19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/05/2024, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
Size

225KB
MD5

affcb8c8fa1604c96af2a02fcdc53245
SHA1

51fdeeee539dd4ec719a3057ced7225bc7a3cd35
SHA256

19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9
SHA512

c3b2b4a3503535cafef1e07330cd75254f37b4c8e50a732569f63b074d010cf61de3a5580b50190a42cb6ccbc4a0dbbc0b7c43bcd21f61167cdd572f230c4ae0
SSDEEP

3072:8vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u8vMSRW:8vEN2U+T6i5LirrllHy4HUcMQY6vMSk

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

UPX dump on OEP (original entry point) 11 IoCs

resource	yara_rule
behavioral1/memory/2084-1-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral1/files/0x00360000000144e9-6.dat	UPX
behavioral1/memory/2084-8-0x00000000004D0000-0x0000000000505000-memory.dmp	UPX
behavioral1/files/0x000800000001470b-20.dat	UPX
behavioral1/files/0x0008000000014983-34.dat	UPX
behavioral1/memory/1476-51-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral1/memory/2624-54-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral1/memory/2084-55-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral1/files/0x0009000000015c6d-56.dat	UPX
behavioral1/memory/3036-57-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral1/memory/2524-58-0x0000000000400000-0x0000000000435000-memory.dmp	UPX

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
3036	explorer.exe
2624	spoolsv.exe
2524	svchost.exe
1476	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2084	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
2084	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
3036	explorer.exe
3036	explorer.exe
2624	spoolsv.exe
2624	spoolsv.exe
2524	svchost.exe
2524	svchost.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-1-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/files/0x00360000000144e9-6.dat	upx
behavioral1/memory/2084-8-0x00000000004D0000-0x0000000000505000-memory.dmp	upx
behavioral1/files/0x000800000001470b-20.dat	upx
behavioral1/files/0x0008000000014983-34.dat	upx
behavioral1/memory/1476-51-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2624-54-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2084-55-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/files/0x0009000000015c6d-56.dat	upx
behavioral1/memory/3036-57-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2524-58-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
2524	svchost.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe
3036	explorer.exe
2524	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3036	explorer.exe
2524	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2084	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
2084	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
3036	explorer.exe
3036	explorer.exe
2624	spoolsv.exe
2624	spoolsv.exe
2524	svchost.exe
2524	svchost.exe
1476	spoolsv.exe
1476	spoolsv.exe
3036	explorer.exe
3036	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 3036	2084	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe	28
PID 2084 wrote to memory of 3036	2084	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe	28
PID 2084 wrote to memory of 3036	2084	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe	28
PID 2084 wrote to memory of 3036	2084	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe	28
PID 3036 wrote to memory of 2624	3036	explorer.exe	29
PID 3036 wrote to memory of 2624	3036	explorer.exe	29
PID 3036 wrote to memory of 2624	3036	explorer.exe	29
PID 3036 wrote to memory of 2624	3036	explorer.exe	29
PID 2624 wrote to memory of 2524	2624	spoolsv.exe	30
PID 2624 wrote to memory of 2524	2624	spoolsv.exe	30
PID 2624 wrote to memory of 2524	2624	spoolsv.exe	30
PID 2624 wrote to memory of 2524	2624	spoolsv.exe	30
PID 2524 wrote to memory of 1476	2524	svchost.exe	31
PID 2524 wrote to memory of 1476	2524	svchost.exe	31
PID 2524 wrote to memory of 1476	2524	svchost.exe	31
PID 2524 wrote to memory of 1476	2524	svchost.exe	31
PID 2524 wrote to memory of 2480	2524	svchost.exe	32
PID 2524 wrote to memory of 2480	2524	svchost.exe	32
PID 2524 wrote to memory of 2480	2524	svchost.exe	32
PID 2524 wrote to memory of 2480	2524	svchost.exe	32
PID 2524 wrote to memory of 2660	2524	svchost.exe	36
PID 2524 wrote to memory of 2660	2524	svchost.exe	36
PID 2524 wrote to memory of 2660	2524	svchost.exe	36
PID 2524 wrote to memory of 2660	2524	svchost.exe	36
PID 2524 wrote to memory of 2252	2524	svchost.exe	38
PID 2524 wrote to memory of 2252	2524	svchost.exe	38
PID 2524 wrote to memory of 2252	2524	svchost.exe	38
PID 2524 wrote to memory of 2252	2524	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
"C:\Users\Admin\AppData\Local\Temp\19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3036
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1476
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2480
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2660
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
225KB

MD5
bebc56a54d87cf1973fbb943c99c718e

SHA1
3dc2132249821aef6f2c0683d2f0726144884e25

SHA256
1814c4c5c79629d96a1a886ac3f90467546cf88a275846aca5832aef03de55ff

SHA512
7a67364ed50fbd89caf5b1ff5e7018d0ab8bff25d9df7fa5d23ae1940d1971b09095e52549a70a4fcb2e35939015e9e6e82b68dcaa01f17d53bf5ea78c222c7e

Download Submit
\Windows\system\explorer.exe

Filesize
225KB

MD5
8253e60391293752640f3e6109c1f78c

SHA1
de39ab8a7b8a57f4b724be622ab1a9391898a378

SHA256
a001371e147b14aaddc0b0fd2d0090e60e32bb6eb4a74c8be409c26715271a32

SHA512
06cf1c21b2c188afa3771d3e38393090e7806928d7d645aaab423b05121d0eae8d0c01d5804983970c36db5c279435344ca2ae4349bb34b575ca4f8e602b80bb

Download Submit
\Windows\system\spoolsv.exe

Filesize
225KB

MD5
879b3f3fad15f298373b28d61dbb9fff

SHA1
86dc1087a76f594f2bff1d4feef2ea6e96dc23b1

SHA256
a5c24c05b6380ae4016db60ea270dadfc29733300a5106fb69442f180d340b08

SHA512
1815ebee8ba503cc86267e06272a7ebb7703fe29dc1456ecda093ec5bb3b9651390d34f789401287e982821cfdb655e0d23d68ee4bba443db46c1eb3045bdc55

Download Submit
\Windows\system\svchost.exe

Filesize
225KB

MD5
f5073f3e34577bebb48ca203202ce471

SHA1
afb2d3f72d35a7c59836704589923f350b354f9d

SHA256
102118aeb9be9ea67979cde81733d168e4eadfcd581785824dff80ea75689341

SHA512
a09847872376a2b51feb5f484afccd1bdd78aac8a5bd857d5da6585508e290e33eb406ecd6de7c5e708cb8bbf8f264454e47614e2fa0b0d9f643285d7f247e58

Download Submit
memory/1476-51-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-8-0x00000000004D0000-0x0000000000505000-memory.dmp

Filesize
212KB

Download
memory/2084-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2524-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3036-27-0x00000000026D0000-0x0000000002705000-memory.dmp

Filesize
212KB

Download
memory/3036-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download