e0d298ae550ca244ef77ab580cf337c07b87eeab170d8b002946c4c7924d5afd

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0d298ae550ca244ef77ab580cf337c07b87eeab170d8b002946c4c7924d5afd.exe
Size

66KB
MD5

8c9a9435c35e8a64754499f8e12db43f
SHA1

c3f84db08e11242cb1859b075ea8aadb0dd3565a
SHA256

e0d298ae550ca244ef77ab580cf337c07b87eeab170d8b002946c4c7924d5afd
SHA512

1f28905da2090fe27e7fab3276260ffe3886a5b5520832e77cc9fd063c064b1ac1f1c2ea4da1f3ed4b286555cbe9d69bcb35cb089cfff590b66627b665a93bed
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiN:IeklMMYJhqezw/pXzH9iN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2028	explorer.exe
2624	spoolsv.exe
2840	svchost.exe
2548	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
868	e0d298ae550ca244ef77ab580cf337c07b87eeab170d8b002946c4c7924d5afd.exe
868	e0d298ae550ca244ef77ab580cf337c07b87eeab170d8b002946c4c7924d5afd.exe
2028	explorer.exe
2028	explorer.exe
2624	spoolsv.exe
2624	spoolsv.exe
2840	svchost.exe
2840	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	e0d298ae550ca244ef77ab580cf337c07b87eeab170d8b002946c4c7924d5afd.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
868	e0d298ae550ca244ef77ab580cf337c07b87eeab170d8b002946c4c7924d5afd.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2840	svchost.exe
2840	svchost.exe
2028	explorer.exe
2840	svchost.exe
2840	svchost.exe
2028	explorer.exe
2840	svchost.exe
2028	explorer.exe
2840	svchost.exe
2028	explorer.exe
2840	svchost.exe
2028	explorer.exe
2840	svchost.exe
2028	explorer.exe
2840	svchost.exe
2028	explorer.exe
2840	svchost.exe
2028	explorer.exe
2028	explorer.exe
2840	svchost.exe
2840	svchost.exe
2028	explorer.exe
2840	svchost.exe
2028	explorer.exe
2028	explorer.exe
2840	svchost.exe
2028	explorer.exe
2840	svchost.exe
2840	svchost.exe
2028	explorer.exe
2028	explorer.exe
2840	svchost.exe
2028	explorer.exe
2840	svchost.exe
2028	explorer.exe
2840	svchost.exe
2840	svchost.exe
2028	explorer.exe
2028	explorer.exe
2840	svchost.exe
2840	svchost.exe
2028	explorer.exe
2028	explorer.exe
2840	svchost.exe
2840	svchost.exe
2028	explorer.exe
2028	explorer.exe
2840	svchost.exe
2840	svchost.exe
2028	explorer.exe
2840	svchost.exe
2028	explorer.exe
2028	explorer.exe
2840	svchost.exe
2028	explorer.exe
2840	svchost.exe
2028	explorer.exe
2840	svchost.exe
2840	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2028	explorer.exe
2840	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
868	e0d298ae550ca244ef77ab580cf337c07b87eeab170d8b002946c4c7924d5afd.exe
868	e0d298ae550ca244ef77ab580cf337c07b87eeab170d8b002946c4c7924d5afd.exe
2028	explorer.exe
2028	explorer.exe
2624	spoolsv.exe
2624	spoolsv.exe
2840	svchost.exe
2840	svchost.exe
2548	spoolsv.exe
2548	spoolsv.exe
2028	explorer.exe
2028	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 2028	868	e0d298ae550ca244ef77ab580cf337c07b87eeab170d8b002946c4c7924d5afd.exe	28
PID 868 wrote to memory of 2028	868	e0d298ae550ca244ef77ab580cf337c07b87eeab170d8b002946c4c7924d5afd.exe	28
PID 868 wrote to memory of 2028	868	e0d298ae550ca244ef77ab580cf337c07b87eeab170d8b002946c4c7924d5afd.exe	28
PID 868 wrote to memory of 2028	868	e0d298ae550ca244ef77ab580cf337c07b87eeab170d8b002946c4c7924d5afd.exe	28
PID 2028 wrote to memory of 2624	2028	explorer.exe	29
PID 2028 wrote to memory of 2624	2028	explorer.exe	29
PID 2028 wrote to memory of 2624	2028	explorer.exe	29
PID 2028 wrote to memory of 2624	2028	explorer.exe	29
PID 2624 wrote to memory of 2840	2624	spoolsv.exe	30
PID 2624 wrote to memory of 2840	2624	spoolsv.exe	30
PID 2624 wrote to memory of 2840	2624	spoolsv.exe	30
PID 2624 wrote to memory of 2840	2624	spoolsv.exe	30
PID 2840 wrote to memory of 2548	2840	svchost.exe	31
PID 2840 wrote to memory of 2548	2840	svchost.exe	31
PID 2840 wrote to memory of 2548	2840	svchost.exe	31
PID 2840 wrote to memory of 2548	2840	svchost.exe	31
PID 2840 wrote to memory of 2852	2840	svchost.exe	32
PID 2840 wrote to memory of 2852	2840	svchost.exe	32
PID 2840 wrote to memory of 2852	2840	svchost.exe	32
PID 2840 wrote to memory of 2852	2840	svchost.exe	32
PID 2840 wrote to memory of 1796	2840	svchost.exe	36
PID 2840 wrote to memory of 1796	2840	svchost.exe	36
PID 2840 wrote to memory of 1796	2840	svchost.exe	36
PID 2840 wrote to memory of 1796	2840	svchost.exe	36
PID 2840 wrote to memory of 108	2840	svchost.exe	38
PID 2840 wrote to memory of 108	2840	svchost.exe	38
PID 2840 wrote to memory of 108	2840	svchost.exe	38
PID 2840 wrote to memory of 108	2840	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\e0d298ae550ca244ef77ab580cf337c07b87eeab170d8b002946c4c7924d5afd.exe
"C:\Users\Admin\AppData\Local\Temp\e0d298ae550ca244ef77ab580cf337c07b87eeab170d8b002946c4c7924d5afd.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2028
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2548
    - - C:\Windows\SysWOW64\at.exe
        
        at 03:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\at.exe
        
        at 03:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1796
    - - C:\Windows\SysWOW64\at.exe
        
        at 03:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
66KB

MD5
abdb1dd424ee2cb2b5d8b9d3001427af

SHA1
a09a8b2b1351dd3ca3a344398e09e82e133c8605

SHA256
ec2e3a5939f908e069557e1ac9c819628f8f12617993d55bc27728431cf71639

SHA512
6c7a7047a6f513d6579fea8fda13059f25e6e9c4c9b2227a42d752d326486b0e98ad406dc87c5b79a9fcc811f8b6b5d17099d0f12558419fa8a00ae5ec46429f

Download Submit
\Windows\system\explorer.exe

Filesize
66KB

MD5
9fe99f2a2ea317e4db7f727e6e462f83

SHA1
eb406eb5f70a9d7dd1ffb66f5979599b6d23ac69

SHA256
1dc4617132cd1ebfc349696789fcf50f135a371b44ed29e44310fcb3118434d7

SHA512
3a49aa78a48f476452ddace24fb15fdd1ff6f04e2b96544d3ebde4a91e167dd5369914398f3e647ad4d1c50b070773ade6a39191cfb7a31195bf9694a060cdd8

Download Submit
\Windows\system\spoolsv.exe

Filesize
66KB

MD5
6985c84ff2a03df00804017c5f63f2ce

SHA1
a404910d180fc7bdadf84e4edd4d24d5a30aa4eb

SHA256
27d15b8b8405fbe75c9eadaeabcc5092482e359cd3b28b27b7ef14a64e0e095e

SHA512
9adedd373181b993662fc1fb5dd094a89f92f6132bbd541bb87deca0d705200ce0af43915c6f78695db9576c17ff229bd80ad28cb2988bbf2d924f1ddeac555e

Download Submit
\Windows\system\svchost.exe

Filesize
66KB

MD5
58a94f9eb8110385d505010dff4f22f8

SHA1
67ac3e8017e2dd64f0e7438be51df00c45f4f09e

SHA256
032dfb4ac1cd4476b4d5ff5b09885fbf0a77553c1bc619aead1280f860e0985d

SHA512
0a5a34425ea48ef2d3451fbd05aa3f88e8eb69fc3cb1e068b564fa85648cd0a986dc36304200c655c7a9601c68b14513afbc6384d0423915950e5e4c6f32b66b

Download Submit
memory/868-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/868-13-0x0000000003370000-0x00000000033A1000-memory.dmp

Filesize
196KB

Download
memory/868-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/868-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/868-53-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/868-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/868-79-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/868-80-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/868-59-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/868-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2028-20-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2028-34-0x0000000003140000-0x0000000003171000-memory.dmp

Filesize
196KB

Download
memory/2028-18-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2028-94-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2028-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2028-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2028-35-0x0000000003140000-0x0000000003171000-memory.dmp

Filesize
196KB

Download
memory/2548-67-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2548-73-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2624-40-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2624-36-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2624-75-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2624-51-0x0000000003140000-0x0000000003171000-memory.dmp

Filesize
196KB

Download
memory/2840-66-0x0000000002580000-0x00000000025B1000-memory.dmp

Filesize
196KB

Download
memory/2840-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2840-85-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2840-55-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2840-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download