24965fe68a669f17d5a5e7aee73c302975c321174a415547a08d997b0e4d2840

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24965fe68a669f17d5a5e7aee73c302975c321174a415547a08d997b0e4d2840.exe
Size

206KB
MD5

3ad30b1b56f433615b64107644c2cedf
SHA1

3c9cc9693dd1eed23151cc923eafc27fef35c9fe
SHA256

24965fe68a669f17d5a5e7aee73c302975c321174a415547a08d997b0e4d2840
SHA512

0f4b41c007055c69d0e11646b10d8f33ac0c3e623fa18c1cec3f4210ca15ab2b0fc4e62bb0ec394aae841baf20774115e56260e29086dd9b155daec86006eb1f
SSDEEP

3072:YvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unpxxxxxxxxxxxxxxxxxxxxxZ:YvEN2U+T6i5LirrllHy4HUcMQY6c

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
620	explorer.exe
3396	spoolsv.exe
4980	svchost.exe
1440	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	24965fe68a669f17d5a5e7aee73c302975c321174a415547a08d997b0e4d2840.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4984	24965fe68a669f17d5a5e7aee73c302975c321174a415547a08d997b0e4d2840.exe
4984	24965fe68a669f17d5a5e7aee73c302975c321174a415547a08d997b0e4d2840.exe
620	explorer.exe
620	explorer.exe
620	explorer.exe
620	explorer.exe
620	explorer.exe
620	explorer.exe
4980	svchost.exe
4980	svchost.exe
4980	svchost.exe
4980	svchost.exe
620	explorer.exe
620	explorer.exe
4980	svchost.exe
4980	svchost.exe
620	explorer.exe
620	explorer.exe
4980	svchost.exe
4980	svchost.exe
620	explorer.exe
620	explorer.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
4980	svchost.exe
620	explorer.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
620	explorer.exe
4980	svchost.exe
4980	svchost.exe
620	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
620	explorer.exe
4980	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4984	24965fe68a669f17d5a5e7aee73c302975c321174a415547a08d997b0e4d2840.exe
4984	24965fe68a669f17d5a5e7aee73c302975c321174a415547a08d997b0e4d2840.exe
620	explorer.exe
620	explorer.exe
3396	spoolsv.exe
3396	spoolsv.exe
4980	svchost.exe
4980	svchost.exe
1440	spoolsv.exe
1440	spoolsv.exe
620	explorer.exe
620	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 620	4984	24965fe68a669f17d5a5e7aee73c302975c321174a415547a08d997b0e4d2840.exe	82
PID 4984 wrote to memory of 620	4984	24965fe68a669f17d5a5e7aee73c302975c321174a415547a08d997b0e4d2840.exe	82
PID 4984 wrote to memory of 620	4984	24965fe68a669f17d5a5e7aee73c302975c321174a415547a08d997b0e4d2840.exe	82
PID 620 wrote to memory of 3396	620	explorer.exe	83
PID 620 wrote to memory of 3396	620	explorer.exe	83
PID 620 wrote to memory of 3396	620	explorer.exe	83
PID 3396 wrote to memory of 4980	3396	spoolsv.exe	84
PID 3396 wrote to memory of 4980	3396	spoolsv.exe	84
PID 3396 wrote to memory of 4980	3396	spoolsv.exe	84
PID 4980 wrote to memory of 1440	4980	svchost.exe	85
PID 4980 wrote to memory of 1440	4980	svchost.exe	85
PID 4980 wrote to memory of 1440	4980	svchost.exe	85
PID 4980 wrote to memory of 1768	4980	svchost.exe	86
PID 4980 wrote to memory of 1768	4980	svchost.exe	86
PID 4980 wrote to memory of 1768	4980	svchost.exe	86
PID 4980 wrote to memory of 4904	4980	svchost.exe	96
PID 4980 wrote to memory of 4904	4980	svchost.exe	96
PID 4980 wrote to memory of 4904	4980	svchost.exe	96
PID 4980 wrote to memory of 4564	4980	svchost.exe	98
PID 4980 wrote to memory of 4564	4980	svchost.exe	98
PID 4980 wrote to memory of 4564	4980	svchost.exe	98

C:\Users\Admin\AppData\Local\Temp\24965fe68a669f17d5a5e7aee73c302975c321174a415547a08d997b0e4d2840.exe
"C:\Users\Admin\AppData\Local\Temp\24965fe68a669f17d5a5e7aee73c302975c321174a415547a08d997b0e4d2840.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4984
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:620
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1440
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1768
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4904
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
963db6d2983e428be189e265187d7761

SHA1
1dc1e10d83f14b0c8f0bf5bcff302169d6cfc080

SHA256
1f10db155e160fd318942108480df4bc539738227dbb297fc5e780772a7eadc2

SHA512
79d5c983c0b9bb4139068c133fd35a0952a593840ef1a7402bae1e6125afe9209da11b053dd95cd82145e5f5c78c4ddc024f2e76feca5f721ec54e31bd426c08

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
c29b50607fb3133b26fb82a2d4bdcf74

SHA1
d27a2957e267bb845f0a7f325c6ef05c93610646

SHA256
2f1d31500e833d8d28b02d0a67f004f1c36c1aeb35c8a570140f2a696ecfd9d1

SHA512
5b86765cb5cd376bff51aaea39bcff313cd47b114b93b6671c1ab089fbe77dbea337a8ad1983d48fdadb85d554b8d4966634fae131039920616b7b795160b759

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
28ffdcc6cb770b08a65a470eee64072d

SHA1
6206351caedc59dc81da60d174a3ee264cb270f4

SHA256
bb07d37d92c7e714f003bd8196b5a59ca7654045257ad989c538edaa8cb6b8ec

SHA512
f8e7f39efc1fb4d3cdfcccb6e86c09ca2db9368ef4fd1c095ec7351072ff231f3f8c6e3d03baa76c49fe1a025d0de61c1e14b059f71595d26581b481e7448e01

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
207KB

MD5
ecfe720a629af6842579e0ebc7799bf4

SHA1
abd5fdcf485836f083f06e0f555c1b24f94f17d8

SHA256
d27d4fefb751c83e2f8f12a3e2ce1f9bdd86624cbae34cefa750c9e4452696eb

SHA512
99bb5636d956b27074b395bdbfa451c4b22fb4aecc3d47bf8404e7f7f02ac240af8149fee1623932824eea92a0a43ace56ad66d3f8c3506391691c3e434c6289

Download Submit
memory/620-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1440-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3396-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4984-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4984-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download