Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 02:30
Behavioral task
behavioral1
Sample
bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe
Resource
win10v2004-20240508-en
General
Target: bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe
Size: 69KB
MD5: f56f004d5b096f4907fa0197eab2d21f
SHA1: 34ce1851628e4d38e2d9439440fe73e1ff98ee4a
SHA256: bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063
SHA512: fcd0b3b0409762cecc2602113b227b67b34ab81ae45e992b877594ff8631736fa5db730d8c0f8a37d409ae17b96008323245d46dac1f498839f528260b603ed7
SSDEEP: 1536:EJrFDMRyriCY/qXfatMp4Q2V6fIMxIpL9:0F8dCY85TE6fIMSR9
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
UPX dump on OEP (original entry point) 13 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Roaming\mrsys.exe | UPX
behavioral1/memory/1152-59-0x0000000000400000-0x0000000000434000-memory.dmp | UPX
behavioral1/memory/840-55-0x0000000000400000-0x0000000000434000-memory.dmp | UPX
behavioral1/memory/2728-53-0x0000000000400000-0x0000000000434000-memory.dmp | UPX
C:\Windows\system\spoolsv.exe | UPX
\??\c:\windows\system\svchost.exe | UPX
behavioral1/memory/2080-27-0x0000000002580000-0x00000000025B4000-memory.dmp | UPX
\??\c:\windows\system\explorer.exe | UPX
behavioral1/memory/2080-14-0x0000000000400000-0x0000000000434000-memory.dmp | UPX
behavioral1/memory/1152-0-0x0000000000400000-0x0000000000434000-memory.dmp | UPX
behavioral1/memory/2080-61-0x0000000000400000-0x0000000000434000-memory.dmp | UPX
behavioral1/memory/2616-63-0x0000000000400000-0x0000000000434000-memory.dmp | UPX
behavioral1/memory/2080-72-0x0000000000400000-0x0000000000434000-memory.dmp | UPX
Modifies Installed Components in the registry 2 TTPs 8 IoCs
Processes: svchost.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Executes dropped EXE 4 IoCs
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
2080 | explorer.exe
840 | spoolsv.exe
2616 | svchost.exe
2728 | spoolsv.exe
Loads dropped DLL 8 IoCs
Processes: bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe, explorer.exe, spoolsv.exe, svchost.exe
pid | process
1152 | bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe
1152 | bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe
2080 | explorer.exe
2080 | explorer.exe
840 | spoolsv.exe
840 | spoolsv.exe
2616 | svchost.exe
2616 | svchost.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\mrsys.exe | upx
behavioral1/memory/1152-59-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/840-55-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2728-53-0x0000000000400000-0x0000000000434000-memory.dmp | upx
C:\Windows\system\spoolsv.exe | upx
\??\c:\windows\system\svchost.exe | upx
behavioral1/memory/2080-27-0x0000000002580000-0x00000000025B4000-memory.dmp | upx
\??\c:\windows\system\explorer.exe | upx
behavioral1/memory/2080-14-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/1152-0-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2080-61-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2616-63-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2080-72-0x0000000000400000-0x0000000000434000-memory.dmp | upx
Adds Run key to start application 2 TTPs 4 IoCs
Processes: svchost.exe, explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Drops file in Windows directory 6 IoCs
Processes: bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe, explorer.exe, spoolsv.exe, svchost.exe
description | ioc | process
File opened for modification | \??\c:\windows\system\explorer.exe | bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe, explorer.exe, svchost.exe
pid | process
1152 | bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe
2080 | explorer.exe (repeated hits)
2616 | svchost.exe (repeated hits)
(64 IoCs in total; the report lists the same three pid/process pairs over and over, with explorer.exe and svchost.exe alternating after the first few entries.)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: explorer.exe, svchost.exe
pid | process
2080 | explorer.exe
2616 | svchost.exe
Suspicious use of SetWindowsHookEx 12 IoCs
Processes: bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
1152 | bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe
1152 | bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe
2080 | explorer.exe
2080 | explorer.exe
840 | spoolsv.exe
840 | spoolsv.exe
2616 | svchost.exe
2616 | svchost.exe
2728 | spoolsv.exe
2728 | spoolsv.exe
2080 | explorer.exe
2080 | explorer.exe
Suspicious use of WriteProcessMemory 28 IoCs
Processes: bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe, explorer.exe, spoolsv.exe, svchost.exe
description | pid | process | target process
PID 1152 wrote to memory of 2080 | 1152 | bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe | explorer.exe (4 entries)
PID 2080 wrote to memory of 840 | 2080 | explorer.exe | spoolsv.exe (4 entries)
PID 840 wrote to memory of 2616 | 840 | spoolsv.exe | svchost.exe (4 entries)
PID 2616 wrote to memory of 2728 | 2616 | svchost.exe | spoolsv.exe (4 entries)
PID 2616 wrote to memory of 2440 | 2616 | svchost.exe | at.exe (4 entries)
PID 2616 wrote to memory of 1924 | 2616 | svchost.exe | at.exe (4 entries)
PID 2616 wrote to memory of 2132 | 2616 | svchost.exe | at.exe (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bd88cf8c700d7064f3738f7349dab2224b9ff4eae69bd2459f35d19c4cf78063.exe"
  PID: 1152
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe
    command line: c:\windows\system\explorer.exe
    PID: 2080
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe
      command line: c:\windows\system\spoolsv.exe SE
      PID: 840
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe
        command line: c:\windows\system\svchost.exe
        PID: 2616
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe PR
          PID: 2728
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe
          command line: at 02:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2440
        C:\Windows\SysWOW64\at.exe
          command line: at 02:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1924
        C:\Windows\SysWOW64\at.exe
          command line: at 02:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2132
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads

Filesize: 69KB
MD5: 7a0e8d962e892572eb337c1c031856b2
SHA1: a1c78a29496cc26205be47b58f7ee15921837ccc
SHA256: b8f73c587d4940565db14212f0811ea29ae947331d3df3c4662152392276aaa8
SHA512: 6c8198df7c7c3ff30bfffcd62035647086ead92b2fd0fb71643ae7b0c9aa2c7e6232ec26bb680c3f282c22f850e5dc0ddaed7234954172a81a8b464f38ef3b6c

Filesize: 69KB
MD5: 6b8398971968cb90baa2c85442987734
SHA1: 808317589f85140e82fd860aa608676b33f161ff
SHA256: 221f2b6759ebd2c8f6cdbcbc721b8f211ca04928f638b55db95af751155a91b9
SHA512: b2f26c94f886eb603512300aa086c8f7b3d5a04f5e978ff96701159ae49a84e1620cb555cd04089e3b2a4fc7dd066176c13a44230f7ae2fbf7e47ba632a6868f

Filesize: 69KB
MD5: 922b12df24cc0525d1c186f54ed81e92
SHA1: 780a07d750b376780929f37b586b4fde2a8a75d5
SHA256: 09f35e6557007cbcda2d363bcfe9537b915c7336868ee675d5d7920ab3eb2d73
SHA512: 83fb2ef8c072e1d9493db53b4f0b6b01df14dbc1c0d3e253f6206af8bbc506ac9aa83a932ff0c138144118f7f3b6a3c5e4a4ffa4828158eba5259e3d1aeb3cd0

Filesize: 69KB
MD5: 6f11b1179d3c26ad70c348f1154dfc10
SHA1: 92748ae134aad24772bbae4249d89a87a6ee54f6
SHA256: c0d3a6fd7c3dff3d454166756d2f02bb15456195d763a41c3a7744adc003f3fe
SHA512: 07ae95447e75f872e6848142458d92d1a70b1c7ebd482101284ecb6f8582f4e4e1f7f1bd597db526bb6d44ac5061636ea7245f3254d9da2f185dad90019658a6