Malware Analysis Report

2025-01-06 10:59

Sample ID 240603-fgnzxadc69
Target e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e
SHA256 e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e

Threat Level: Known bad

The file e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:50

Reported

2024-06-03 04:53

Platform

win7-20240215-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe \??\c:\windows\system\explorer.exe
PID 2876 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe \??\c:\windows\system\explorer.exe
PID 2876 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe \??\c:\windows\system\explorer.exe
PID 2876 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe \??\c:\windows\system\explorer.exe
PID 2504 wrote to memory of 2672 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2504 wrote to memory of 2672 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2504 wrote to memory of 2672 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2504 wrote to memory of 2672 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2672 wrote to memory of 2444 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2672 wrote to memory of 2444 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2672 wrote to memory of 2444 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2672 wrote to memory of 2444 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2444 wrote to memory of 2676 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2444 wrote to memory of 2676 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2444 wrote to memory of 2676 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2444 wrote to memory of 2676 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2444 wrote to memory of 2324 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2444 wrote to memory of 2324 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2444 wrote to memory of 2324 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2444 wrote to memory of 2324 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2444 wrote to memory of 932 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2444 wrote to memory of 932 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2444 wrote to memory of 932 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2444 wrote to memory of 932 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2444 wrote to memory of 2764 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2444 wrote to memory of 2764 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2444 wrote to memory of 2764 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2444 wrote to memory of 2764 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe

"C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2876-0-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\system\explorer.exe

MD5 303512b6dc61aa493a7609a6ed3be7a1
SHA1 facd0ea075f3eb836c04b27ce04ec32c3aca1e0e
SHA256 73cdd97234c0db3fbcb041723d13fc9a11146e9a58fe495d3b3f72a0ad812b6a
SHA512 6b4daef88bd598ee4ae0a12b97b0ef7ffc9708c1cf449fdb1e9f31a996dbde6b679083b562b5d23a5964529f7d5921473d9953b7e129f6ecd62f4185c42825c6

memory/2876-7-0x0000000002C50000-0x0000000002C90000-memory.dmp

\Windows\system\spoolsv.exe

MD5 a604f461307ab7cdd1ba4dffe45e7fb3
SHA1 a856490f5f4b789eb15bd6e685eddc44ec7bc204
SHA256 0c4986c59fd45860dfb52b62874010eb19332f1f27c915e17a90ca3ba30b7df7
SHA512 968bd62cdab5f831ebe7f24b4003143b4104de28788551eea76ebc02540299e5136985e06b564dccc341826b40d80824348a14d012f30ce518997f53b198c90f

memory/2504-27-0x0000000003120000-0x0000000003160000-memory.dmp

\Windows\system\svchost.exe

MD5 a03d37562b46e91ff7af4e5e7203dbd3
SHA1 20a01626e38a264d08802d4b10b24853a9b9268a
SHA256 f544b5a670a45f0fe36b35cee4e14b3a661abeaafc2756dced159f8be3a81620
SHA512 9a4e8e3ea41dc9c428e4546ecec2eea6b5caae790451a344b8effa8de24bc70e64fbca8a31eb2caf23e453e4421749c4a895c291c95d2ca8a255f17d504ac8c9

memory/2444-48-0x00000000024D0000-0x0000000002510000-memory.dmp

memory/2676-52-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2876-56-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2672-55-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 0f59ef6e0bb197a964e73bc4e2949cf8
SHA1 dab8824ead09bd94653b6dfbe2b24095fa0bf1f9
SHA256 6efa5083eab813e9d6cfbe79e662b287fbd08d2aa3d2fc34a0f5f69634371fdc
SHA512 37fb0f4b9c721b05aa6924d48039f36d055cd8d45961873db0e8422bad99f9e15379a9c081150d3d496c6c2bccfbe0f8ef757a867d78ea69f71148011d3f95de

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:50

Reported

2024-06-03 04:53

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3652 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe \??\c:\windows\system\explorer.exe
PID 3652 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe \??\c:\windows\system\explorer.exe
PID 3652 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe \??\c:\windows\system\explorer.exe
PID 4496 wrote to memory of 1320 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4496 wrote to memory of 1320 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4496 wrote to memory of 1320 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1320 wrote to memory of 4996 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1320 wrote to memory of 4996 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1320 wrote to memory of 4996 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4996 wrote to memory of 4004 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4996 wrote to memory of 4004 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4996 wrote to memory of 4004 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4996 wrote to memory of 4436 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4996 wrote to memory of 4436 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4996 wrote to memory of 4436 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4996 wrote to memory of 3796 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4996 wrote to memory of 3796 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4996 wrote to memory of 3796 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4996 wrote to memory of 4192 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4996 wrote to memory of 4192 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4996 wrote to memory of 4192 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe

"C:\Users\Admin\AppData\Local\Temp\e31b045698e0492a84d9e8d803bdeac5aeda55b1e10c2d86b5e48b6d08c3fa7e.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/3652-0-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\System\explorer.exe

MD5 b68ef3ec89cad317c0c898d41fa8e5fd
SHA1 130ff5660a1e3a69c533bc4786f50c12f6331c6a
SHA256 ef31c681a09f5b684d1e973dc676a49fd7af51259a63221795d6d8f5fb2a4a33
SHA512 592ccccf8b89b5d872b78d8bb4db01f19038a1b6b4ba7efbe20e271d0260a45a63532a71ea5970b27652ac7f70f7072c7810ef8fb0f2cf569be6b60252c55381

C:\Windows\System\spoolsv.exe

MD5 414935e859049442b7b73a7e4d3bf04c
SHA1 a9d8d81048b33f303e2cc8746b192c1e98387a36
SHA256 9610e366ed46caef921473cc90c33f6a4884f1353600c67267f0b7f0e721d545
SHA512 7382b59a785b135b39681f31840c483834b215c178baa130a6303f52dc95a81d3b578245c0e64b2b9348f5f23a916eb0988bd8da5ed85f3426f85400d09cab2a

memory/1320-17-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\System\svchost.exe

MD5 b63fc09be122d03bd66ee42be594ccb9
SHA1 92982ed12dcac30a25685a397d8170b69c8e3f31
SHA256 797f0bc3623bf0d2da9f60d3d423cc32ec22d964a828151d1a7679efbbd9183a
SHA512 8fb9babba7afcddecf113895e91c91475d14d1aff80f6ff57a10441f3509bc98288d1bbcd34660a54068935c57add3eda2cde1237db1b041b5ab011eedb8c6e5

memory/4004-33-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3652-36-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1320-37-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 8536ac74ea0c05ee2b178b81cee17c78
SHA1 3724cc8733c5e445833ce521a140deccc5cb9c84
SHA256 808285064b37da8a7163f0a8dc427bff7e4167620abd176db137f088a1fcf11c
SHA512 c8d68696dff276d1e6b0759928b7b21313f8cc43b21e96a4508e5c4623535fb1c349165818edc5d47363675ac35b854b8608d547da0de4d8b914398bbd5c9400

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e