Malware Analysis Report

2025-01-06 10:34

Sample ID 240601-eaay2agg4t
Target d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95
SHA256 d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95

Threat Level: Known bad

The file d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:43

Reported

2024-06-01 03:46

Platform

win7-20240215-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2152 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe | \??\c:\windows\system\explorer.exe
PID 2152 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe | \??\c:\windows\system\explorer.exe
PID 2152 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe | \??\c:\windows\system\explorer.exe
PID 2152 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe | \??\c:\windows\system\explorer.exe
PID 2916 wrote to memory of 2500 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2916 wrote to memory of 2500 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2916 wrote to memory of 2500 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2916 wrote to memory of 2500 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2500 wrote to memory of 2492 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2500 wrote to memory of 2492 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2500 wrote to memory of 2492 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2500 wrote to memory of 2492 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2492 wrote to memory of 2384 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2492 wrote to memory of 2384 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2492 wrote to memory of 2384 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2492 wrote to memory of 2384 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2492 wrote to memory of 1368 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2492 wrote to memory of 1368 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2492 wrote to memory of 1368 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2492 wrote to memory of 1368 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2492 wrote to memory of 2392 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2492 wrote to memory of 2392 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2492 wrote to memory of 2392 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2492 wrote to memory of 2392 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2492 wrote to memory of 2904 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2492 wrote to memory of 2904 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2492 wrote to memory of 2904 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2492 wrote to memory of 2904 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe

"C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 03:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2152-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2152-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2152-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2152-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2152-3-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\explorer.exe

MD5 0a44449ca9b13f435053f6d71f295975
SHA1 7fdcf1f67bd0ca10f4a1ea97d60f2705a1df6dea
SHA256 2f9465227b1c76355030a7431cfca1617281541375b8d9ddb5a31cfb090c2379
SHA512 419110ed2dc04ba67b2c175d55bc23333da401013ccfc5e53988b86b3c9267fa2c5f5e4740d45bdf4239fceb14580291a3f27ed3cc23440f6cfadc0837b0314d

memory/2152-12-0x0000000002710000-0x0000000002741000-memory.dmp

memory/2916-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2916-19-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2916-21-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 b6f5c490cf8004d43085accd9165b12c
SHA1 b30bba50e7f84686a5083d771933610731c9cf22
SHA256 450d6af1d1a266a51920d7f61076d371289ee276f89398af5037615dc23288bb
SHA512 2f2a3511a5e8ad3b770d9ea7d8e48b2b8596a194f903bc75a2f453f9ecdbb3a3f4764e0ed20aaa65479d0cb458b638d04ab43c66c491940ba48fe6b448e327b6

memory/2500-36-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2916-35-0x0000000000750000-0x0000000000781000-memory.dmp

memory/2500-37-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2500-41-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 a6908142eedc768ead1975e3a65f46c1
SHA1 548b242412ef8a14d468d02725a758501e75c471
SHA256 6c5c27f3434ea80d2e56f277ca6d7265aa2425bd2f05638246372490d1e67640
SHA512 d643c479bfb7264e76d2ef406a7207462021ba209b498e14a450565fda6b4ea46110734046d301473053608563347490d2d2d69e7ab4c02a2c0219da34d33550

memory/2500-53-0x00000000027A0000-0x00000000027D1000-memory.dmp

memory/2152-54-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2492-55-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2152-58-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2492-65-0x00000000029D0000-0x0000000002A01000-memory.dmp

memory/2384-66-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2384-72-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2500-76-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2152-79-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2152-78-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 3237082280f25bcc0173810ad2df0cee
SHA1 6e42a644bfe28a0f62dc403680559a163bf600eb
SHA256 18828627f4a7f5f31ac4cb2db26183a4a6b5676ffe8180937437a73c1050d6a2
SHA512 2c8299c08f42693494dfda93682e1b78e9bcd52444cfe370757112e659136ba852222e884d0388a7cc8c2ae7b7077f20c18ad594c7270e912bc7ed101075d9e9

memory/2916-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2916-82-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2492-84-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2916-93-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:43

Reported

2024-06-01 03:46

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1660 wrote to memory of 4160 | N/A | C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe | \??\c:\windows\system\explorer.exe
PID 1660 wrote to memory of 4160 | N/A | C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe | \??\c:\windows\system\explorer.exe
PID 1660 wrote to memory of 4160 | N/A | C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe | \??\c:\windows\system\explorer.exe
PID 4160 wrote to memory of 4440 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 4160 wrote to memory of 4440 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 4160 wrote to memory of 4440 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 4440 wrote to memory of 2896 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 4440 wrote to memory of 2896 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 4440 wrote to memory of 2896 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2896 wrote to memory of 4804 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2896 wrote to memory of 4804 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2896 wrote to memory of 4804 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2896 wrote to memory of 3952 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2896 wrote to memory of 3952 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2896 wrote to memory of 3952 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2896 wrote to memory of 2316 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2896 wrote to memory of 2316 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2896 wrote to memory of 2316 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2896 wrote to memory of 2632 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2896 wrote to memory of 2632 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2896 wrote to memory of 2632 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe

"C:\Users\Admin\AppData\Local\Temp\d539ff89bbc13ff88f9ccff3a62e751f0019b9a127149679ef6e41572e939b95.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 03:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp

Files

memory/1660-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1660-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/1660-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1660-2-0x0000000075190000-0x00000000752ED000-memory.dmp

memory/1660-5-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 436c7fe1a851dbaa6bebf486def031b3
SHA1 ed35cf2526a67197172e26966c2c4aa2c6ed9fdd
SHA256 5e7dd74dc0294f8c5205c9d4df2da277003872b44836dbc87e299fd483939288
SHA512 1ef057f5e4d8bbd94697ac36eab2bad4a511d33027ac969827dd98b9433e7b31abf406e6ae3d0f8f14568e9f2c0f04ab15fae1d222dcdf68cff2c4e74b528e8a

memory/4160-13-0x0000000075190000-0x00000000752ED000-memory.dmp

memory/4160-16-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4160-15-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 0df70d2f465aa663d91be6525bc9352f
SHA1 8be6c71eea5949a66ee778415f93eee498c963cc
SHA256 3df9e94153d659bee758f6bf1d997cb2049f171ef6286e5de2a956eecef57732
SHA512 27107e6abde5d66521e4160dcb9a117454596b228d0fff2b1ac738432f039e8576806a827dc5eb9d8a8337e8f902a1937ec59d2e11bc59ca414656777427973a

memory/4440-25-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4440-26-0x0000000075190000-0x00000000752ED000-memory.dmp

memory/4440-30-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 fdce0c49408d062de8e23530beb5443d
SHA1 1c52b98e379e8ad39d4b6c094e870e965639b645
SHA256 6597a841bafed6fdedd4de4dddfc4a5baff423fb4c57af03ef8cb008aa3e4a04
SHA512 cf00d17f2a424d0b7b4d4becbc6d68c71a7061ba865499a6eb82858490f4ef2f4460da1b66178da0aabffd0ff2180c907c450faa2e39c6babee68a696a563069

memory/2896-37-0x0000000075190000-0x00000000752ED000-memory.dmp

memory/2896-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4804-44-0x0000000075190000-0x00000000752ED000-memory.dmp

memory/4804-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4440-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1660-58-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 7761195f0761755119d5b6310667308d
SHA1 fd90e3d94c1f37914ab0f19c321120da7473a609
SHA256 0cd3c1991420479292f5de5246285966772eaf3569d330da459f174c45618cc4
SHA512 3c65dfa71e81d07daa8eff20cd96287717e7c3700a9b94032ba3215796a19095cc07e987ef6b4fac20e5e73c26d3e98f2a1f4f9520cf84d9aa71b5ea10699bd8

memory/1660-56-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/1660-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4160-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2896-62-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4160-71-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e