Malware Analysis Report

2025-01-06 11:47

Sample ID 240603-e3wq7sbc9v
Target da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3
SHA256 da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3

Threat Level: Known bad

The file da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visiblity of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:28

Reported

2024-06-03 04:31

Platform

win7-20240221-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe \??\c:\windows\system\explorer.exe
PID 2192 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe \??\c:\windows\system\explorer.exe
PID 2192 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe \??\c:\windows\system\explorer.exe
PID 2192 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe \??\c:\windows\system\explorer.exe
PID 1972 wrote to memory of 2836 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 2836 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 2836 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 2836 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2836 wrote to memory of 2700 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2836 wrote to memory of 2700 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2836 wrote to memory of 2700 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2836 wrote to memory of 2700 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2700 wrote to memory of 2716 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2700 wrote to memory of 2716 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2700 wrote to memory of 2716 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2700 wrote to memory of 2716 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2700 wrote to memory of 2348 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2700 wrote to memory of 2348 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2700 wrote to memory of 2348 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2700 wrote to memory of 2348 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2700 wrote to memory of 2480 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2700 wrote to memory of 2480 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2700 wrote to memory of 2480 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2700 wrote to memory of 2480 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2700 wrote to memory of 608 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2700 wrote to memory of 608 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2700 wrote to memory of 608 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2700 wrote to memory of 608 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe

"C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2192-0-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\system\explorer.exe

MD5 9a6e5d3d60866c4203ee70bfc51faeeb
SHA1 7349521ef4b98e282815da94b51b10c9f69402ea
SHA256 ad46959d17f0c495e4f92f42dbc2cd72092c14a4825e2244a8c27edbea329d06
SHA512 bf167edf7d5debb2dcea3df4e29e87792ffd08fbaa105403f9cf5c4e7342767894831ec29fa75325628bd471f687f61fab48d12338a0725ae8168a4580a4e221

memory/1972-14-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2192-12-0x0000000002630000-0x0000000002670000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 5d79fa7dbdf92e45376f7ac1d4100a3a
SHA1 f86dd62fe568cebef2fd3374f8d43593de429c5b
SHA256 abf5887e3174ed37c018c7d35e524ea389bba0047f1f2038017024006016fd09
SHA512 ce3950323ce8f937d3d97d9edb1f810d22a7fe623720369f9c1ffa5d06038f08cb8c67c557c2b134ac3ccd5aa06a139a7505dbf2de6bc016d2fd9298c989da16

memory/1972-28-0x0000000002570000-0x00000000025B0000-memory.dmp

\Windows\system\svchost.exe

MD5 9b08fbdfd879edc6e6fc6d54a01cc8c4
SHA1 7f70eb829f9b51ae200aea781b32c5135aed87ec
SHA256 25eb938480448b52ad9c3270c01bd67681acab6c53782ee3a4d26e7ea4458aa5
SHA512 62d8a3742d82916d95e4c3f49458677f393fbaa3f26a61a1abccd34150aa7a9e65699744d83fc65281ce8aabd084df89658a54bedc8752a53af7384b2722ff52

memory/2700-46-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2192-57-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2836-56-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2716-53-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 339609a539063951021843d089a2978a
SHA1 274374c8b3490e3bb62a277762be73dfa6b167bd
SHA256 02be58b30040745c977eeff6db75172181785005cc183f44bca2952d8164a264
SHA512 021aa73e236f5d915b82f821ff09b108c4349c16ebc960644b85e6f2490df85bf74a2aa6a3356d172c48e7c542186628f91c02b9befde5e46d2f3d3b06123373

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:28

Reported

2024-06-03 04:31

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe \??\c:\windows\system\explorer.exe
PID 2752 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe \??\c:\windows\system\explorer.exe
PID 2752 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe \??\c:\windows\system\explorer.exe
PID 3616 wrote to memory of 3592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3616 wrote to memory of 3592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3616 wrote to memory of 3592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3592 wrote to memory of 2968 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3592 wrote to memory of 2968 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3592 wrote to memory of 2968 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2968 wrote to memory of 1460 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2968 wrote to memory of 1460 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2968 wrote to memory of 1460 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2968 wrote to memory of 4500 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2968 wrote to memory of 4500 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2968 wrote to memory of 4500 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2968 wrote to memory of 1332 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2968 wrote to memory of 1332 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2968 wrote to memory of 1332 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2968 wrote to memory of 2248 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2968 wrote to memory of 2248 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2968 wrote to memory of 2248 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe

"C:\Users\Admin\AppData\Local\Temp\da8ad84661349f94b16cdf06775e482835e083c0d22d35b08c41c81837b9f3a3.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/2752-0-0x0000000000400000-0x0000000000440000-memory.dmp

\??\c:\windows\system\explorer.exe

MD5 eb7020364dbee1e70f389b1ea4494fcb
SHA1 dd623095dd9f9b76348fdd7e85369dc48391b745
SHA256 a6c6e1fbe5ce6f655989bf51908919ed871bb39793d95f7a6b693cb61267f71d
SHA512 4d9c23f2f2c41768360282caae17f757171dee86535d1441653da76b01eb10c470c69c6cdbae36315a9374b832cb21d55d810ce440a0d61b9f7a97aca9f5af63

C:\Windows\System\spoolsv.exe

MD5 9a21b94635880f49d560c513b688d050
SHA1 fddd9debf02a2bebb23bd504d9c370a59174cb7e
SHA256 9967a15e4375e279cb9f8a99f150d0628cb4a4cbe238dd3450808888af20e05f
SHA512 bfa4d5d29a058c75b0cb879aa1707316f278d4b84c383101a68c18e3e4d42885ac3a1f875fd2d8ef413477a6a70c70012bbabc5a4e1be3c74dc335805b340e7a

C:\Windows\System\svchost.exe

MD5 d7ac649882a5301e4d2b0e1136c9ba8b
SHA1 c17715d0655f901b94546db8da355e2a71941938
SHA256 89cb2a4777f462f690d20d039bb4528c5b16e9fa0c627beb4937fa4d1e001b22
SHA512 a25c3db3b9463eb01975b8de168959b5626cfbfed76679eac214fedc8559fafc5d6ff3a69df78d6cddda08ecf556874a9b3a8df31c4d600e6e00c14f4e00f229

memory/1460-29-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1460-33-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2752-37-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3592-36-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 be9af9fae418662e389d086f39297055
SHA1 c9149bda8762f6e080fb99bb0ddeb18006860c82
SHA256 5f350b0f155265ae883761cf9e74a49ee807f8edae0ad129dc405bcf2e31014e
SHA512 1a36df99d1349cc36fc9b264259efad85e0abb069a5557c631299c409a86d5b0df68f2993d9a18d4c165d54b9967f5f7be21c6e81ad370267976d5497ba7b4d5