Malware Analysis Report

2025-01-06 11:35

Sample ID: 240603-e7874ach54
Target: dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635
SHA256: dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635
Tags: evasion, persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635

Threat Level: Known bad

The file dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635 was found to be: Known bad.

Malicious Activity Summary

Tags: evasion, persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 04:36

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 04:36

Reported: 2024-06-03 04:38

Platform: win7-20240221-en

Max time kernel: 150s

Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635.exe \??\c:\windows\system\explorer.exe
PID 2264 wrote to memory of 2676 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2676 wrote to memory of 2608 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2608 wrote to memory of 2376 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2608 wrote to memory of 1096 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2608 wrote to memory of 2708 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2608 wrote to memory of 2084 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635.exe"

\??\c:\windows\system\explorer.exe
  Command line: c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe
  Command line: c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe
  Command line: at 04:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe
  Command line: at 04:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe
  Command line: at 04:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

\Windows\system\explorer.exe

MD5 fb2cbb18f1b9b365c59d18df89390876
SHA1 26f217ede5d6d3baff89c592eb46c4851472542f
SHA256 4428e3086c8e54f6aef486ca263171defc22e0cc43ffd240ad1160fe1e864515
SHA512 6228aeb8ae0d789b5a48e7ef8f37a30860e6aed03fffd655ee43a333c2f0a65766116ed4b5fc96b71199ae3629b8100d4a547481099ec680cae54de309dfaf91

\Windows\system\spoolsv.exe

MD5 71feb4804ba74091cccf4e5d157748f0
SHA1 69ed5b7b4c5b7f147571eb4c073254417a5badfd
SHA256 868f8e21bfcb74e95e174ef24632b953616620c172b22a26d50e8d565a385628
SHA512 d86429bbcdf2b923b92a8fef9efa96f219ddfa613c18eafbb52aebbc3bb25f118f52982bcc786aa75154ab577b1bee39fc51dd6fc7bf4c70f4d4d958df6b5341

\Windows\system\svchost.exe

MD5 0a3e31596b723effab94cc1dfc381d39
SHA1 5918688a21870ada6e2c3bf78125a92671533e57
SHA256 857e87203bd45693540ab7a934bb7c22b1279f9f92bc96e4af2511ac22034e32
SHA512 ed6bb73b8ad4cf56b2ffd20aa336dbd7d9b0492df221b2f8008687ba5161c1c681d165beddc2916df23d04cab92d894666fbd2560176f87fa7c38ee27441e659

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 00267ffed3303cc12aeb8b1caca7c057
SHA1 d67270d65ed83fd9b6a8d1dde8161fd576843d2a
SHA256 ed68ad3e1c2f73387cc1ad5c3d15ffd6f3c00c25769edafd685a89ef5b352c73
SHA512 503f7026d9e9b2157c86298a9add41c1db9f631c645b350344e3f3bbcff77cca95630a0220c5fced576730f14a75fbf0fe3a361fdf8acb67455b7e7dc8a1249f


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 04:36

Reported: 2024-06-03 04:38

Platform: win10v2004-20240508-en

Max time kernel: 150s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1880 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635.exe \??\c:\windows\system\explorer.exe
PID 3584 wrote to memory of 2512 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2512 wrote to memory of 1520 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1520 wrote to memory of 1064 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1520 wrote to memory of 452 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1520 wrote to memory of 2116 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1520 wrote to memory of 3708 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dde0594197a2a9b23bdd70ad201a96d5004f8fe03aa86bd9828ed24b0196a635.exe"

\??\c:\windows\system\explorer.exe
  Command line: c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe
  Command line: c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe
  Command line: at 04:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe
  Command line: at 04:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe
  Command line: at 04:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Windows\System\explorer.exe

MD5 a43d2d79954d5d4d6903e2e64fec8b81
SHA1 797e1bb54835c713c53701c2ce690e542a07b5c5
SHA256 64b66085a0e4a42881ce4f0a3232e1acf6056f24c253973bf0646678ad4f30ff
SHA512 607e6d93a7c50ba69d0d8f5623f9e5e933cb5043cf75f229eb4bae365a1bfe4cce7b6c65595292343f24072cb154ede9d5fb40a93e6809a4a8aa70095fdb2ae5

C:\Windows\System\spoolsv.exe

MD5 6e2f12bea8d159a77b69c79c0425a91e
SHA1 5256aa918c49e452a0e7b03a2c8f5623b347b4e6
SHA256 cf4b68a4aa063539d2d37e7b4b1821b93631605e32fb14e80f5334ee5259b860
SHA512 aa089394e61ab05871abe1d4bdc9a8702e02fb3e7cd4c18c0a90dd1df709396646e91ab16b752faccb3decffb8a6d1260841dc636fdf90c128da8a179d259ddf

C:\Windows\System\svchost.exe

MD5 f034ac54b3bba24427ce2c06cb10a534
SHA1 26e4d92e0644aada6e97ff43555b52a5ac399baa
SHA256 c541dab7f29c925d533efb27b104617bc8acef8e7b7874dd7f16eb29ba21d9d3
SHA512 e6ad45cb88691ee0b1e38b64dc93c6868aac0b048aa76dffe2a3e997a97d72faca04235cad712229f75404c6e1f057d6ed1155e223c92ff03cd922f598d6afea

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 153f87c0cf522f6167ab57022e1e4102
SHA1 14db0c70e3824d92db0dca7f880abf7e17c4d2de
SHA256 7388320b8eb9c93ef1f440f9b0cc7d1087ab423798e54e06682758777f84aa4c
SHA512 63ffdfecc78db79d5e59f0fb5576b0826f5a3ddb9d45bbdb1336a4709a74b2ebce9215544fa6a9e1bf4b8e941be6f8a426bbd1790ee14465790da01a40aad132
