19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
Size

225KB
MD5

affcb8c8fa1604c96af2a02fcdc53245
SHA1

51fdeeee539dd4ec719a3057ced7225bc7a3cd35
SHA256

19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9
SHA512

c3b2b4a3503535cafef1e07330cd75254f37b4c8e50a732569f63b074d010cf61de3a5580b50190a42cb6ccbc4a0dbbc0b7c43bcd21f61167cdd572f230c4ae0
SSDEEP

3072:8vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u8vMSRW:8vEN2U+T6i5LirrllHy4HUcMQY6vMSk

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

UPX dump on OEP (original entry point) 11 IoCs

resource	yara_rule
behavioral2/memory/4984-0-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral2/files/0x0009000000023406-7.dat	UPX
behavioral2/files/0x000800000002340c-13.dat	UPX
behavioral2/memory/2884-16-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral2/files/0x000800000002340e-24.dat	UPX
behavioral2/memory/4536-33-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral2/memory/2884-36-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral2/memory/4984-37-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral2/files/0x000900000002340d-38.dat	UPX
behavioral2/memory/4836-39-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral2/memory/5040-40-0x0000000000400000-0x0000000000435000-memory.dmp	UPX

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4836	explorer.exe
2884	spoolsv.exe
5040	svchost.exe
4536	spoolsv.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4984-0-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/files/0x0009000000023406-7.dat	upx
behavioral2/files/0x000800000002340c-13.dat	upx
behavioral2/memory/2884-16-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/files/0x000800000002340e-24.dat	upx
behavioral2/memory/4536-33-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/2884-36-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/4984-37-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/files/0x000900000002340d-38.dat	upx
behavioral2/memory/4836-39-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/5040-40-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4984	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
4984	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
4836	explorer.exe
4836	explorer.exe
4836	explorer.exe
4836	explorer.exe
4836	explorer.exe
4836	explorer.exe
5040	svchost.exe
5040	svchost.exe
5040	svchost.exe
5040	svchost.exe
4836	explorer.exe
4836	explorer.exe
5040	svchost.exe
5040	svchost.exe
4836	explorer.exe
4836	explorer.exe
5040	svchost.exe
5040	svchost.exe
4836	explorer.exe
4836	explorer.exe
5040	svchost.exe
5040	svchost.exe
4836	explorer.exe
4836	explorer.exe
5040	svchost.exe
5040	svchost.exe
4836	explorer.exe
4836	explorer.exe
5040	svchost.exe
5040	svchost.exe
4836	explorer.exe
4836	explorer.exe
5040	svchost.exe
5040	svchost.exe
4836	explorer.exe
4836	explorer.exe
5040	svchost.exe
5040	svchost.exe
4836	explorer.exe
4836	explorer.exe
5040	svchost.exe
5040	svchost.exe
4836	explorer.exe
4836	explorer.exe
5040	svchost.exe
5040	svchost.exe
4836	explorer.exe
4836	explorer.exe
5040	svchost.exe
5040	svchost.exe
4836	explorer.exe
4836	explorer.exe
5040	svchost.exe
5040	svchost.exe
4836	explorer.exe
4836	explorer.exe
5040	svchost.exe
5040	svchost.exe
4836	explorer.exe
4836	explorer.exe
5040	svchost.exe
5040	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4836	explorer.exe
5040	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4984	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
4984	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
4836	explorer.exe
4836	explorer.exe
2884	spoolsv.exe
2884	spoolsv.exe
5040	svchost.exe
5040	svchost.exe
4536	spoolsv.exe
4536	spoolsv.exe
4836	explorer.exe
4836	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4836	4984	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe	83
PID 4984 wrote to memory of 4836	4984	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe	83
PID 4984 wrote to memory of 4836	4984	19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe	83
PID 4836 wrote to memory of 2884	4836	explorer.exe	84
PID 4836 wrote to memory of 2884	4836	explorer.exe	84
PID 4836 wrote to memory of 2884	4836	explorer.exe	84
PID 2884 wrote to memory of 5040	2884	spoolsv.exe	85
PID 2884 wrote to memory of 5040	2884	spoolsv.exe	85
PID 2884 wrote to memory of 5040	2884	spoolsv.exe	85
PID 5040 wrote to memory of 4536	5040	svchost.exe	86
PID 5040 wrote to memory of 4536	5040	svchost.exe	86
PID 5040 wrote to memory of 4536	5040	svchost.exe	86
PID 5040 wrote to memory of 2644	5040	svchost.exe	87
PID 5040 wrote to memory of 2644	5040	svchost.exe	87
PID 5040 wrote to memory of 2644	5040	svchost.exe	87
PID 5040 wrote to memory of 868	5040	svchost.exe	103
PID 5040 wrote to memory of 868	5040	svchost.exe	103
PID 5040 wrote to memory of 868	5040	svchost.exe	103
PID 5040 wrote to memory of 1872	5040	svchost.exe	112
PID 5040 wrote to memory of 1872	5040	svchost.exe	112
PID 5040 wrote to memory of 1872	5040	svchost.exe	112

C:\Users\Admin\AppData\Local\Temp\19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
"C:\Users\Admin\AppData\Local\Temp\19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4984
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4836
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4536
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:868
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
225KB

MD5
2d12b3309fd217085f7ce2288a7ab29f

SHA1
c47618a92553ea0da1a261b48efa10713c70ac20

SHA256
c533d754ea3128b682579a6f828ef081d250d5a2c9648b4edeeb4521a3e09778

SHA512
9326159b4771dc84586d0e907b7683992b258004274fb3589d8dd87859662b9b4e4c978716ffef5fa8db2e40a4e158c98297eab928d0c2a7d64e58fc093292c1

Download Submit
C:\Windows\System\explorer.exe

Filesize
225KB

MD5
9dc3688414fe7a7a658b176e2e3f9eb0

SHA1
d438e98f6ceb534052699abe4e13abf4b8ca07be

SHA256
cba65c1cd4c770160c45156578b3bdc8d8523a1491da0398da357843dc6461f8

SHA512
634e67f77417face5449452458b26058af26382669985b604e7a29a360bf76094d0742e9ec3b84fdbf6817ee569d9b6d24c60b2ac436107fbecc22577aeafd46

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
225KB

MD5
5c740689b25eddc190e021dd1d8a2bcb

SHA1
e847b3d6e27179b71cfbc65f5c30e18562da8a41

SHA256
30ad53da029117e205150bd91a4e5d3b1fffa73785e12aec5bdb865ecb633fcb

SHA512
1971c0d8e3ca71aa19c1eed48a6f148ebd118154c00d5a0ab6e1cd80a5a9e8cf6a64d91bd42828ccc4327d798deaaff837619f9f95b6a53a7fa14fe1e3369fe1

Download Submit
C:\Windows\System\svchost.exe

Filesize
225KB

MD5
281e21bcce1441b6090d857415c61c32

SHA1
dd87cb03e931159c0b442b9ddf31575346f7a992

SHA256
b5b23cc088ec7f8775d0720bf1a83fda78b1895509e9566e3fb2bbc188f7eec9

SHA512
20eff9a221f0ef5c9125992ea34c769780c7141e2db280ff1eb238af8d5a580409f15e024c45354d64d877ebd1feb02027a890e72cc8dbc39ac6461c6145ad33

Download Submit
memory/2884-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4984-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4984-37-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download