003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe
Size

69KB
MD5

4b2749d64840214a4436e83243e44a37
SHA1

a3c12a438c10a6918114ee780ff28d586d5e856e
SHA256

003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76
SHA512

15ff28f2fc3927679dfa71b3a347f4c06599616301679fe5220975c9530fdd2c2acbc92cd0d810d1f22dfefd67cbad38202a5c4e41696b40ecc1c472d1cc135d
SSDEEP

1536:EJrFDMRyriCY/qXfatMp4Q2V6fIMxIpLw:0F8dCY85TE6fIMSRw

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2216	explorer.exe
2736	spoolsv.exe
2776	svchost.exe
2772	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1700	003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe
1700	003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe
2216	explorer.exe
2216	explorer.exe
2736	spoolsv.exe
2736	spoolsv.exe
2776	svchost.exe
2776	svchost.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1700-0-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/files/0x0037000000016103-6.dat	upx
behavioral1/memory/2216-15-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/files/0x000800000001686d-24.dat	upx
behavioral1/files/0x0008000000016c56-35.dat	upx
behavioral1/memory/2776-43-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2772-55-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2736-58-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/1700-60-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/files/0x000a000000016c7a-61.dat	upx
behavioral1/memory/2216-62-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2776-64-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2216-73-0x0000000000400000-0x0000000000434000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2776	svchost.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe
2776	svchost.exe
2216	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2216	explorer.exe
2776	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1700	003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe
1700	003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe
2216	explorer.exe
2216	explorer.exe
2736	spoolsv.exe
2736	spoolsv.exe
2776	svchost.exe
2776	svchost.exe
2772	spoolsv.exe
2772	spoolsv.exe
2216	explorer.exe
2216	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2216	1700	003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe	28
PID 1700 wrote to memory of 2216	1700	003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe	28
PID 1700 wrote to memory of 2216	1700	003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe	28
PID 1700 wrote to memory of 2216	1700	003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe	28
PID 2216 wrote to memory of 2736	2216	explorer.exe	29
PID 2216 wrote to memory of 2736	2216	explorer.exe	29
PID 2216 wrote to memory of 2736	2216	explorer.exe	29
PID 2216 wrote to memory of 2736	2216	explorer.exe	29
PID 2736 wrote to memory of 2776	2736	spoolsv.exe	30
PID 2736 wrote to memory of 2776	2736	spoolsv.exe	30
PID 2736 wrote to memory of 2776	2736	spoolsv.exe	30
PID 2736 wrote to memory of 2776	2736	spoolsv.exe	30
PID 2776 wrote to memory of 2772	2776	svchost.exe	31
PID 2776 wrote to memory of 2772	2776	svchost.exe	31
PID 2776 wrote to memory of 2772	2776	svchost.exe	31
PID 2776 wrote to memory of 2772	2776	svchost.exe	31
PID 2776 wrote to memory of 2572	2776	svchost.exe	32
PID 2776 wrote to memory of 2572	2776	svchost.exe	32
PID 2776 wrote to memory of 2572	2776	svchost.exe	32
PID 2776 wrote to memory of 2572	2776	svchost.exe	32
PID 2776 wrote to memory of 1216	2776	svchost.exe	36
PID 2776 wrote to memory of 1216	2776	svchost.exe	36
PID 2776 wrote to memory of 1216	2776	svchost.exe	36
PID 2776 wrote to memory of 1216	2776	svchost.exe	36
PID 2776 wrote to memory of 1492	2776	svchost.exe	38
PID 2776 wrote to memory of 1492	2776	svchost.exe	38
PID 2776 wrote to memory of 1492	2776	svchost.exe	38
PID 2776 wrote to memory of 1492	2776	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe
"C:\Users\Admin\AppData\Local\Temp\003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2216
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2772
    - - C:\Windows\SysWOW64\at.exe
        
        at 20:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2572
    - - C:\Windows\SysWOW64\at.exe
        
        at 20:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1216
    - - C:\Windows\SysWOW64\at.exe
        
        at 20:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
69KB

MD5
53e058eb67d27919d22ad823509d000d

SHA1
e870cc70d8cd11eb9e78e4bdec7c50af6e4cf0ce

SHA256
268fe1b08b458e1f3b44e55f0a0b2b1271b152a0ed6da6390496d38b93d82e02

SHA512
30afcbe9df6f62c5b0d9dfe8bbcc2b1f38a831cfef968860229ca8d19df5f853e9866d0ffcef1ef6cb8400934a74dfffa5caaa3ffc108ea83ef718647e2237c1

Download Submit
\Windows\system\explorer.exe

Filesize
69KB

MD5
659caf2e796eb60dd7496e62a846468c

SHA1
5dd91df4c4a9629ca1225ad7034fe7a59f25b664

SHA256
8f3dc14051f6dcb7266e972a7aeeb1deba5c2b81583edb509a336964b44d2373

SHA512
bb37c80c989acb2d620f060ad89b451a07fbecf2d615e7915770a0fea9d49bc3797927d4fbb7050fed39c26fb60ee74cca072c8bbeea2b5502a1ea3a43336400

Download Submit
\Windows\system\spoolsv.exe

Filesize
69KB

MD5
86232b41d7f23c26db25a95be58c9af8

SHA1
86c77796a1fe16a74bdf1646640b6e44d664c82d

SHA256
711b006cec41678a3c95617f11223a810f6574cda2fec34771b20c3a9ceb48ad

SHA512
a57547bcd80d6a0c3e809f2c3825a0f8257453032b57b2072e842342c60b59f65565e6d6bd21efbeafd81cdbaa746a92fb497d55ff805e97dd8147feaa665198

Download Submit
\Windows\system\svchost.exe

Filesize
69KB

MD5
6245eb795942fb4b2ef1489007805131

SHA1
d613b54f882ca3d0420fc0e77b4723238adcdf5c

SHA256
a0e7aee1107f7cf895e8bda11e3ad7d2b12367cedcdeaa2373c38d5aae52a8dd

SHA512
0899c6c5249d22ece659e4bcd11c47e21f53265003145abf28b6dfa29b4d7b420dca516fbe925fe5d86158adff1235fea1c14d6e398bd0d30a4fe6af024a2af3

Download Submit
memory/1700-11-0x0000000002D60000-0x0000000002D94000-memory.dmp

Filesize
208KB

Download
memory/1700-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-13-0x0000000002D60000-0x0000000002D94000-memory.dmp

Filesize
208KB

Download
memory/1700-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-41-0x00000000031C0000-0x00000000031F4000-memory.dmp

Filesize
208KB

Download
memory/2736-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download