5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22/05/2024, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68.exe
Size

211KB
MD5

7e500640e10c71bea60fce063a52b151
SHA1

9856d7b0f806109275fc4bc159fd8528254bfa5b
SHA256

5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68
SHA512

852036fee52d251bb13d96d57dfdbe94c830f1afcd86b5226124e93c94664896688597ebe536e3fc69bd51d84598e9c7d57f8f11820e04ce2c606e1e99a7924c
SSDEEP

3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqO/:Jh8cBzHLRMpZ4d1Z/

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	swchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	swchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	userinit.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2788	userinit.exe
2624	spoolsw.exe
2552	swchost.exe
2692	spoolsw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	swchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system\udsys.exe	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\spoolsw.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	spoolsw.exe
File opened for modification	\??\c:\windows\userinit.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	swchost.exe
File opened for modification	\??\c:\windows\userinit.exe	5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68.exe
2788	userinit.exe
2788	userinit.exe
2788	userinit.exe
2552	swchost.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe
2788	userinit.exe
2552	swchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2788	userinit.exe
2552	swchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3016	5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68.exe
3016	5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68.exe
2788	userinit.exe
2788	userinit.exe
2624	spoolsw.exe
2624	spoolsw.exe
2552	swchost.exe
2552	swchost.exe
2692	spoolsw.exe
2692	spoolsw.exe
2788	userinit.exe
2788	userinit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2788	3016	5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68.exe	29
PID 3016 wrote to memory of 2788	3016	5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68.exe	29
PID 3016 wrote to memory of 2788	3016	5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68.exe	29
PID 3016 wrote to memory of 2788	3016	5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68.exe	29
PID 2788 wrote to memory of 2624	2788	userinit.exe	30
PID 2788 wrote to memory of 2624	2788	userinit.exe	30
PID 2788 wrote to memory of 2624	2788	userinit.exe	30
PID 2788 wrote to memory of 2624	2788	userinit.exe	30
PID 2624 wrote to memory of 2552	2624	spoolsw.exe	31
PID 2624 wrote to memory of 2552	2624	spoolsw.exe	31
PID 2624 wrote to memory of 2552	2624	spoolsw.exe	31
PID 2624 wrote to memory of 2552	2624	spoolsw.exe	31
PID 2552 wrote to memory of 2692	2552	swchost.exe	32
PID 2552 wrote to memory of 2692	2552	swchost.exe	32
PID 2552 wrote to memory of 2692	2552	swchost.exe	32
PID 2552 wrote to memory of 2692	2552	swchost.exe	32

C:\Users\Admin\AppData\Local\Temp\5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68.exe
"C:\Users\Admin\AppData\Local\Temp\5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016
- \??\c:\windows\userinit.exe
  c:\windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2788
- - \??\c:\windows\spoolsw.exe
    c:\windows\spoolsw.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - \??\c:\windows\swchost.exe
      c:\windows\swchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2552
    - - \??\c:\windows\spoolsw.exe
        
        c:\windows\spoolsw.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mrsys.exe

Filesize
211KB

MD5
c1a9bb1541a5d205166b6d333303d9b2

SHA1
5037d91aaa11c905ecccda9fd45ba36eb8a26f0f

SHA256
f1a88fed8e39b3ecba2971080c62459ded6420b7eeb2cb8e6a4eed9a67cde286

SHA512
46524d397689224606eff580da715872a9958ab7ac917b8f3d9a6a08bd9d63817f0fede4787897a3d12c91c1edc2c36b002b55221091a10da04d3eafd399637a

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
81fed6c522e27f6a55d5b06374fff6ff

SHA1
99ac2f82804671c66af92c496db2976c5e8d5c96

SHA256
263a9ca3c5478ba5914e9dc47e0ec56e76354ca82123fb433e5317fb4437c8d8

SHA512
b77725ab200b4ebb5128c59504a147088b048315b6ee6f10bcabc6db6b531333bbec496b81c082e6bcb3a111f2fa38b27d86eda4c1591707cf0f2502ccc045d7

Download Submit
C:\Windows\swchost.exe

Filesize
211KB

MD5
d7eff5ac0231acf944d769bd7bf68ad3

SHA1
0fb1ac9691f080c5b5ab05b9eff805ebcd035041

SHA256
62f81b7f7072024e7017f4ed4671364ea320ea193a31adfc81385fb407f7f458

SHA512
a495693746765bee5298c43fb3cf71d0beed5cf4e303f996c0b4806fb9c8df198a289f408f3da9b94bb5729ac9c83c7bb6ab20c00dafcc8105c774de554d8fa3

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
039e18d8ed8eecb12450f12613865142

SHA1
267bbd39576c8937c1858f482bb1626f8bbaae62

SHA256
1498fcc844b9611f7964b538e97d0acc02c04f12d18275dd71d03a653be4863c

SHA512
bfc2101c6e717a1c7b87b938994aed17d8bcef2b529ba6a37d14149a8a13da8c5005720e4d0a709dee1d518574f8fe462436464ce841a381a6339f133c4b7f44

Download Submit