40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe
Size

206KB
MD5

036d77e8a713f3e4516aba7f2a5c2b75
SHA1

5b7fd394aac8fd89f5ba681e903842f2fac8c67f
SHA256

40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc
SHA512

d25ddfd1375129b923e03943ebe8e80599aa3d529d747c19d734f551db67e518846b92aea49e3682c4cf846f288efec8ba60eeb1edcf8311754fc9d6157bb052
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unLf:5vEN2U+T6i5LirrllHy4HUcMQY6Kf

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2084	explorer.exe
2652	spoolsv.exe
1316	svchost.exe
2664	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2108	40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe
2108	40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe
2084	explorer.exe
2084	explorer.exe
2652	spoolsv.exe
2652	spoolsv.exe
1316	svchost.exe
1316	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
2084	explorer.exe
1316	svchost.exe
1316	svchost.exe
2084	explorer.exe
1316	svchost.exe
1316	svchost.exe
2084	explorer.exe
1316	svchost.exe
2084	explorer.exe
1316	svchost.exe
2084	explorer.exe
1316	svchost.exe
2084	explorer.exe
2084	explorer.exe
1316	svchost.exe
1316	svchost.exe
2084	explorer.exe
1316	svchost.exe
2084	explorer.exe
1316	svchost.exe
2084	explorer.exe
2084	explorer.exe
1316	svchost.exe
2084	explorer.exe
1316	svchost.exe
1316	svchost.exe
2084	explorer.exe
2084	explorer.exe
1316	svchost.exe
2084	explorer.exe
1316	svchost.exe
2084	explorer.exe
1316	svchost.exe
2084	explorer.exe
1316	svchost.exe
2084	explorer.exe
1316	svchost.exe
1316	svchost.exe
2084	explorer.exe
2084	explorer.exe
1316	svchost.exe
2084	explorer.exe
1316	svchost.exe
1316	svchost.exe
2084	explorer.exe
2084	explorer.exe
1316	svchost.exe
1316	svchost.exe
2084	explorer.exe
1316	svchost.exe
2084	explorer.exe
2084	explorer.exe
1316	svchost.exe
1316	svchost.exe
2084	explorer.exe
2084	explorer.exe
1316	svchost.exe
1316	svchost.exe
2084	explorer.exe
2084	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2084	explorer.exe
1316	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2108	40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe
2108	40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe
2084	explorer.exe
2084	explorer.exe
2652	spoolsv.exe
2652	spoolsv.exe
1316	svchost.exe
1316	svchost.exe
2664	spoolsv.exe
2664	spoolsv.exe
2084	explorer.exe
2084	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2084	2108	40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe	29
PID 2108 wrote to memory of 2084	2108	40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe	29
PID 2108 wrote to memory of 2084	2108	40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe	29
PID 2108 wrote to memory of 2084	2108	40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe	29
PID 2084 wrote to memory of 2652	2084	explorer.exe	30
PID 2084 wrote to memory of 2652	2084	explorer.exe	30
PID 2084 wrote to memory of 2652	2084	explorer.exe	30
PID 2084 wrote to memory of 2652	2084	explorer.exe	30
PID 2652 wrote to memory of 1316	2652	spoolsv.exe	31
PID 2652 wrote to memory of 1316	2652	spoolsv.exe	31
PID 2652 wrote to memory of 1316	2652	spoolsv.exe	31
PID 2652 wrote to memory of 1316	2652	spoolsv.exe	31
PID 1316 wrote to memory of 2664	1316	svchost.exe	32
PID 1316 wrote to memory of 2664	1316	svchost.exe	32
PID 1316 wrote to memory of 2664	1316	svchost.exe	32
PID 1316 wrote to memory of 2664	1316	svchost.exe	32
PID 1316 wrote to memory of 2672	1316	svchost.exe	33
PID 1316 wrote to memory of 2672	1316	svchost.exe	33
PID 1316 wrote to memory of 2672	1316	svchost.exe	33
PID 1316 wrote to memory of 2672	1316	svchost.exe	33
PID 1316 wrote to memory of 1452	1316	svchost.exe	37
PID 1316 wrote to memory of 1452	1316	svchost.exe	37
PID 1316 wrote to memory of 1452	1316	svchost.exe	37
PID 1316 wrote to memory of 1452	1316	svchost.exe	37
PID 1316 wrote to memory of 2288	1316	svchost.exe	39
PID 1316 wrote to memory of 2288	1316	svchost.exe	39
PID 1316 wrote to memory of 2288	1316	svchost.exe	39
PID 1316 wrote to memory of 2288	1316	svchost.exe	39

C:\Users\Admin\AppData\Local\Temp\40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe
"C:\Users\Admin\AppData\Local\Temp\40846733ca4c5c79baa9d1456eb77a75017844e14baa677fce82049b95a764cc.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2084
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2664
    - - C:\Windows\SysWOW64\at.exe
        
        at 20:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2672
    - - C:\Windows\SysWOW64\at.exe
        
        at 20:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1452
    - - C:\Windows\SysWOW64\at.exe
        
        at 20:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
201581002d9eae9144ac1bea23cc7b12

SHA1
9446154900bcc4ca41824d021d3730fc434e47af

SHA256
b6e458caf30dcf85df01d48bc472ffde14f64c65db22721d07ec372dada2cbf4

SHA512
0368eef64f8e6bafec99f74ff8466d31b95350b0eca508867558ea1a97a36f4c667db2d9d0a81ff7cc0e9859173577676573b508c76b420c2252f462b558e02c

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
ad9b45325ebc515658a8822eeb5fdc57

SHA1
dc2e1d12e4143e39f3b0853e6354acfbd55ca312

SHA256
d5b74c2c2ce7c29b56e9b798169e04d59d00fd76040c76b04b0376ec39c85670

SHA512
38dccfb2afa60e1d0e0425bdb98c79c62e06e62b9e14f588866f19fc326f4a2efc9a4921dcf39b7cfa9ffac2db68e9d6930d686318aa97730816ace196566b50

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
64dabf2e25e2f80b3734e4cae182ef6a

SHA1
8d05984a2e18efdc01ddd4805fc7fb1df65b2ec2

SHA256
ddacf1c65889a9c96ba3b1b1421da9e0a7dfb4be335fc90550718ae5730374d3

SHA512
35e596e0cc3b76ff52daf8b8b725c188252e926cf2ffa4f319212aeb23b4319255c51f78f658020573ee0f287fa6fa79f7ec293c1fad96edcd71fa7c01eb76b3

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
658af6c228cb1831d4d9f2a309acf310

SHA1
1013134af77357f6a54b2b791eb536ec7a662bb2

SHA256
37a4b6eb38b5af33c51d6ad115d2f7d70da38af34e66a91ec7a92e827dba957b

SHA512
8c377db6dba55517570d29e72ec5c7dfee227ec36300bbec99e6ec86df9c65a02895adec97112c29a501170e3955f0e50c4d48aad1ab72da83ee13abb1b9667d

Download Submit
memory/2084-26-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/2108-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2108-12-0x00000000032A0000-0x00000000032E0000-memory.dmp

Filesize
256KB

Download
memory/2108-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2652-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-51-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download