f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe
Size

206KB
MD5

765abd0efdd3288f2181237ba07b6e05
SHA1

dc76aa3717681c63485ae7837969f34e129168fb
SHA256

f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4
SHA512

8207d55a0924bfd3218692330d28c985726b27acd025f6d67bc7e3e6858411049cf1ca6736622eedcfb8398cf954bb6caa68138cf19a4324575720da371934f8
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unLQ:5vEN2U+T6i5LirrllHy4HUcMQY6KQ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2240	explorer.exe
2052	spoolsv.exe
2652	svchost.exe
2820	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1084	f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe
1084	f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe
2240	explorer.exe
2240	explorer.exe
2052	spoolsv.exe
2052	spoolsv.exe
2652	svchost.exe
2652	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1084	f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2652	svchost.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe
2652	svchost.exe
2240	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2240	explorer.exe
2652	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1084	f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe
1084	f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe
2240	explorer.exe
2240	explorer.exe
2052	spoolsv.exe
2052	spoolsv.exe
2652	svchost.exe
2652	svchost.exe
2820	spoolsv.exe
2820	spoolsv.exe
2240	explorer.exe
2240	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2240	1084	f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe	28
PID 1084 wrote to memory of 2240	1084	f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe	28
PID 1084 wrote to memory of 2240	1084	f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe	28
PID 1084 wrote to memory of 2240	1084	f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe	28
PID 2240 wrote to memory of 2052	2240	explorer.exe	29
PID 2240 wrote to memory of 2052	2240	explorer.exe	29
PID 2240 wrote to memory of 2052	2240	explorer.exe	29
PID 2240 wrote to memory of 2052	2240	explorer.exe	29
PID 2052 wrote to memory of 2652	2052	spoolsv.exe	30
PID 2052 wrote to memory of 2652	2052	spoolsv.exe	30
PID 2052 wrote to memory of 2652	2052	spoolsv.exe	30
PID 2052 wrote to memory of 2652	2052	spoolsv.exe	30
PID 2652 wrote to memory of 2820	2652	svchost.exe	31
PID 2652 wrote to memory of 2820	2652	svchost.exe	31
PID 2652 wrote to memory of 2820	2652	svchost.exe	31
PID 2652 wrote to memory of 2820	2652	svchost.exe	31
PID 2652 wrote to memory of 2548	2652	svchost.exe	32
PID 2652 wrote to memory of 2548	2652	svchost.exe	32
PID 2652 wrote to memory of 2548	2652	svchost.exe	32
PID 2652 wrote to memory of 2548	2652	svchost.exe	32
PID 2652 wrote to memory of 2220	2652	svchost.exe	36
PID 2652 wrote to memory of 2220	2652	svchost.exe	36
PID 2652 wrote to memory of 2220	2652	svchost.exe	36
PID 2652 wrote to memory of 2220	2652	svchost.exe	36
PID 2652 wrote to memory of 2060	2652	svchost.exe	38
PID 2652 wrote to memory of 2060	2652	svchost.exe	38
PID 2652 wrote to memory of 2060	2652	svchost.exe	38
PID 2652 wrote to memory of 2060	2652	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe
"C:\Users\Admin\AppData\Local\Temp\f6ca759ba80b7013106f43f728f73b8dbfe54e47e8da616a0a94f564a20144c4.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2240
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2820
    - - C:\Windows\SysWOW64\at.exe
        
        at 05:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2548
    - - C:\Windows\SysWOW64\at.exe
        
        at 05:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2220
    - - C:\Windows\SysWOW64\at.exe
        
        at 05:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
7ca41723c602e76eaebebbe9c92d5422

SHA1
dc52113d6b231e63c7eac576968cd2ab132bef30

SHA256
309325bcba5f5ee7b33e5e92bde7cfd695e1225b6bbd7e54e86ed821d03b3ebe

SHA512
be21e5179f6569361e0d725c0ba952442548ca53feab621050cf0792de80b2ebf9a1e391eadd49db636d57a5f5475ad3f913b4a4243fe07c2618226596098972

Download Submit
C:\Windows\system\svchost.exe

Filesize
206KB

MD5
98710e639ac9d2af86757588576735e4

SHA1
cf8c7ae332caaaebf682a8de538ee65ca60c085f

SHA256
59de326399139c31474d15fbb219b404c3537d296e58ce67ca3d944889ac83c6

SHA512
c6d36d33122614b97b74ed4836206d945274bb83313fd11d6e3312e8f2d897b408d64883f8529f6331b1bd6142ea77d56c9e31936c702d6054577c64fa4c08f5

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
8b67497df1dac752b7a90fb37336c6fc

SHA1
b67bc1942a24de4b89cac01b096c14d273c58e75

SHA256
fbb92591a7555e324d7f403d4bdb69e337e1029f28593fd28f66a296308b2bab

SHA512
75f55d89436c857cdcc2b5d1e4ec7d60df7edc4cb6cfbf524916fdd275256c8378af44f406e0b1cdf75029b420f0bc92e0a906ca7c156ffcc9041ebb4f35614a

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
d68f1763a8595f72e6182eb6b505f400

SHA1
7227e1043f5c21e76f26c1258d9e1a499c3043c7

SHA256
f329c91ca1477c05cfdd7e8f774f758e1b01867225ed7ad1a6764b2221bb5192

SHA512
b8c9a295311bc2088f41230812c55e036c16212858bb0ca3ca7ad4975f1b483a721baa58a70eca708a329491bad1698ba62d52c45f4263d6c801ec67a453deeb

Download Submit
memory/1084-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1084-14-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/1084-13-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/1084-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download