09887c556940df9d1674b9545fc683f5ccb7c43270970cc4563952ef66848c8e

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09887c556940df9d1674b9545fc683f5ccb7c43270970cc4563952ef66848c8e.exe
Size

211KB
MD5

7a89eec390e688ddec6cb2de55dc99a7
SHA1

8590aeeb0098e8f5b3a732be23fe9336171faa37
SHA256

09887c556940df9d1674b9545fc683f5ccb7c43270970cc4563952ef66848c8e
SHA512

c2820aabeb045b98610e124145e4269f87ce074e89b2c7e46541a3bb54a581a068fcf093aaf9635992b96701b0c1cdef8559ecc56b955f8bdb9e6c1ae631b54d
SSDEEP

3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOr:Jh8cBzHLRMpZ4d1Zr

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	swchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	swchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	userinit.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2572	userinit.exe
2580	spoolsw.exe
2860	swchost.exe
2716	spoolsw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	swchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system\udsys.exe	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\spoolsw.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	spoolsw.exe
File opened for modification	\??\c:\windows\userinit.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	swchost.exe
File opened for modification	\??\c:\windows\userinit.exe	09887c556940df9d1674b9545fc683f5ccb7c43270970cc4563952ef66848c8e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	09887c556940df9d1674b9545fc683f5ccb7c43270970cc4563952ef66848c8e.exe
2572	userinit.exe
2572	userinit.exe
2572	userinit.exe
2860	swchost.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe
2572	userinit.exe
2860	swchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2572	userinit.exe
2860	swchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2352	09887c556940df9d1674b9545fc683f5ccb7c43270970cc4563952ef66848c8e.exe
2352	09887c556940df9d1674b9545fc683f5ccb7c43270970cc4563952ef66848c8e.exe
2572	userinit.exe
2572	userinit.exe
2580	spoolsw.exe
2580	spoolsw.exe
2860	swchost.exe
2860	swchost.exe
2716	spoolsw.exe
2716	spoolsw.exe
2572	userinit.exe
2572	userinit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2572	2352	09887c556940df9d1674b9545fc683f5ccb7c43270970cc4563952ef66848c8e.exe	29
PID 2352 wrote to memory of 2572	2352	09887c556940df9d1674b9545fc683f5ccb7c43270970cc4563952ef66848c8e.exe	29
PID 2352 wrote to memory of 2572	2352	09887c556940df9d1674b9545fc683f5ccb7c43270970cc4563952ef66848c8e.exe	29
PID 2352 wrote to memory of 2572	2352	09887c556940df9d1674b9545fc683f5ccb7c43270970cc4563952ef66848c8e.exe	29
PID 2572 wrote to memory of 2580	2572	userinit.exe	30
PID 2572 wrote to memory of 2580	2572	userinit.exe	30
PID 2572 wrote to memory of 2580	2572	userinit.exe	30
PID 2572 wrote to memory of 2580	2572	userinit.exe	30
PID 2580 wrote to memory of 2860	2580	spoolsw.exe	31
PID 2580 wrote to memory of 2860	2580	spoolsw.exe	31
PID 2580 wrote to memory of 2860	2580	spoolsw.exe	31
PID 2580 wrote to memory of 2860	2580	spoolsw.exe	31
PID 2860 wrote to memory of 2716	2860	swchost.exe	32
PID 2860 wrote to memory of 2716	2860	swchost.exe	32
PID 2860 wrote to memory of 2716	2860	swchost.exe	32
PID 2860 wrote to memory of 2716	2860	swchost.exe	32

C:\Users\Admin\AppData\Local\Temp\09887c556940df9d1674b9545fc683f5ccb7c43270970cc4563952ef66848c8e.exe
"C:\Users\Admin\AppData\Local\Temp\09887c556940df9d1674b9545fc683f5ccb7c43270970cc4563952ef66848c8e.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2352
- \??\c:\windows\userinit.exe
  c:\windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2572
- - \??\c:\windows\spoolsw.exe
    c:\windows\spoolsw.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - \??\c:\windows\swchost.exe
      c:\windows\swchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2860
    - - \??\c:\windows\spoolsw.exe
        
        c:\windows\spoolsw.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mrsys.exe

Filesize
211KB

MD5
968fa3fa7ba351452b068f4aa97715b7

SHA1
4a7bbfc28defa8161ceefc80337893d3e179dde1

SHA256
b39a2f90b76021bed9b83a466058cdd4e5993468b4b35d60178f51d029c03ee2

SHA512
cc8836511db4fd0ed5552485ac0403ca18914039de610e7bf145e1cb131dfcb22135cc14b4cf84a3a94fc9133033d403e6b6aa017027ba8ae140efdc27962851

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
5e1572ca6f12cfaf7177b7ad5f0f3dcb

SHA1
646a46c3069809fd894a459e0945efc4fc782dda

SHA256
042ac08a64ff4b5b52c180d91912395345e8829eadfbcc6e34292c786f2bad02

SHA512
a176671eae9a99b940b44e22435ac38012aaeb9eeb8af5a1f32e50b04547cc3cfcf3cb037c2ba9699c6fdb4def31e172c17da6df45c0136844c55a5fba846fc6

Download Submit
C:\Windows\swchost.exe

Filesize
211KB

MD5
28ea8f680f87da41f7d65d0fc326781a

SHA1
7fecd8a30299a0bb8ceff50929f1e06094a43c30

SHA256
27e937baa7c3dbd4d71a9dadc684776cac3579a79a9949d1f876f69a8994d4d2

SHA512
174a995b7d11d8a510caccae5896766d9328f38c45577e597baad9380e4abced86b93cc899215f4c2ae1dad6f775a3a2722a2d9a6726f4c24fbca6ceb4d73e0b

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
7f0a1706c829fcc8e47e4b59bc405ca7

SHA1
0bab7f0f40b7dfb17825482db8706e6df3216068

SHA256
5d16983dc7e09efac0bebc721317bec2761ef3fc84ae64d92ff4f40dda58f6a9

SHA512
07e7ea72efc4f978de81d8e04c9ebfb7452ce6fb97064d6ba0272c28d289dc4ed3bd1c31057b77c6c2498a04ca4858a319bfd6b542ad84d91b7289fd1eac32c7

Download Submit