Analysis

max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 05:16

Static task: static1

Behavioral task: behavioral1
  Sample: f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe
  Resource: win10v2004-20240508-en
General

Target: f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe
Size: 66KB
MD5: 87a2bb2b79956f8fd7ea71ae7d0782fe
SHA1: ae16645d2f25b83016dc8e32d2ae9dce4dcf6eac
SHA256: f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103
SHA512: 2fcfe2af5e26430ddc390dddc90cc0da986e123538e5f194590a5caaa0e4985355ce55e42a495498b7e081d783f27e0d32a5ee3893132eac9ac2d0ba0e227b4e
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi5oKoKoKoKoKoKoKoKoKoKr:IeklMMYJhqezw/pXzH9ix
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
  description      ioc                                                                                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  svchost.exe
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
  description      ioc                                                                                                                                    process
  Set value (int)  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  explorer.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  svchost.exe
-
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: svchost.exe, explorer.exe
  description      ioc                                                                                                                                                                       process
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}                                                   svchost.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}                                                   explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  explorer.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}                                                   svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  svchost.exe
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}                                                   svchost.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}                                                   svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  svchost.exe
-
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid   process
  1544  explorer.exe
  312   spoolsv.exe
  2208  svchost.exe
  808   spoolsv.exe
-
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: svchost.exe, explorer.exe
  description      ioc                                                                                                                  process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"    svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"    explorer.exe
-
Drops file in Windows directory (6 IoCs)
Processes: f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe, explorer.exe, spoolsv.exe, svchost.exe
  description                   ioc                                  process
  File opened for modification  \??\c:\windows\system\explorer.exe   f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe
  File opened for modification  \??\c:\windows\system\spoolsv.exe    explorer.exe
  File opened for modification  \??\c:\windows\system\svchost.exe    spoolsv.exe
  File opened for modification  \??\c:\windows\system\explorer.exe   explorer.exe
  File opened for modification  \??\c:\windows\system\svchost.exe    svchost.exe
  File opened for modification  C:\Windows\system\udsys.exe          explorer.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe, explorer.exe, svchost.exe
  The 64 IoCs are repeated process-enumeration events from three processes:
  pid   process
  1148  f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe
  1544  explorer.exe
  2208  svchost.exe
-
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
  pid   process
  1544  explorer.exe
  2208  svchost.exe
-
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid   process                                                                count
  1148  f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe  2
  1544  explorer.exe                                                           2
  312   spoolsv.exe                                                            2
  2208  svchost.exe                                                            2
  808   spoolsv.exe                                                            2
  1544  explorer.exe                                                           2
-
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe, explorer.exe, spoolsv.exe, svchost.exe
  Each parent wrote to its child three times (7 parent/child pairs, 21 events):
  pid   process                                                                target pid  target process
  1148  f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe  1544        explorer.exe
  1544  explorer.exe                                                           312         spoolsv.exe
  312   spoolsv.exe                                                            2208        svchost.exe
  2208  svchost.exe                                                            808         spoolsv.exe
  2208  svchost.exe                                                            4864        at.exe
  2208  svchost.exe                                                            5076        at.exe
  2208  svchost.exe                                                            2320        at.exe
Processes (tree depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe"
    PID: 1148
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\windows\system\explorer.exe  (parent PID 1148)
        Command line: c:\windows\system\explorer.exe
        PID: 1544
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] \??\c:\windows\system\spoolsv.exe  (parent PID 1544)
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 312
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] \??\c:\windows\system\svchost.exe  (parent PID 312)
                Command line: c:\windows\system\svchost.exe
                PID: 2208
                - Modifies WinLogon for persistence
                - Modifies visibility of hidden/system files in Explorer
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] \??\c:\windows\system\spoolsv.exe  (parent PID 2208)
                    Command line: c:\windows\system\spoolsv.exe PR
                    PID: 808
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx

                [5] C:\Windows\SysWOW64\at.exe  (parent PID 2208)
                    Command line: at 05:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 4864

                [5] C:\Windows\SysWOW64\at.exe  (parent PID 2208)
                    Command line: at 05:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 5076

                [5] C:\Windows\SysWOW64\at.exe  (parent PID 2208)
                    Command line: at 05:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 2320
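Everything in this tree except the initial dropper and at.exe runs under a Windows system binary name (explorer.exe, spoolsv.exe, svchost.exe) from c:\windows\system, a directory none of those binaries ships in, and the fake svchost.exe then calls at.exe three times to schedule itself daily. The Python below is an added example written for this page, not code from the report or from the sample. It encodes the tree as (pid, parent pid, image, command line) tuples, flags the name/path masquerading, reconstructs each at.exe invocation's ancestry and parses the job it tried to create. The expected-directory table and the parent links (taken from the tree depth and the WriteProcessMemory entries) are this example's assumptions. One caveat: at.exe is deprecated from Windows 8 onward and refuses to create jobs, so on the Windows 10 run shown here these three invocations most likely created nothing; on the Windows 7 run (behavioral1) they would have. The command lines are worth alerting on either way.

```python
import ntpath
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed from the process tree above: (pid, parent pid, image path, command line).
# The sample's own parent is outside the tree, so it is recorded as None.
Proc = Tuple[int, Optional[int], str, str]
SAMPLE_PROCESSES: List[Proc] = [
    (1148, None, r'C:\Users\Admin\AppData\Local\Temp\f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe',
                 r'"C:\Users\Admin\AppData\Local\Temp\f3578a382a156f3da91e5dd1c0fe5ac7fe40954dfc5fd95e3d222e4b8f130103.exe"'),
    (1544, 1148, r'c:\windows\system\explorer.exe', r'c:\windows\system\explorer.exe'),
    (312,  1544, r'c:\windows\system\spoolsv.exe',  r'c:\windows\system\spoolsv.exe SE'),
    (2208, 312,  r'c:\windows\system\svchost.exe',  r'c:\windows\system\svchost.exe'),
    (808,  2208, r'c:\windows\system\spoolsv.exe',  r'c:\windows\system\spoolsv.exe PR'),
    (4864, 2208, r'C:\Windows\SysWOW64\at.exe', r'at 05:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe'),
    (5076, 2208, r'C:\Windows\SysWOW64\at.exe', r'at 05:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe'),
    (2320, 2208, r'C:\Windows\SysWOW64\at.exe', r'at 05:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe'),
]

# Directories these Windows binaries are shipped in (lower case, no trailing slash).
# This table is an assumption of the example; extend it for your own environment.
EXPECTED_DIRS: Dict[str, Set[str]] = {
    'explorer.exe': {r'c:\windows'},
    'svchost.exe':  {r'c:\windows\system32', r'c:\windows\syswow64'},
    'spoolsv.exe':  {r'c:\windows\system32'},
    'at.exe':       {r'c:\windows\system32', r'c:\windows\syswow64'},
}


def masquerading(procs: List[Proc]) -> List[Tuple[int, str]]:
    """T1036.005: well-known binary names running from a directory they never ship in."""
    hits = []
    for pid, _ppid, image, _cmd in procs:
        directory, name = ntpath.split(image.lower())
        if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
            hits.append((pid, image))
    return hits


def ancestry(procs: List[Proc], pid: int) -> List[int]:
    """PIDs from the tree root down to pid (cycle-safe)."""
    by_pid = {p[0]: p for p in procs}
    chain: List[int] = []
    cur: Optional[int] = pid
    while cur is not None and cur in by_pid and cur not in chain:
        chain.append(cur)
        cur = by_pid[cur][1]
    return chain[::-1]


# at [\\computer] time [/interactive] [/every:days | /next:days] command
AT_RE = re.compile(
    r'^at(?:\.exe)?\s+(?:\\\\\S+\s+)?'
    r'(?P<time>\d{1,2}:\d{2})\s+'
    r'(?P<flags>(?:/\S+\s+)*)'
    r'(?P<command>.+)$', re.I)


def parse_at(cmdline: str) -> Optional[dict]:
    """Decode an at.exe job creation into time, /interactive, /every: days and the command."""
    m = AT_RE.match(cmdline.strip())
    if not m:
        return None
    flags = m.group('flags').split()
    days: List[str] = []
    for f in flags:
        if f.lower().startswith('/every:'):
            days = f.split(':', 1)[1].split(',')
    return {
        'time': m.group('time'),
        'interactive': any(f.lower() == '/interactive' for f in flags),
        'days': days,
        'command': m.group('command').strip(),
    }


def suspicious_at_jobs(procs: List[Proc]) -> List[dict]:
    """at.exe jobs whose scheduled target masquerades, or whose ancestry contains a masquerader."""
    bad = {pid for pid, _ in masquerading(procs)}
    out = []
    for pid, _ppid, image, cmd in procs:
        if ntpath.basename(image).lower() != 'at.exe':
            continue
        job = parse_at(cmd)
        if job is None:
            continue
        target_dir, target_name = ntpath.split(job['command'].split()[0].lower())
        target_masq = target_name in EXPECTED_DIRS and target_dir not in EXPECTED_DIRS[target_name]
        lineage = ancestry(procs, pid)
        if target_masq or any(a in bad for a in lineage):
            out.append({'pid': pid, 'lineage': lineage, **job})
    return out


if __name__ == '__main__':
    for pid, image in masquerading(SAMPLE_PROCESSES):
        print(f'masquerading: pid {pid} {image}')
    for job in suspicious_at_jobs(SAMPLE_PROCESSES):
        print(f"at job from pid {job['pid']} lineage {job['lineage']}: {job['time']} "
              f"days={','.join(job['days'])} interactive={job['interactive']} -> {job['command']}")
```

The two checks are deliberately independent: a masquerading hit fires on the first child (explorer.exe from c:\windows\system) before any scheduling happens, and the at.exe rule fires even if the earlier processes were missed, because the scheduled target itself runs from the wrong directory.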
Network
MITRE ATT&CK Enterprise v15 (signature counts in parentheses)

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads

All four dropped files are 66KB, the same size as the submitted sample, yet each carries a different hash, so the hashes below identify these particular copies only; the behavioral indicators above are the more durable match.

C:\Users\Admin\AppData\Roaming\mrsys.exe
  Filesize: 66KB
  MD5: 91efeb329d1be28062e161247e243d77
  SHA1: 88bbcc5d12dafcf8ea16a0514f7a31792f20749b
  SHA256: 7dfbd357559bf89292c0dc7c1ada70ae9b06b2ffd49725c23fb619ddc01318fa
  SHA512: 9738c2b93a8c76ed7751c05583e122ff27306e0e8b9aa876a9079dd55f0a8eb49bddff464f4a404efdd661450237c35cbaedf5456f03fd79dee183a249d4e520
-
C:\Windows\System\explorer.exe
  Filesize: 66KB
  MD5: 91ff26b3b88d560d1832d9cd6cda2b6c
  SHA1: 4660233229db7b3695ae370c32fc12b68bc01162
  SHA256: 5b4ee14d61b7ad0ec4523a5c00dd0e775e05a9bda905aac40ffad11e6097a88c
  SHA512: 122cf14c20687382a8318b207f627e1fd1eb655c18afe78e7088c114583fa06ac515c68c1c383e00da5ff371d665f0fa6cf64ea018c598f5f6a1ac1de1b1f426
-
C:\Windows\System\spoolsv.exe
  Filesize: 66KB
  MD5: 565e6f57b96548eb5c461b5d1ac61a5c
  SHA1: ae047c3e1239d270087bdafe996496d6099aca3b
  SHA256: 5657727c315404f556b8421cd95663945cae0432282f6ada72cc6fab865d9284
  SHA512: 7f03bf0c57fac5943f225ac2e4b86029151e4014670633fe65bd08191f550b2d9f25e2c8aa20eb97730cfa29174314edd734f6e4f268e378f144d33bf5f9612e
-
C:\Windows\System\svchost.exe
  Filesize: 66KB
  MD5: b752753f1b1024280d5eb60ac4339a26
  SHA1: 3e944bc0d98bcffb26b50daed94fc3d504e0c08f
  SHA256: 3461d72c68e3426b033c01c54377947cda4df9f8e099f7bd2dd9e27518f77498
  SHA512: 94e60d531ef1089d1df89bd190751fa8d14501ee42584fcb108cb800edac763000038e800a4b7ec77ee2ccb1a76f1c4300bab4ff82eb36a1624ba66ee3339b7b
-
Memory dumps (pid-sequence-range)
  memory/312-54-0x0000000000400000-0x0000000000431000-memory.dmp    Filesize: 196KB
  memory/312-26-0x0000000075080000-0x00000000751DD000-memory.dmp    Filesize: 1.4MB
  memory/808-52-0x0000000000400000-0x0000000000431000-memory.dmp    Filesize: 196KB
  memory/808-44-0x0000000075080000-0x00000000751DD000-memory.dmp    Filesize: 1.4MB
  memory/1148-57-0x0000000000401000-0x000000000042E000-memory.dmp   Filesize: 180KB
  memory/1148-0-0x0000000000400000-0x0000000000431000-memory.dmp    Filesize: 196KB
  memory/1148-2-0x0000000075080000-0x00000000751DD000-memory.dmp    Filesize: 1.4MB
  memory/1148-5-0x0000000000401000-0x000000000042E000-memory.dmp    Filesize: 180KB
  memory/1148-3-0x0000000000400000-0x0000000000431000-memory.dmp    Filesize: 196KB
  memory/1148-1-0x00000000001C0000-0x00000000001C4000-memory.dmp    Filesize: 16KB
  memory/1148-55-0x0000000000400000-0x0000000000431000-memory.dmp   Filesize: 196KB
  memory/1544-13-0x0000000000400000-0x0000000000431000-memory.dmp   Filesize: 196KB
  memory/1544-14-0x0000000000400000-0x0000000000431000-memory.dmp   Filesize: 196KB
  memory/1544-17-0x0000000000400000-0x0000000000431000-memory.dmp   Filesize: 196KB
  memory/1544-15-0x0000000075080000-0x00000000751DD000-memory.dmp   Filesize: 1.4MB
  memory/1544-58-0x0000000000400000-0x0000000000431000-memory.dmp   Filesize: 196KB
  memory/1544-68-0x0000000000400000-0x0000000000431000-memory.dmp   Filesize: 196KB
  memory/2208-42-0x0000000000400000-0x0000000000431000-memory.dmp   Filesize: 196KB
  memory/2208-37-0x0000000075080000-0x00000000751DD000-memory.dmp   Filesize: 1.4MB
  memory/2208-36-0x0000000000400000-0x0000000000431000-memory.dmp   Filesize: 196KB
  memory/2208-59-0x0000000000400000-0x0000000000431000-memory.dmp   Filesize: 196KB