81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe
Size

65KB
MD5

1776870e08d43bad71031a61c0338a53
SHA1

436ace6e362807fc0e19ae5aea4ffd7b78d8ee0b
SHA256

81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e
SHA512

7f3bd946f304d079ceb96334d69268dfa0259a332b7b99b3f29556a48f7205e86c5df2af863f871f98822094650ba86f2b95341d9c27f248ecfeb61d5e3fba3a
SSDEEP

1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuT:7WNqkOJWmo1HpM0MkTUmuT

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2020	explorer.exe
2668	spoolsv.exe
2548	svchost.exe
2432	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2820	81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe
2820	81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe
2020	explorer.exe
2020	explorer.exe
2668	spoolsv.exe
2668	spoolsv.exe
2548	svchost.exe
2548	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2820	81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2020	explorer.exe
2548	svchost.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe
2548	svchost.exe
2020	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2020	explorer.exe
2548	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2820	81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe
2820	81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe
2020	explorer.exe
2020	explorer.exe
2668	spoolsv.exe
2668	spoolsv.exe
2548	svchost.exe
2548	svchost.exe
2432	spoolsv.exe
2432	spoolsv.exe
2020	explorer.exe
2020	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2020	2820	81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe	28
PID 2820 wrote to memory of 2020	2820	81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe	28
PID 2820 wrote to memory of 2020	2820	81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe	28
PID 2820 wrote to memory of 2020	2820	81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe	28
PID 2020 wrote to memory of 2668	2020	explorer.exe	29
PID 2020 wrote to memory of 2668	2020	explorer.exe	29
PID 2020 wrote to memory of 2668	2020	explorer.exe	29
PID 2020 wrote to memory of 2668	2020	explorer.exe	29
PID 2668 wrote to memory of 2548	2668	spoolsv.exe	30
PID 2668 wrote to memory of 2548	2668	spoolsv.exe	30
PID 2668 wrote to memory of 2548	2668	spoolsv.exe	30
PID 2668 wrote to memory of 2548	2668	spoolsv.exe	30
PID 2548 wrote to memory of 2432	2548	svchost.exe	31
PID 2548 wrote to memory of 2432	2548	svchost.exe	31
PID 2548 wrote to memory of 2432	2548	svchost.exe	31
PID 2548 wrote to memory of 2432	2548	svchost.exe	31
PID 2548 wrote to memory of 500	2548	svchost.exe	32
PID 2548 wrote to memory of 500	2548	svchost.exe	32
PID 2548 wrote to memory of 500	2548	svchost.exe	32
PID 2548 wrote to memory of 500	2548	svchost.exe	32
PID 2548 wrote to memory of 1512	2548	svchost.exe	36
PID 2548 wrote to memory of 1512	2548	svchost.exe	36
PID 2548 wrote to memory of 1512	2548	svchost.exe	36
PID 2548 wrote to memory of 1512	2548	svchost.exe	36
PID 2548 wrote to memory of 960	2548	svchost.exe	38
PID 2548 wrote to memory of 960	2548	svchost.exe	38
PID 2548 wrote to memory of 960	2548	svchost.exe	38
PID 2548 wrote to memory of 960	2548	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe
"C:\Users\Admin\AppData\Local\Temp\81a2b08ade27d47514e9f208bfd8bbd2e5e9487b4aeb7e1132facf39afa10a7e.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2020
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2432
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:500
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1512
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
65KB

MD5
6aee9ec1f75e7a1506ca36e0c5c0a331

SHA1
1bbc0651c76d02086ab9168b4ab6e198e9bb3c45

SHA256
517cbfa95e8abe00c4f5d73fa63ce28ea7e6393cdce34cf6bc31f1a50f4cf11b

SHA512
00f5354d4435ca604048a4a9761ecb731f4f229207d44075d55ab09889174a372c8f0e5c20db1b3c8e86853a2a967f3da4af05f7f5702c4dae8272f0efb344ac

Download Submit
C:\Windows\system\svchost.exe

Filesize
65KB

MD5
7ea97dbc36141d462c63c13f9710def7

SHA1
a34476eddfac867551c8e469d8e65f89f83c2452

SHA256
aa013298af4dc134046008dab38510bedc367f2227bdf636340c03e39eb74e5c

SHA512
955abd3b3f0e62349705c5afecd4b8d3b2c3d5f976ea5fe9a24279e93cbe7b9685e1c513e510e64e9ac4f3597e40fc86662ee9dcf62f06cab75a24fb1d7322de

Download Submit
\Windows\system\explorer.exe

Filesize
65KB

MD5
cc1974b652fe7f130f0ee994333b5e86

SHA1
a078e05d1d9b9ed7cc4b2f6026c3cf272d180045

SHA256
f6180085853388db4fce2d85a74e6ad40d3a673050ead170832af8a82001719e

SHA512
82ee45c00482115e358bfe054f59aba947a50a9d8270d68a0d5cbe7ec449b244096d1c6db9d97889f2a7af61e151587c423898dd39f8e296ecc9e80a332c9e5e

Download Submit
\Windows\system\spoolsv.exe

Filesize
65KB

MD5
3a02458c91f931421ea6a97e76265579

SHA1
0b36f0473bcc4f36782625a898ec10d6f58a2829

SHA256
abe98c63b828fb0831b6bf5891b89b66faadcec2a8f8c37fd4020b05cafc881d

SHA512
7d45c4e9efd26d3e28b8c6b4b7193ebdcfde2588573ae15ae258ddf87703fa63b42020cdad9aad9421aa836f6291ea277095f79bc611a9b945046b137111c325

Download Submit
memory/2020-19-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2020-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2020-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2020-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2020-21-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2020-30-0x0000000002720000-0x0000000002751000-memory.dmp

Filesize
196KB

Download
memory/2020-94-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2432-73-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2432-67-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2548-55-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2548-85-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2548-66-0x0000000002650000-0x0000000002681000-memory.dmp

Filesize
196KB

Download
memory/2548-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2668-54-0x0000000001DE0000-0x0000000001E11000-memory.dmp

Filesize
196KB

Download
memory/2668-77-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2668-53-0x0000000001DE0000-0x0000000001E11000-memory.dmp

Filesize
196KB

Download
memory/2668-36-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2668-40-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2668-41-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2820-59-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2820-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2820-80-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2820-79-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2820-16-0x0000000003110000-0x0000000003141000-memory.dmp

Filesize
196KB

Download
memory/2820-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2820-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2820-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2820-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download