82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe
Size

206KB
MD5

56a6af523a68f8f4f6076469cdfbef94
SHA1

be01694779217eb4ebd4b30d0e89aca7f0a6f2f7
SHA256

82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63
SHA512

9afadfcc585bd39297dfaf44b9be60624a812b03d68acdef582d5609e654e4294f05667f72c3402ca3a80790fd00880166774e6a6bc10bc1077be19e7fad99ae
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unL+:5vEN2U+T6i5LirrllHy4HUcMQY6K+

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
5112	explorer.exe
1744	spoolsv.exe
3448	svchost.exe
3440	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4076	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe
4076	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
5112	explorer.exe
3448	svchost.exe
5112	explorer.exe
3448	svchost.exe
3448	svchost.exe
3448	svchost.exe
5112	explorer.exe
5112	explorer.exe
3448	svchost.exe
3448	svchost.exe
5112	explorer.exe
5112	explorer.exe
3448	svchost.exe
3448	svchost.exe
5112	explorer.exe
5112	explorer.exe
3448	svchost.exe
3448	svchost.exe
5112	explorer.exe
5112	explorer.exe
3448	svchost.exe
3448	svchost.exe
5112	explorer.exe
5112	explorer.exe
3448	svchost.exe
3448	svchost.exe
5112	explorer.exe
5112	explorer.exe
3448	svchost.exe
3448	svchost.exe
5112	explorer.exe
5112	explorer.exe
3448	svchost.exe
3448	svchost.exe
5112	explorer.exe
5112	explorer.exe
3448	svchost.exe
3448	svchost.exe
5112	explorer.exe
5112	explorer.exe
3448	svchost.exe
3448	svchost.exe
5112	explorer.exe
5112	explorer.exe
3448	svchost.exe
3448	svchost.exe
5112	explorer.exe
5112	explorer.exe
3448	svchost.exe
3448	svchost.exe
5112	explorer.exe
5112	explorer.exe
3448	svchost.exe
3448	svchost.exe
5112	explorer.exe
5112	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5112	explorer.exe
3448	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4076	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe
4076	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe
5112	explorer.exe
5112	explorer.exe
1744	spoolsv.exe
1744	spoolsv.exe
3448	svchost.exe
3448	svchost.exe
3440	spoolsv.exe
3440	spoolsv.exe
5112	explorer.exe
5112	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 5112	4076	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe	91
PID 4076 wrote to memory of 5112	4076	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe	91
PID 4076 wrote to memory of 5112	4076	82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe	91
PID 5112 wrote to memory of 1744	5112	explorer.exe	92
PID 5112 wrote to memory of 1744	5112	explorer.exe	92
PID 5112 wrote to memory of 1744	5112	explorer.exe	92
PID 1744 wrote to memory of 3448	1744	spoolsv.exe	93
PID 1744 wrote to memory of 3448	1744	spoolsv.exe	93
PID 1744 wrote to memory of 3448	1744	spoolsv.exe	93
PID 3448 wrote to memory of 3440	3448	svchost.exe	94
PID 3448 wrote to memory of 3440	3448	svchost.exe	94
PID 3448 wrote to memory of 3440	3448	svchost.exe	94
PID 3448 wrote to memory of 4892	3448	svchost.exe	95
PID 3448 wrote to memory of 4892	3448	svchost.exe	95
PID 3448 wrote to memory of 4892	3448	svchost.exe	95
PID 3448 wrote to memory of 4508	3448	svchost.exe	106
PID 3448 wrote to memory of 4508	3448	svchost.exe	106
PID 3448 wrote to memory of 4508	3448	svchost.exe	106
PID 3448 wrote to memory of 2204	3448	svchost.exe	108
PID 3448 wrote to memory of 2204	3448	svchost.exe	108
PID 3448 wrote to memory of 2204	3448	svchost.exe	108

C:\Users\Admin\AppData\Local\Temp\82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe
"C:\Users\Admin\AppData\Local\Temp\82ee727dbca60cbc09889e28d542c88e7f41d1cbdb80321f196bc083684abb63.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4076
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5112
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3440
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4892
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4508
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3684 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
c9e4caa32d5b07e6cacb7b74d5fac13c

SHA1
438c669ab2848b4442556e29fd48808a1be6c46f

SHA256
fffdef22d95993e14e818d93c0ddf57710d317cdbc49299df13e4e44b970db60

SHA512
8a92ecf27feb45c121634a2a70a98d3df82a1358a9e48ee4c6b7baf3bcaf603b299f0ff9227ccbe3b738351c5a565dabc79c8e7830bd601bfe554b05c3f8b901

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
e6f947759b19cc3399f28b0f0eda6bbb

SHA1
9a99a4f41f5e8b268864a8d0a437c575f80ec8f9

SHA256
2ed79e8d100779df6b06a9343304ae0c263b87acba77a78a9165f44f86893af0

SHA512
dd18fa52b3550a6a93db1dfb63fcf1c42cfa1dd9de7808cd58349f33a6f8dddda96fb60a11e4cca32562d267ebea52f4eedee98b12085974c6e85b5de9653772

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
9c499f1d2afdf345bbdefa8bfdeb77a7

SHA1
45afc496c1b4eb79fbe3a26e860f1871ad25e038

SHA256
efae2b3f058b743c3a0dfd9f0c34d63d2527f7421ab164f1ac35c99b19f0c7c6

SHA512
a1756f1a87fc3433cfe42daa0d87d5ae9fb3afcdecf3a46f9e9acef84032c6309b17de7c36483eedd107979f6484d081f580215ed7355e252350320683224519

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
206KB

MD5
2ee9df151c8cb5b7b07da382c26a94b9

SHA1
cbe01f613006670f5bb54a781c7f4c287c1938cd

SHA256
9411aa336254b9b4c71f4fa7b9d1b1821e0baeaab7f1e5a00bc8ca89e7ab232a

SHA512
7a57a83e4ea0f9ebb6262d6f8969f92e48c891eefbc193424a31affb2ecd6670d9b83398f1c352fc260912f32ec11a18d47fcb1cace97ac0cdd1a0629072b96c

Download Submit
memory/1744-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3440-30-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3440-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4076-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4076-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download