6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe
Size

274KB
MD5

73d592f229191a78a5df650bfaf071ca
SHA1

f7c234b745981f5abacaaf885e983551c2e97eb2
SHA256

6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f
SHA512

8923eaab44eee401c32e7f7daf5f634090715ad934099b992c7fd7745e6fd2ca6e417b2cd679e0cd434b2f9bd1737b0ca5284b6280193b1af5be0af8d7a06e27
SSDEEP

6144:FvEN2U+T6i5LirrllHy4HUcMQY6MbThVcHa:lENN+T5xYrllrU7QY62Thh

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1720	explorer.exe
3704	spoolsv.exe
2080	svchost.exe
3588	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2184	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe
2184	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
2080	svchost.exe
2080	svchost.exe
2080	svchost.exe
2080	svchost.exe
1720	explorer.exe
1720	explorer.exe
2080	svchost.exe
2080	svchost.exe
1720	explorer.exe
1720	explorer.exe
2080	svchost.exe
2080	svchost.exe
1720	explorer.exe
1720	explorer.exe
2080	svchost.exe
2080	svchost.exe
1720	explorer.exe
1720	explorer.exe
2080	svchost.exe
2080	svchost.exe
1720	explorer.exe
1720	explorer.exe
2080	svchost.exe
2080	svchost.exe
1720	explorer.exe
1720	explorer.exe
2080	svchost.exe
2080	svchost.exe
1720	explorer.exe
1720	explorer.exe
2080	svchost.exe
2080	svchost.exe
1720	explorer.exe
1720	explorer.exe
2080	svchost.exe
2080	svchost.exe
1720	explorer.exe
1720	explorer.exe
2080	svchost.exe
2080	svchost.exe
1720	explorer.exe
1720	explorer.exe
2080	svchost.exe
2080	svchost.exe
1720	explorer.exe
1720	explorer.exe
2080	svchost.exe
2080	svchost.exe
1720	explorer.exe
1720	explorer.exe
2080	svchost.exe
2080	svchost.exe
1720	explorer.exe
1720	explorer.exe
2080	svchost.exe
2080	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1720	explorer.exe
2080	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2184	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe
2184	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe
1720	explorer.exe
1720	explorer.exe
3704	spoolsv.exe
3704	spoolsv.exe
2080	svchost.exe
2080	svchost.exe
3588	spoolsv.exe
3588	spoolsv.exe
1720	explorer.exe
1720	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1720	2184	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe	83
PID 2184 wrote to memory of 1720	2184	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe	83
PID 2184 wrote to memory of 1720	2184	6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe	83
PID 1720 wrote to memory of 3704	1720	explorer.exe	84
PID 1720 wrote to memory of 3704	1720	explorer.exe	84
PID 1720 wrote to memory of 3704	1720	explorer.exe	84
PID 3704 wrote to memory of 2080	3704	spoolsv.exe	85
PID 3704 wrote to memory of 2080	3704	spoolsv.exe	85
PID 3704 wrote to memory of 2080	3704	spoolsv.exe	85
PID 2080 wrote to memory of 3588	2080	svchost.exe	86
PID 2080 wrote to memory of 3588	2080	svchost.exe	86
PID 2080 wrote to memory of 3588	2080	svchost.exe	86
PID 2080 wrote to memory of 4888	2080	svchost.exe	87
PID 2080 wrote to memory of 4888	2080	svchost.exe	87
PID 2080 wrote to memory of 4888	2080	svchost.exe	87
PID 2080 wrote to memory of 2856	2080	svchost.exe	104
PID 2080 wrote to memory of 2856	2080	svchost.exe	104
PID 2080 wrote to memory of 2856	2080	svchost.exe	104
PID 2080 wrote to memory of 1872	2080	svchost.exe	118
PID 2080 wrote to memory of 1872	2080	svchost.exe	118
PID 2080 wrote to memory of 1872	2080	svchost.exe	118

C:\Users\Admin\AppData\Local\Temp\6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe
"C:\Users\Admin\AppData\Local\Temp\6adb838a8df207a87ad0e1dc6bde6bab04d99c315adcbb772c0009fc8a41e88f.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1720
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3588
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4888
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
274KB

MD5
8a836dd8b172ac73375e3dc17b11e169

SHA1
8b86ccf9c2bfac829135c8b3b752aed1d046bb4e

SHA256
fe51b4e6c6bdd72e3a04cc19e3bba0e6e4919c90261ce13536f46e673f414dbb

SHA512
5d07b1fb3f1eea9e6d7a15f44d9498e0222ea3f253a8b6e6f9721e0f2b03806f1970c41f14da5576e4684cef7a818e813e1258eb850755b0b63ec484516e4d85

Download Submit
C:\Windows\System\explorer.exe

Filesize
274KB

MD5
92da5baa8ce5089cbe451e3240c771c7

SHA1
31681f7d762204b4852a21ef6580b6105130db8d

SHA256
963642a17fbd7beb69c3f5e5c44d3fb6222349580b7cfad7ab9b63e40d04c662

SHA512
de37a083a00a197763be4aef66232c3cb5a79e86c8d4d1eace2785b8a6a51fc7a5556cb4ac6392a67eba9e4c44088b5d4b0fefe6a4add59c3ac9e53ef052717c

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
274KB

MD5
a5fc05eac388c8e2e65954dc927799a1

SHA1
b64eddd1ae858b3793736bbe5eb8456574fddc7e

SHA256
7ff42c58a7811f57d4bd76c06a940af67ef1fb3410f1aa18e6f3fad84962d947

SHA512
dd49fa2f990f101fed43b41f6cb44c4f52feccf196d5553b294110cf393bfdb03cdf7009c731d6027ad903b673d2af1e6c2f7095483d101ecf26fceca68d1f1e

Download Submit
C:\Windows\System\svchost.exe

Filesize
274KB

MD5
77cf52c1f45f902dccdb691d0b237544

SHA1
757383aa6805563fd18c9ccb3fbcf6b0e3a6344b

SHA256
5ffc9345d9a8a1ca3cb38ceebef1f84aedb8049a0f9d067b839cb0a5b5a148f9

SHA512
07023b01db730a1de9279cb0579f441085a8bc6b6d29e50cc7a847b35ec241ac1c8f1de3e1d581cf1e8131b43531198e4a5c93da1beee44d9b994ddc24aa3ece

Download Submit