3511f46e5a8756eb55109c119413b5a403a6a4b48a034517263932006bcd5391

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3511f46e5a8756eb55109c119413b5a403a6a4b48a034517263932006bcd5391.exe
Size

199KB
MD5

9fb28fbd3e062a1f91cf45004d2f796b
SHA1

bbe609bacd8179b61b22da7a9dcd172b71505d95
SHA256

3511f46e5a8756eb55109c119413b5a403a6a4b48a034517263932006bcd5391
SHA512

16ecae84da06a6b33ec52abf60373a163fbb354352124211558ae2a0013b7807f70cddedd78c888f624dc0d6180685926df2dbdfa27bd88a1c0ab52c67c02c90
SSDEEP

3072:7vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u4Pmu1:7vEN2U+T6i5LirrllHy4HUcMQY6j

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2168	explorer.exe
3052	spoolsv.exe
2600	svchost.exe
2608	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1652	3511f46e5a8756eb55109c119413b5a403a6a4b48a034517263932006bcd5391.exe
1652	3511f46e5a8756eb55109c119413b5a403a6a4b48a034517263932006bcd5391.exe
2168	explorer.exe
2168	explorer.exe
3052	spoolsv.exe
3052	spoolsv.exe
2600	svchost.exe
2600	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	3511f46e5a8756eb55109c119413b5a403a6a4b48a034517263932006bcd5391.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1652	3511f46e5a8756eb55109c119413b5a403a6a4b48a034517263932006bcd5391.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2600	svchost.exe
2168	explorer.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2600	svchost.exe
2168	explorer.exe
2168	explorer.exe
2600	svchost.exe
2600	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2168	explorer.exe
2600	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1652	3511f46e5a8756eb55109c119413b5a403a6a4b48a034517263932006bcd5391.exe
1652	3511f46e5a8756eb55109c119413b5a403a6a4b48a034517263932006bcd5391.exe
2168	explorer.exe
2168	explorer.exe
3052	spoolsv.exe
3052	spoolsv.exe
2600	svchost.exe
2600	svchost.exe
2608	spoolsv.exe
2608	spoolsv.exe
2168	explorer.exe
2168	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2168	1652	3511f46e5a8756eb55109c119413b5a403a6a4b48a034517263932006bcd5391.exe	28
PID 1652 wrote to memory of 2168	1652	3511f46e5a8756eb55109c119413b5a403a6a4b48a034517263932006bcd5391.exe	28
PID 1652 wrote to memory of 2168	1652	3511f46e5a8756eb55109c119413b5a403a6a4b48a034517263932006bcd5391.exe	28
PID 1652 wrote to memory of 2168	1652	3511f46e5a8756eb55109c119413b5a403a6a4b48a034517263932006bcd5391.exe	28
PID 2168 wrote to memory of 3052	2168	explorer.exe	29
PID 2168 wrote to memory of 3052	2168	explorer.exe	29
PID 2168 wrote to memory of 3052	2168	explorer.exe	29
PID 2168 wrote to memory of 3052	2168	explorer.exe	29
PID 3052 wrote to memory of 2600	3052	spoolsv.exe	30
PID 3052 wrote to memory of 2600	3052	spoolsv.exe	30
PID 3052 wrote to memory of 2600	3052	spoolsv.exe	30
PID 3052 wrote to memory of 2600	3052	spoolsv.exe	30
PID 2600 wrote to memory of 2608	2600	svchost.exe	31
PID 2600 wrote to memory of 2608	2600	svchost.exe	31
PID 2600 wrote to memory of 2608	2600	svchost.exe	31
PID 2600 wrote to memory of 2608	2600	svchost.exe	31
PID 2600 wrote to memory of 2500	2600	svchost.exe	32
PID 2600 wrote to memory of 2500	2600	svchost.exe	32
PID 2600 wrote to memory of 2500	2600	svchost.exe	32
PID 2600 wrote to memory of 2500	2600	svchost.exe	32
PID 2600 wrote to memory of 2780	2600	svchost.exe	36
PID 2600 wrote to memory of 2780	2600	svchost.exe	36
PID 2600 wrote to memory of 2780	2600	svchost.exe	36
PID 2600 wrote to memory of 2780	2600	svchost.exe	36
PID 2600 wrote to memory of 2644	2600	svchost.exe	38
PID 2600 wrote to memory of 2644	2600	svchost.exe	38
PID 2600 wrote to memory of 2644	2600	svchost.exe	38
PID 2600 wrote to memory of 2644	2600	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\3511f46e5a8756eb55109c119413b5a403a6a4b48a034517263932006bcd5391.exe
"C:\Users\Admin\AppData\Local\Temp\3511f46e5a8756eb55109c119413b5a403a6a4b48a034517263932006bcd5391.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2168
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2608
    - - C:\Windows\SysWOW64\at.exe
        
        at 20:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2500
    - - C:\Windows\SysWOW64\at.exe
        
        at 20:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2780
    - - C:\Windows\SysWOW64\at.exe
        
        at 20:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
216KB

MD5
c2260ad87bdece3aa67c3f80899b2c61

SHA1
3ce3f03082a3aba84e2dd0f33feab9b788938c63

SHA256
c8c8d0955911f6860543bed65c9f5904e13edcfd2f7e2f22f29bb60bf2013434

SHA512
fddc73f4d76ace6cccb14322d8d1eb0201a2aba155d94b5496707a1409c9934fcda938a5748a9ff64336b061a6226c0f239b3cc1d635eb1d692d5f2ff8c90435

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
216KB

MD5
e18b8f86824c2300f2763405798e1d1a

SHA1
ba2fbee49bf1c569ce3ee0a143d80ce0f76fd499

SHA256
633550140267c0931908c885a2b66e8cf6518ec198a42fa76971868aff217c36

SHA512
50b872b536381136527e7b387e2d3a787023cf89371c3fedb9e847b373607d411d1abe4c42982156356b9e1391b4c1e5f24fd7a2a865436a1ca4a47e1651c6a3

Download Submit
\Windows\system\explorer.exe

Filesize
216KB

MD5
8041e391a96dbf3a47211edffa25f7d5

SHA1
b4cea4c1d115b35a0f80085aaa70e9d8cdebaf76

SHA256
ee4daea1e059f77bc1ffe3c4a3b6e7d003d7626e0f021ccc996de2416766dbb5

SHA512
920fec3ed2309136a74d16d9d5acc37294dbb6e157c27d946a92a646a7e77e9facdfef9f2fec59b0dc0a849052e984a7ea67ec1af005fd3fa912b3c213352ae4

Download Submit
\Windows\system\svchost.exe

Filesize
216KB

MD5
cf3d7cf5909f2c40266e15e4238f1756

SHA1
c0355643eaec8191d00ae244c03b4ba80ad158d1

SHA256
850cc1bb496e608b1b0b1fef5ed08e7196cf01238e4aadace922c0eb64cb61a5

SHA512
346c13466f81670aa6f1cc9e594d53cea616877da9010fb777b7fa3bc12566d2c77253f3b4b034dc01d5e0dc4d50c23fb43df1d7e36d9545f42057b49545f308

Download Submit
memory/1652-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1652-53-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2168-25-0x00000000026B0000-0x00000000026E1000-memory.dmp

Filesize
196KB

Download
memory/2608-50-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download