82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe
Size

206KB
MD5

56a6af523a68f8f4f6076469cdfbef94
SHA1

be01694779217eb4ebd4b30d0e89aca7f0a6f2f7
SHA256

82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63
SHA512

9afadfcc585bd39297dfaf44b9be60624a812b03d68acdef582d5609e654e4294f05667f72c3402ca3a80790fd00880166774e6a6bc10bc1077be19e7fad99ae
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unL+:5vEN2U+T6i5LirrllHy4HUcMQY6K+

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2664	explorer.exe
2596	spoolsv.exe
2984	svchost.exe
2928	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2276	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe
2276	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe
2664	explorer.exe
2664	explorer.exe
2596	spoolsv.exe
2596	spoolsv.exe
2984	svchost.exe
2984	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe
2664	explorer.exe
2664	explorer.exe
2664	explorer.exe
2984	svchost.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe
2664	explorer.exe
2984	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2664	explorer.exe
2984	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2276	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe
2276	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe
2664	explorer.exe
2664	explorer.exe
2596	spoolsv.exe
2596	spoolsv.exe
2984	svchost.exe
2984	svchost.exe
2928	spoolsv.exe
2928	spoolsv.exe
2664	explorer.exe
2664	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2664	2276	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe	28
PID 2276 wrote to memory of 2664	2276	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe	28
PID 2276 wrote to memory of 2664	2276	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe	28
PID 2276 wrote to memory of 2664	2276	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe	28
PID 2664 wrote to memory of 2596	2664	explorer.exe	29
PID 2664 wrote to memory of 2596	2664	explorer.exe	29
PID 2664 wrote to memory of 2596	2664	explorer.exe	29
PID 2664 wrote to memory of 2596	2664	explorer.exe	29
PID 2596 wrote to memory of 2984	2596	spoolsv.exe	30
PID 2596 wrote to memory of 2984	2596	spoolsv.exe	30
PID 2596 wrote to memory of 2984	2596	spoolsv.exe	30
PID 2596 wrote to memory of 2984	2596	spoolsv.exe	30
PID 2984 wrote to memory of 2928	2984	svchost.exe	31
PID 2984 wrote to memory of 2928	2984	svchost.exe	31
PID 2984 wrote to memory of 2928	2984	svchost.exe	31
PID 2984 wrote to memory of 2928	2984	svchost.exe	31
PID 2984 wrote to memory of 2436	2984	svchost.exe	32
PID 2984 wrote to memory of 2436	2984	svchost.exe	32
PID 2984 wrote to memory of 2436	2984	svchost.exe	32
PID 2984 wrote to memory of 2436	2984	svchost.exe	32
PID 2984 wrote to memory of 2292	2984	svchost.exe	36
PID 2984 wrote to memory of 2292	2984	svchost.exe	36
PID 2984 wrote to memory of 2292	2984	svchost.exe	36
PID 2984 wrote to memory of 2292	2984	svchost.exe	36
PID 2984 wrote to memory of 2168	2984	svchost.exe	38
PID 2984 wrote to memory of 2168	2984	svchost.exe	38
PID 2984 wrote to memory of 2168	2984	svchost.exe	38
PID 2984 wrote to memory of 2168	2984	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe
"C:\Users\Admin\AppData\Local\Temp\82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2664
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2928
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2436
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
207KB

MD5
0836f5bc2a981803f23a471456204d34

SHA1
53ec230f95e770f69ccb33b568d432937b731723

SHA256
8e7a63d37acd32c34570dc66675e587a8720f728c5b2c44eb479638e7d688b3d

SHA512
7ac25ee5965c14fefb1701aa9d5b17f632c7ecee764fc844acee5585d8cb3e218401f7dcb06e8ad33a885a7e844e764e47cb330aee72ee4625d1b99dee0f9c15

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
3c81a3b0d56b228181fb6307ae8d7dee

SHA1
3c3299d4809ca8506c9bf9776092b52cfdb7b5db

SHA256
409cf0bf53b8c8b4fc03c7506ccf31f6f762eb0fcd194389323497a8b09cc155

SHA512
e534c9c1bd6f1d45c17c3e9add066015dc9cca4da1f760f4e130c206c867a44cac788ddedff14b8b17cc0aafaf0548dfc2e483f26bc98fc8fc1ccd1f04ac35e5

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
2c3f8e1116f63b5cafdfccfbdb5b9124

SHA1
963d8b494360d31c451e5ecd4456719d903ed530

SHA256
0aa6b5d21c5951d78e02da6d7ec629954dae03dde65403265c07a8f8e450cf98

SHA512
43ac491fff5f9f3ba63e188acda1e88fa680d1edc2bd7479788cf9bdfd4b0bc3cce5555dd82e2ea0195754acc5eaa063a5705ae0aaab98d921d2ff9a46f13412

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
1b97494f5844ba94e16aebc79da85340

SHA1
eac4b914558bc9509439eae2001ce96f4542f78b

SHA256
e38a6a36b7c92557a85eafaeac5259db215363e88757ca9c52590e3b820a7121

SHA512
4e9a73fa79c8e2d3de6d9fae959a7dfda05dc01ffed0053e22dd0f4f9dd1e52363200772e8f668e4dd122623af22c1f5b4a3c7b2cf484e38551d3eeae4ca9c2c

Download Submit
memory/2276-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-13-0x0000000003230000-0x0000000003270000-memory.dmp

Filesize
256KB

Download
memory/2276-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2596-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-27-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download
memory/2928-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download