a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054.exe
Size

211KB
MD5

0622dbb63e1ea9a865dcc2862318646d
SHA1

c9bf1ea146228550404dc0f41aa51f64f0ec02ae
SHA256

a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054
SHA512

4468708bd56b9e1966a809525eab9cdc56a94cafc28ab47c7f8c89650ee17beec37de32c4f6117ec5be87c8d38b46e102d7b0f71a877e8953aaa606c33a3ac59
SSDEEP

3072:vDEPeJlYW1ea8HKHSRUN3jjXs9Y+MiMVB/w68PEAjAfIrAvGPZz6sPJBIiFe/GcX:vSAl1IK1aY+MiMVBSeh

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	swchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	swchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	userinit.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2664	userinit.exe
2624	spoolsw.exe
2636	swchost.exe
2684	spoolsw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	swchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\udsys.exe	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\userinit.exe	a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054.exe
File opened for modification	\??\c:\windows\spoolsw.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	spoolsw.exe
File opened for modification	\??\c:\windows\userinit.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	swchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054.exe
2664	userinit.exe
2664	userinit.exe
2664	userinit.exe
2636	swchost.exe
2636	swchost.exe
2664	userinit.exe
2636	swchost.exe
2664	userinit.exe
2636	swchost.exe
2636	swchost.exe
2664	userinit.exe
2636	swchost.exe
2664	userinit.exe
2664	userinit.exe
2636	swchost.exe
2636	swchost.exe
2664	userinit.exe
2636	swchost.exe
2664	userinit.exe
2664	userinit.exe
2636	swchost.exe
2636	swchost.exe
2664	userinit.exe
2664	userinit.exe
2636	swchost.exe
2664	userinit.exe
2636	swchost.exe
2636	swchost.exe
2664	userinit.exe
2664	userinit.exe
2636	swchost.exe
2636	swchost.exe
2664	userinit.exe
2636	swchost.exe
2664	userinit.exe
2636	swchost.exe
2664	userinit.exe
2636	swchost.exe
2664	userinit.exe
2664	userinit.exe
2636	swchost.exe
2664	userinit.exe
2636	swchost.exe
2636	swchost.exe
2664	userinit.exe
2664	userinit.exe
2636	swchost.exe
2636	swchost.exe
2664	userinit.exe
2636	swchost.exe
2664	userinit.exe
2636	swchost.exe
2664	userinit.exe
2664	userinit.exe
2636	swchost.exe
2636	swchost.exe
2664	userinit.exe
2636	swchost.exe
2664	userinit.exe
2636	swchost.exe
2664	userinit.exe
2664	userinit.exe
2636	swchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2636	swchost.exe
2664	userinit.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2196	a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054.exe
2196	a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054.exe
2664	userinit.exe
2664	userinit.exe
2624	spoolsw.exe
2624	spoolsw.exe
2636	swchost.exe
2636	swchost.exe
2684	spoolsw.exe
2684	spoolsw.exe
2664	userinit.exe
2664	userinit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2664	2196	a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054.exe	29
PID 2196 wrote to memory of 2664	2196	a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054.exe	29
PID 2196 wrote to memory of 2664	2196	a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054.exe	29
PID 2196 wrote to memory of 2664	2196	a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054.exe	29
PID 2664 wrote to memory of 2624	2664	userinit.exe	30
PID 2664 wrote to memory of 2624	2664	userinit.exe	30
PID 2664 wrote to memory of 2624	2664	userinit.exe	30
PID 2664 wrote to memory of 2624	2664	userinit.exe	30
PID 2624 wrote to memory of 2636	2624	spoolsw.exe	31
PID 2624 wrote to memory of 2636	2624	spoolsw.exe	31
PID 2624 wrote to memory of 2636	2624	spoolsw.exe	31
PID 2624 wrote to memory of 2636	2624	spoolsw.exe	31
PID 2636 wrote to memory of 2684	2636	swchost.exe	32
PID 2636 wrote to memory of 2684	2636	swchost.exe	32
PID 2636 wrote to memory of 2684	2636	swchost.exe	32
PID 2636 wrote to memory of 2684	2636	swchost.exe	32

C:\Users\Admin\AppData\Local\Temp\a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054.exe
"C:\Users\Admin\AppData\Local\Temp\a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196
- \??\c:\windows\userinit.exe
  c:\windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2664
- - \??\c:\windows\spoolsw.exe
    c:\windows\spoolsw.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - \??\c:\windows\swchost.exe
      c:\windows\swchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2636
    - - \??\c:\windows\spoolsw.exe
        
        c:\windows\spoolsw.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mrsys.exe

Filesize
211KB

MD5
6effffb3d22dcd31a0f5734adcbbe30f

SHA1
88b0c41c8d68f4ccc795a16a1aadbde4d5ae1024

SHA256
d8a92f8b58e41638211d9a40c08d29180d512b3051a0509fc126d0961e27a173

SHA512
c6a2796cca3821fb25c8ca2e41cfa5d4694555a3f1eacc45cd512f9ca093ef17c3c84c0540612d9f4455bf03bae1fc977fd2f67dcf1a7d8c4c3201afa7b069c8

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
af10eb4971e3cb637b7043b2c05ef48b

SHA1
8bf169dc39d7f4aad2344680b134fc72251c75b0

SHA256
45002407c0ab2591cc5ea34e997ecc28a003e927aed3c2d0e75d08c02f05b077

SHA512
ccc2843118c908c835abc7af30df5817ef407e9ab0da372cd27cae67328958b4d480a5c2c4ce8132a57b1faf15e4083f4c6b3779dde1188287416644d827a167

Download Submit
C:\Windows\swchost.exe

Filesize
211KB

MD5
db1259da4c45793bfa926aee6cc2f825

SHA1
a59154c4a36aa3f5fae7c3caaf7a8c6437f9e478

SHA256
b43fed0ded7c3f7ce4f662fe2bf837ab22d4eef2265ae9bcf550704dec0b01b4

SHA512
94bc9cb3e9d18d82d59a6a863d76966e422ae5d7eca618d867359fea22c222f6db327214714d0ca0e9f8e2f14f1ea3ae6379afc943cd2d4ed24c800e75a4ed4f

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
1925a847c225a7c20b914a9d985c2317

SHA1
0a150428a7d67e57af217fb2882963aec86265fe

SHA256
2445a88d117a47d2a8ff9e00cdaf3a37834611958379d9a112de28e2529f1b30

SHA512
3da977d262f586a0ae1381eef6aa57e047277444513b25b079252a938c6ec1fd7c7e1fa3784d0bdd34c29624787b74cafe5fd43b8dee0942d4e2d1e0f387f501

Download Submit