Malware Analysis Report

2025-01-06 10:34

Sample ID 240601-d1nr5sgh69
Target cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034
SHA256 cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034

Threat Level: Known bad

The file cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win7-20240419-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1148 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe \??\c:\windows\system\explorer.exe
PID 1148 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe \??\c:\windows\system\explorer.exe
PID 1148 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe \??\c:\windows\system\explorer.exe
PID 1148 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe \??\c:\windows\system\explorer.exe
PID 632 wrote to memory of 2724 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 632 wrote to memory of 2724 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 632 wrote to memory of 2724 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 632 wrote to memory of 2724 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2724 wrote to memory of 2272 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2724 wrote to memory of 2272 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2724 wrote to memory of 2272 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2724 wrote to memory of 2272 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2272 wrote to memory of 2648 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2272 wrote to memory of 2648 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2272 wrote to memory of 2648 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2272 wrote to memory of 2648 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2272 wrote to memory of 2368 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2272 wrote to memory of 2368 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2272 wrote to memory of 2368 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2272 wrote to memory of 2368 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2272 wrote to memory of 1652 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2272 wrote to memory of 1652 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2272 wrote to memory of 1652 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2272 wrote to memory of 1652 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2272 wrote to memory of 3032 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2272 wrote to memory of 3032 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2272 wrote to memory of 3032 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2272 wrote to memory of 3032 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe

"C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 03:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/1148-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/1148-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1148-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1148-5-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1148-2-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\explorer.exe

MD5 b8dbecb7fcee6ded7424ee4b172f65be
SHA1 8a82a45b29975eae26d521e27544858bc3defb69
SHA256 1bc2fc62b29919924799dc523702760707b645939742b84939ec96588d9905a4
SHA512 2eb66b9f24c10c6f0c854fc6be65203ac772edd8592a671e660c51838c4e971b1ed84ddc12981c734e3203ae3958fc12e71b65d12198f89fb6f2058328527423

memory/1148-13-0x0000000003270000-0x00000000032A1000-memory.dmp

memory/632-19-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1148-18-0x0000000003270000-0x00000000032A1000-memory.dmp

memory/632-22-0x0000000000400000-0x0000000000431000-memory.dmp

memory/632-20-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\spoolsv.exe

MD5 b1163182380adceed277634f786a5044
SHA1 ec362c5874101945a31ba55d683852e9f9d143c3
SHA256 30eb97c26b21f4cd22918c06f8b35da6af8f057dffba71b859f61b3c3fc949d3
SHA512 956279aca8a61cb31487b1c91fc6291c5fd79b986aa923b078e873bf94ad36c8ff70d04741c5e2c99eeff2de853fa8a4851cfde4ed92b673ff58d2d5ce44eda4

memory/2724-37-0x0000000000400000-0x0000000000431000-memory.dmp

memory/632-35-0x0000000003110000-0x0000000003141000-memory.dmp

memory/2724-38-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2724-42-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 a7776974256d215340f566f17bf2007e
SHA1 62fa07b7de91d7c5352c5ee9d77757347a28a848
SHA256 c1a4ac4a17190377f8586355eb731371208b9d98653531050dfa0be0601377c9
SHA512 f0c5da5ee7f1dc722ce8bc3062d7bc53f77110b8df384d93d73eb5c05cb85ee848b1f1f34f028eabea9f2e06ef67ddddc68382a76832603a498ec4af8ec39f94

memory/1148-54-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2272-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2272-57-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1148-56-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2724-55-0x00000000025E0000-0x0000000002611000-memory.dmp

memory/632-67-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2648-68-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2648-74-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1148-78-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2724-80-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1148-79-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 36cf1ea7bf24f7675544ec10d353bb86
SHA1 f05ae38680b0570411d36546ab0b7f021a6ffc0e
SHA256 557b3e32ab5ad26a24b667defeb9c1f2990da21dc1493cc0c6a3b71eaee80792
SHA512 8c303c4dac975f028a06da4d067016f897c751e0f8548fd6d5e186432a0b0c1de34f3b242d6bbd1a4d1ec73db920e6931ac7f09dbfb8c37e052820563eccc620

memory/632-82-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2272-83-0x0000000000400000-0x0000000000431000-memory.dmp

memory/632-92-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:31

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1580 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe \??\c:\windows\system\explorer.exe
PID 1580 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe \??\c:\windows\system\explorer.exe
PID 1580 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe \??\c:\windows\system\explorer.exe
PID 2788 wrote to memory of 764 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2788 wrote to memory of 764 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2788 wrote to memory of 764 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 764 wrote to memory of 3052 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 764 wrote to memory of 3052 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 764 wrote to memory of 3052 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3052 wrote to memory of 3704 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3052 wrote to memory of 3704 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3052 wrote to memory of 3704 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3052 wrote to memory of 3488 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3052 wrote to memory of 3488 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3052 wrote to memory of 3488 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3052 wrote to memory of 3516 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3052 wrote to memory of 3516 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3052 wrote to memory of 3516 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3052 wrote to memory of 1864 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3052 wrote to memory of 1864 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3052 wrote to memory of 1864 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe

"C:\Users\Admin\AppData\Local\Temp\cf8d4798baec65113dab7c4b195fff33adc732dba2de9951195bcb06115eb034.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 03:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8

C:\Windows\SysWOW64\at.exe

at 03:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

memory/1580-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1580-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/1580-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1580-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1580-2-0x0000000075170000-0x00000000752CD000-memory.dmp

C:\Windows\System\explorer.exe

MD5 00ed6ae2223e51eb6d9fc5c0d8455c5d
SHA1 393420230588946e9538431379700f55c379418e
SHA256 4b79b89c96f158801fbaad533e80930d3244a9c2820a3c3e94ff74d352412017
SHA512 b501a9de506ff0457ab0b3b7ca5cbc5d3f7e6ca178ebe087e98780597a379df28bf901998812bba9a7d4af62905ecfaee2f884b1b36df4ba75ad6a59b8048af2

memory/2788-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2788-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2788-14-0x0000000075170000-0x00000000752CD000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 53db99230e51066681f2344d9bc8e76f
SHA1 c4b02472c8b76565ad4bf9317859892fc537df5d
SHA256 cc66bdad88b36eaf5b89fb6a57a23261bd009ddb5121e6b9972692203afaabfb
SHA512 c1f9d2eece1a63c11850b48a3b84649b704e38d193044392b6aecee9259f6f6c946f6054eb11186655830979d9295ad11df4b520139bc20b6084d489f42b236e

memory/764-28-0x0000000000400000-0x0000000000431000-memory.dmp

memory/764-25-0x0000000075170000-0x00000000752CD000-memory.dmp

C:\Windows\System\svchost.exe

MD5 8b05219e34e432054b9a68a4c90fc145
SHA1 f3248725de1176b9ce4ab02fd0cbd6a31900df7f
SHA256 995e701f5c5714433d3975add56aca268290bacb59d4fcc179ce61559398d43c
SHA512 204e68712829704dff97e53e89692f53758d1669863d8b825d727294dc47508a13840da484a20d783da724a183f2c9871dea897faf0254a2eef43ddb94ecfc64

memory/3052-36-0x0000000075170000-0x00000000752CD000-memory.dmp

memory/3052-40-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1580-43-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3704-44-0x0000000075170000-0x00000000752CD000-memory.dmp

memory/3704-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/764-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1580-56-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1580-57-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 ddf4433b389973025de3e412b760b81b
SHA1 99bb1f0a34b4fc8df1d80097eb430bac4be70a9c
SHA256 a607440e6bb516d11c49eb1e3b5f28b32309781e6c3ca65382ff65675b84cbd9
SHA512 96f151d736c2d419d4b7e1adc61a62eb6ea5ce04b03dc025a7aba5b4ed8b460d15b8ded3b48c5f78a365a92bec97428a88ed02a0fcae3181ca830883fb36075b

memory/2788-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3052-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2788-70-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e