98660b6ac500858378cefe41233b5d6730d2f0412a4c6c7b94f5e317a8056b8f

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98660b6ac500858378cefe41233b5d6730d2f0412a4c6c7b94f5e317a8056b8f.exe
Size

206KB
MD5

eb744c43e70494b3b39ddb20661b1f3a
SHA1

97f878a9ddfcd16513cb0bdd947354e1b4ccc815
SHA256

98660b6ac500858378cefe41233b5d6730d2f0412a4c6c7b94f5e317a8056b8f
SHA512

333d4851a38b9925b346df32630fd692ecbcdbc62af58fbb8dbe6065dc8160120a286045ff5773e8b9fc2e63596a91314a6d2ca350fe19829b97c71581a7ec21
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unL+:5vEN2U+T6i5LirrllHy4HUcMQY6K+

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2308	explorer.exe
2592	spoolsv.exe
2672	svchost.exe
2756	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1688	98660b6ac500858378cefe41233b5d6730d2f0412a4c6c7b94f5e317a8056b8f.exe
1688	98660b6ac500858378cefe41233b5d6730d2f0412a4c6c7b94f5e317a8056b8f.exe
2308	explorer.exe
2308	explorer.exe
2592	spoolsv.exe
2592	spoolsv.exe
2672	svchost.exe
2672	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	98660b6ac500858378cefe41233b5d6730d2f0412a4c6c7b94f5e317a8056b8f.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	98660b6ac500858378cefe41233b5d6730d2f0412a4c6c7b94f5e317a8056b8f.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2672	svchost.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe
2672	svchost.exe
2308	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2308	explorer.exe
2672	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1688	98660b6ac500858378cefe41233b5d6730d2f0412a4c6c7b94f5e317a8056b8f.exe
1688	98660b6ac500858378cefe41233b5d6730d2f0412a4c6c7b94f5e317a8056b8f.exe
2308	explorer.exe
2308	explorer.exe
2592	spoolsv.exe
2592	spoolsv.exe
2672	svchost.exe
2672	svchost.exe
2756	spoolsv.exe
2756	spoolsv.exe
2308	explorer.exe
2308	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2308	1688	98660b6ac500858378cefe41233b5d6730d2f0412a4c6c7b94f5e317a8056b8f.exe	28
PID 1688 wrote to memory of 2308	1688	98660b6ac500858378cefe41233b5d6730d2f0412a4c6c7b94f5e317a8056b8f.exe	28
PID 1688 wrote to memory of 2308	1688	98660b6ac500858378cefe41233b5d6730d2f0412a4c6c7b94f5e317a8056b8f.exe	28
PID 1688 wrote to memory of 2308	1688	98660b6ac500858378cefe41233b5d6730d2f0412a4c6c7b94f5e317a8056b8f.exe	28
PID 2308 wrote to memory of 2592	2308	explorer.exe	29
PID 2308 wrote to memory of 2592	2308	explorer.exe	29
PID 2308 wrote to memory of 2592	2308	explorer.exe	29
PID 2308 wrote to memory of 2592	2308	explorer.exe	29
PID 2592 wrote to memory of 2672	2592	spoolsv.exe	30
PID 2592 wrote to memory of 2672	2592	spoolsv.exe	30
PID 2592 wrote to memory of 2672	2592	spoolsv.exe	30
PID 2592 wrote to memory of 2672	2592	spoolsv.exe	30
PID 2672 wrote to memory of 2756	2672	svchost.exe	31
PID 2672 wrote to memory of 2756	2672	svchost.exe	31
PID 2672 wrote to memory of 2756	2672	svchost.exe	31
PID 2672 wrote to memory of 2756	2672	svchost.exe	31
PID 2672 wrote to memory of 2468	2672	svchost.exe	32
PID 2672 wrote to memory of 2468	2672	svchost.exe	32
PID 2672 wrote to memory of 2468	2672	svchost.exe	32
PID 2672 wrote to memory of 2468	2672	svchost.exe	32
PID 2672 wrote to memory of 884	2672	svchost.exe	36
PID 2672 wrote to memory of 884	2672	svchost.exe	36
PID 2672 wrote to memory of 884	2672	svchost.exe	36
PID 2672 wrote to memory of 884	2672	svchost.exe	36
PID 2672 wrote to memory of 2164	2672	svchost.exe	38
PID 2672 wrote to memory of 2164	2672	svchost.exe	38
PID 2672 wrote to memory of 2164	2672	svchost.exe	38
PID 2672 wrote to memory of 2164	2672	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\98660b6ac500858378cefe41233b5d6730d2f0412a4c6c7b94f5e317a8056b8f.exe
"C:\Users\Admin\AppData\Local\Temp\98660b6ac500858378cefe41233b5d6730d2f0412a4c6c7b94f5e317a8056b8f.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2308
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2756
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2468
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:884
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
07aca612db583724e70ba89a62607154

SHA1
3ff0a9430edecf15e1e12e476b88f6246923ebfa

SHA256
62d4ce4b878c4bbcbebe760298f827f2f05b44c961bac60b85dda461be1c8bd3

SHA512
583b407d242388b4a2c70a90bbda68b309cb42d55efd2ad844c6814deb83675968bf92e8013f58e449922818f1d47822070113ab6895e2b8b7a7cb14bf8222b3

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
133b3d11b99f0e6ac5f40516c3640242

SHA1
6042de1e5635ef9e7d838175622648346d7b4018

SHA256
7b0b7625f1f5f67c437a46b281c760b44be1bcac794632545063e82fe0050ab0

SHA512
581ac28ec8f5baaab932cd0fe4738dcfc519f38733d674fa45609607673f8f79a46090ceeeb7a400629c5b165a014f8ac125f44b947b5cf898e9b69d841e3dc1

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
89291e028b4a813d84038f59541ce412

SHA1
b00d63a619f5dbaea7ac38b2dff34d61be403a3c

SHA256
1a667a69e8cf3af91b165d6e94c33d06c1af58d0f0d8e5ace41fcf1e15df45d5

SHA512
4e79623e13c6c7dbee41bc6fb726873572c6f8fe236c2d87c45542f0bc02ca259fe557d18158400d28b4a6a98642e561dcc93b2649148b2cfd897c1c99cb7672

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
c87c2eedc3c274a7eb0a2f0afd72cb5d

SHA1
26f51a14cb49a05164d772a6a06284a4837d8d45

SHA256
9e6ff1c56bc757ce2716946e2b4953717b6ca99f1a7d60a81afd25429cd45c55

SHA512
470c8041ea8ef544558a5c2fa6674e0ab0ea2f12154a11e2897a25f630b267388ecc34550845dfa07f57da91db7bf7dc723d563b9f7df158343afc51a98a6390

Download Submit
memory/1688-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-12-0x0000000001FC0000-0x0000000002000000-memory.dmp

Filesize
256KB

Download
memory/1688-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2308-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-51-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download