6adb038ebe738e788ae4146318f5655b4ef006492813ae8a09768fa974bb5fe6

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6adb038ebe738e788ae4146318f5655b4ef006492813ae8a09768fa974bb5fe6.exe
Size

71KB
MD5

473c3d5dfea3db1d9758d807c6db39cf
SHA1

dd338b3ccf1a01455603f502341614f972056897
SHA256

6adb038ebe738e788ae4146318f5655b4ef006492813ae8a09768fa974bb5fe6
SHA512

6a8dfa677411777e1f62466b944ca64f68d6face62d6ada3413fc9fea4da6c792efebd855cdc382a6b2b4469a7c01d96452bca461471730f67d0f6df96c3cbfc
SSDEEP

1536:EFrmh0HgB3LKrL9AcnQFMc9zwR6i+Bs////////////////////////////////J:ec0HgB3LCqZMYXBs///////////////B

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

UPX dump on OEP (original entry point) 14 IoCs

resource	yara_rule
behavioral1/memory/1108-0-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral1/files/0x000a0000000155f7-6.dat	UPX
behavioral1/memory/2968-14-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral1/files/0x0008000000015c3d-21.dat	UPX
behavioral1/memory/2984-29-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral1/files/0x000b000000015c6b-36.dat	UPX
behavioral1/memory/2612-51-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral1/memory/2612-54-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral1/memory/2984-58-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral1/memory/1108-60-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral1/files/0x000a000000015c9f-61.dat	UPX
behavioral1/memory/2968-62-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral1/memory/2636-63-0x0000000000400000-0x0000000000435000-memory.dmp	UPX
behavioral1/memory/2968-72-0x0000000000400000-0x0000000000435000-memory.dmp	UPX

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2968	explorer.exe
2984	spoolsv.exe
2636	svchost.exe
2612	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1108	6adb038ebe738e788ae4146318f5655b4ef006492813ae8a09768fa974bb5fe6.exe
1108	6adb038ebe738e788ae4146318f5655b4ef006492813ae8a09768fa974bb5fe6.exe
2968	explorer.exe
2968	explorer.exe
2984	spoolsv.exe
2984	spoolsv.exe
2636	svchost.exe
2636	svchost.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1108-0-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/files/0x000a0000000155f7-6.dat	upx
behavioral1/memory/2968-14-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/files/0x0008000000015c3d-21.dat	upx
behavioral1/memory/2984-29-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/files/0x000b000000015c6b-36.dat	upx
behavioral1/memory/2612-51-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2612-54-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2984-58-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1108-60-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/files/0x000a000000015c9f-61.dat	upx
behavioral1/memory/2968-62-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2636-63-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2968-72-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	6adb038ebe738e788ae4146318f5655b4ef006492813ae8a09768fa974bb5fe6.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1108	6adb038ebe738e788ae4146318f5655b4ef006492813ae8a09768fa974bb5fe6.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2636	svchost.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe
2968	explorer.exe
2636	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2968	explorer.exe
2636	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1108	6adb038ebe738e788ae4146318f5655b4ef006492813ae8a09768fa974bb5fe6.exe
1108	6adb038ebe738e788ae4146318f5655b4ef006492813ae8a09768fa974bb5fe6.exe
2968	explorer.exe
2968	explorer.exe
2984	spoolsv.exe
2984	spoolsv.exe
2636	svchost.exe
2636	svchost.exe
2612	spoolsv.exe
2612	spoolsv.exe
2968	explorer.exe
2968	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 2968	1108	6adb038ebe738e788ae4146318f5655b4ef006492813ae8a09768fa974bb5fe6.exe	28
PID 1108 wrote to memory of 2968	1108	6adb038ebe738e788ae4146318f5655b4ef006492813ae8a09768fa974bb5fe6.exe	28
PID 1108 wrote to memory of 2968	1108	6adb038ebe738e788ae4146318f5655b4ef006492813ae8a09768fa974bb5fe6.exe	28
PID 1108 wrote to memory of 2968	1108	6adb038ebe738e788ae4146318f5655b4ef006492813ae8a09768fa974bb5fe6.exe	28
PID 2968 wrote to memory of 2984	2968	explorer.exe	29
PID 2968 wrote to memory of 2984	2968	explorer.exe	29
PID 2968 wrote to memory of 2984	2968	explorer.exe	29
PID 2968 wrote to memory of 2984	2968	explorer.exe	29
PID 2984 wrote to memory of 2636	2984	spoolsv.exe	30
PID 2984 wrote to memory of 2636	2984	spoolsv.exe	30
PID 2984 wrote to memory of 2636	2984	spoolsv.exe	30
PID 2984 wrote to memory of 2636	2984	spoolsv.exe	30
PID 2636 wrote to memory of 2612	2636	svchost.exe	31
PID 2636 wrote to memory of 2612	2636	svchost.exe	31
PID 2636 wrote to memory of 2612	2636	svchost.exe	31
PID 2636 wrote to memory of 2612	2636	svchost.exe	31
PID 2636 wrote to memory of 2504	2636	svchost.exe	32
PID 2636 wrote to memory of 2504	2636	svchost.exe	32
PID 2636 wrote to memory of 2504	2636	svchost.exe	32
PID 2636 wrote to memory of 2504	2636	svchost.exe	32
PID 2636 wrote to memory of 2536	2636	svchost.exe	36
PID 2636 wrote to memory of 2536	2636	svchost.exe	36
PID 2636 wrote to memory of 2536	2636	svchost.exe	36
PID 2636 wrote to memory of 2536	2636	svchost.exe	36
PID 2636 wrote to memory of 1480	2636	svchost.exe	38
PID 2636 wrote to memory of 1480	2636	svchost.exe	38
PID 2636 wrote to memory of 1480	2636	svchost.exe	38
PID 2636 wrote to memory of 1480	2636	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\6adb038ebe738e788ae4146318f5655b4ef006492813ae8a09768fa974bb5fe6.exe
"C:\Users\Admin\AppData\Local\Temp\6adb038ebe738e788ae4146318f5655b4ef006492813ae8a09768fa974bb5fe6.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1108
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2968
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2612
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2504
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2536
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
71KB

MD5
c8485c347b754fa2dbddf1df069b7e53

SHA1
e429e4a12b3b00558d42ba24ecf880b207653a64

SHA256
cc431aaa2fc93d62f154d939b63a0273cf48c5dafbb7c5a43663d3afed07b5aa

SHA512
44c54e814af4aaae97b758e1fad4b9ee341d25bab38e083c19c260e1f8a9b40d094ed9bef0d66d3020ac15ff4d38cd3d3a898da59f9a1629329b784a6fe629cb

Download Submit
\Windows\system\explorer.exe

Filesize
71KB

MD5
b3abf8c37ecd27dd1f088d57d2283423

SHA1
f8ba7bfaedb9beb8364b63631498eaa66bc79657

SHA256
f599e92902d377ae00e06478802a3ff51cac575c38cb20e8093da15e7b1f1f5c

SHA512
d8f82908fecb3e6b5bff53ca847a14afc9638ca44fcfbdcae8b0361f2c03c1388547e8d4c80eadbd48bee036a6de358644ae4165cf5ecdca92f682d99ed20c82

Download Submit
\Windows\system\spoolsv.exe

Filesize
71KB

MD5
c1d5f933750373fc0de14249b2d1ea8f

SHA1
e6d5b36717c2fac3c88748b1165214aed33b5e7b

SHA256
73bedeabf5e997fe27ed201222cac9f28fc7ebd362f969f37d81ae8b774ebc78

SHA512
287b25dc87fc177088bcf2918abbde46bc4b3893cbf458cfbc4be87904718ef5d5b9d10af418c5ffc8f5270eecd3edd78821613ba2870e9a6744018f3258c03f

Download Submit
\Windows\system\svchost.exe

Filesize
71KB

MD5
180666b517bb833fb039c2dc93a522ae

SHA1
74d877cc22564ecd3e810591c93e42e216a9b622

SHA256
02c649f94da5bf70b3fbc62082b92adaf7b6e6513ff43d621551881b5039c5ab

SHA512
3f224e9e31ec0df4b812c04af39a776474d00bb186f4369b0e6b91e0ea781a4b3deabb254e2f675346b3a816836e530e2642f7b533b01763c3ac9f5568e3b545

Download Submit
memory/1108-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1108-12-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/1108-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-51-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2968-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2968-28-0x0000000000550000-0x0000000000585000-memory.dmp

Filesize
212KB

Download
memory/2968-62-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2968-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-29-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download