to memory of 1936	1924	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe	28
PID 1924 wrote to memory of 1936	1924	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe	28
PID 1936 wrote to memory of 2552	1936	explorer.exe	29
PID 1936 wrote to memory of 2552	1936	explorer.exe	29
PID 1936 wrote to memory of 2552	1936	explorer.exe	29
PID 1936 wrote to memory of 2552	1936	explorer.exe	29
PID 2552 wrote to memory of 2656	2552	spoolsv.exe	30
PID 2552 wrote to memory of 2656	2552	spoolsv.exe	30
PID 2552 wrote to memory of 2656	2552	spoolsv.exe	30
PID 2552 wrote to memory of 2656	2552	spoolsv.exe	30
PID 2656 wrote to memory of 2680	2656	svchost.exe	31
PID 2656 wrote to memory of 2680	2656	svchost.exe	31
PID 2656 wrote to memory of 2680	2656	svchost.exe	31
PID 2656 wrote to memory of 2680	2656	svchost.exe	31
PID 2656 wrote to memory of 2584	2656	svchost.exe	32
PID 2656 wrote to memory of 2584	2656	svchost.exe	32
PID 2656 wrote to memory of 2584	2656	svchost.exe	32
PID 2656 wrote to memory of 2584	2656	svchost.exe	32
PID 2656 wrote to memory of 2160	2656	svchost.exe	36
PID 2656 wrote to memory of 2160	2656	svchost.exe	36
PID 2656 wrote to memory of 2160	2656	svchost.exe	36
PID 2656 wrote to memory of 2160	2656	svchost.exe	36
PID 2656 wrote to memory of 324	2656	svchost.exe	38
PID 2656 wrote to memory of 324	2656	svchost.exe	38
PID 2656 wrote to memory of 324	2656	svchost.exe	38
PID 2656 wrote to memory of 324	2656	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe
"C:\Users\Admin\AppData\Local\Temp\6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1936
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2680
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2584
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2160
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
274KB

MD5
ae0030ce658cf6f07263e23f42af8d1e

SHA1
63ae217173aec457f6bae83c4fbd94b951ad17d0

SHA256
5ab57dc36e5a959ed54c810bee37196e58bacfb0cb720114ac19f6965dd90db8

SHA512
63fd9b5a3abcee80e5aa44c7f2ef3c0865aa5ec45bbba66707e8b835f6462f283b9470bac7fa03cfeeb7ba644d2e62a120672ac6b27dcac197d3082711234e32

Download Submit
C:\Windows\system\svchost.exe

Filesize
274KB

MD5
33621808d0bf26ef2b0117c6719a50f2

SHA1
75f2ee58571d82e9446122b77334079718c7e09d

SHA256
8211a5bb9853cf7695b5c88a3d1b5576aace62da276cec225a2f9fba610209cd

SHA512
7b3a257a98bfdaee5be5ba3dbaa28b794d556549121e34f71dbd3f7c6f5207469dd04bc95bee062d1ebe9e4a4d206fa5d5ad08cb73b2507cb316d6249ab2e1cd

Download Submit
\Windows\system\explorer.exe

Filesize
274KB

MD5
5a338b48f0e965379bdb849341e434cd

SHA1
93903c4b0e671ba7d7d1a32222845bcb9b46d649

SHA256
33d306a8d29ae447ec90a5a671b92c546f47079cea4e4807dd119b53c4403025

SHA512
fe6012afb80cef08500c52bffb5b228a564d8e305d6cf7d140ac9aa8d318326e1f161c795751c7071593b886081d0a03c12114c05f8d2e776ec98f46c9a8d7a1

Download Submit
\Windows\system\spoolsv.exe

Filesize
274KB

MD5
fd1e4ad915a99f007c11940cf7fe6aff

SHA1
dde757463d21612878d7ccca2e1eb1ac749edc40

SHA256
b8dec1c1650ddf27c86104c28adc96c053e209b0f382dbf4a5f9d1ce51ec6688

SHA512
6cfc6d4e8e6b90174ae1385b60fdb5a53a5ec70b4360920121954972054a1165cf9fc222cd6c3c2074042920eb483467d4f2130420a3327319319d79bc0d4bc7

Download Submit