Malware Analysis Report

2025-01-06 08:57

Sample ID 240604-ayjtmafa2v
Target 9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70
SHA256 9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70

Threat Level: Known bad

The file 9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:37

Reported

2024-06-04 00:39

Platform

win7-20240215-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe \??\c:\windows\system\explorer.exe
PID 2316 wrote to memory of 2584 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2316 wrote to memory of 2584 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2316 wrote to memory of 2584 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2316 wrote to memory of 2584 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2584 wrote to memory of 2704 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2584 wrote to memory of 2704 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2584 wrote to memory of 2704 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2584 wrote to memory of 2704 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2704 wrote to memory of 2364 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2704 wrote to memory of 2364 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2704 wrote to memory of 2364 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2704 wrote to memory of 2364 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2704 wrote to memory of 2156 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2704 wrote to memory of 2156 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2704 wrote to memory of 2156 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2704 wrote to memory of 2156 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2704 wrote to memory of 864 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2704 wrote to memory of 864 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2704 wrote to memory of 864 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2704 wrote to memory of 864 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2704 wrote to memory of 2332 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2704 wrote to memory of 2332 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2704 wrote to memory of 2332 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2704 wrote to memory of 2332 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe

"C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 00:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 00:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 00:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2108-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2108-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2108-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2108-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2108-3-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\explorer.exe

MD5 880eaafed319c69602e7dfcff7b4acc2
SHA1 8940f4a2cfe72088c1a25b310af958c035544d8c
SHA256 a3dfb09bde7fab7cbad4ab4c6ae34f3a9ef92e99ea552b05970e520eb87b2a58
SHA512 3fc83f715f28c14bed94a1d988ee7125d83550728fca49b0e590924ed4fd82c7f3acbca2e88de29eb843d06aeec7b128a02518227061b9c439238fea6c0a5526

memory/2108-17-0x0000000002570000-0x00000000025A1000-memory.dmp

memory/2316-18-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2316-20-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2316-29-0x0000000000580000-0x00000000005B1000-memory.dmp

\Windows\system\spoolsv.exe

MD5 959d84e9b4fd80ff49341139e429859c
SHA1 f2a63bf2afcbad7a8286a99a0e52d945d94a3855
SHA256 e1055bb33676d839030ae50bb1b4b3b5320223da0dc4da805b0ec7893f38f4d9
SHA512 093b89bad603be7a2e2622f4d924100adea1d69829ce735f7f333f222a368997ce4e4206eccf340968ffd0f87721e0eabd4c755d1df4a9c5a9a0be6a0da96bd3

memory/2584-40-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 0fc519e96fd749525ef6aaa00da1e2b6
SHA1 b99e651599d4ba37ca6bcb6eeeda66e675795083
SHA256 76f92f6cbaf1abbb56200fd7aa04c5a6b2f4e189d5b2c3c5f47423d2aaf37334
SHA512 8bd792213e84197d60c0af3608fa63610a521639c831d875d4c32ffda041a4c358710186067fb74a7e9f35bb66f6b8f96ef127a9e06cb259645e6b14ae339a96

memory/2108-75-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2108-74-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2108-73-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2584-72-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 7817d27ac8ab79453b24c56d643e9120
SHA1 f820af64ec1e5d82267a7d6b9042483f3dc7f4b1
SHA256 5c769d34adc7eeec88795254301ccd22ab26824f36760c4379196b4e6bdc90d1
SHA512 0f761cc7791aec437ac10a270462d8da374959a8b6d6fd993bc4796e5bc7e29208443748a128f94be9bb98859ec8dc3b54837d4e1471f653a2ffd15f633ddbdd

memory/2364-69-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2364-63-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2364-67-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2704-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2704-53-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2704-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2584-35-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2316-39-0x0000000000580000-0x00000000005B1000-memory.dmp

memory/2316-77-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2704-79-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2316-88-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 00:37

Reported

2024-06-04 00:39

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4272 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe \??\c:\windows\system\explorer.exe
PID 4272 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe \??\c:\windows\system\explorer.exe
PID 4272 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe \??\c:\windows\system\explorer.exe
PID 4484 wrote to memory of 2984 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4484 wrote to memory of 2984 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4484 wrote to memory of 2984 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2984 wrote to memory of 1492 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2984 wrote to memory of 1492 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2984 wrote to memory of 1492 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1492 wrote to memory of 3848 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1492 wrote to memory of 3848 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1492 wrote to memory of 3848 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1492 wrote to memory of 2160 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1492 wrote to memory of 2160 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1492 wrote to memory of 2160 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1492 wrote to memory of 3348 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1492 wrote to memory of 3348 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1492 wrote to memory of 3348 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1492 wrote to memory of 1628 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1492 wrote to memory of 1628 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1492 wrote to memory of 1628 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe

"C:\Users\Admin\AppData\Local\Temp\9a81ce1e7c9cd1af8594df42df21fdc239514e247cb41c62aeec8482c387ad70.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 00:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 00:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 00:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

memory/4272-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4272-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/4272-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4272-2-0x0000000074DA0000-0x0000000074EFD000-memory.dmp

memory/4272-5-0x0000000000401000-0x000000000042E000-memory.dmp

\??\c:\windows\system\explorer.exe

MD5 e56918d88c601ad81e2ee31b38b313ef
SHA1 c3abcfe9978013645e5f7176efdc74d3f043f5be
SHA256 40c004a5bcfd8aef7870e9e8db0ff0724b999f921ae4788be438815be3f2dfff
SHA512 fe141344ac41c98037cfd2a0e72befe5e8d7b378afaca7caf7d1a7e508c2bcb91b717c5d486af2f1dd01871e968092ebe055772043e4d17c9e7733bfe1de5817

memory/4484-16-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4484-15-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4484-13-0x0000000074DA0000-0x0000000074EFD000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 56dd0f4ba37cdf7ed1247b94c1d5b11c
SHA1 47acbe41c7bbe8fd7cba9eb286c5dca1be784e68
SHA256 fea660b94c6932c819eda34688e2ce8a3ca4203ac3e8d62e11a7951d0d0fea99
SHA512 1a8003cc7466cc35286a3615fd6f637363c7fb14e706481cae820e24554966279f95d6fafdd11b5cea0dd172d5c10ae2f518aa42e2128b7150ec629d160dafde

memory/2984-25-0x0000000074DA0000-0x0000000074EFD000-memory.dmp

memory/2984-29-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 7c5f2195395df861405588fc83e4655c
SHA1 36161d1949f7450db52c0055755782cafab0b9b9
SHA256 7250273e531e569c9aa6469125256acf48b13cf9c35acbcc77611ba638d80682
SHA512 8915413b468806891bee15a52c48cc6d0a322af58d56771734b8188fffd0857e33e416578bf835533b478bbf5db56387c9ba1a95fd6c8570db3352562c1604cd

memory/1492-36-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1492-37-0x0000000074DA0000-0x0000000074EFD000-memory.dmp

memory/3848-43-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3848-44-0x0000000074DA0000-0x0000000074EFD000-memory.dmp

memory/3848-50-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2984-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4272-55-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4272-56-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 3823a2fb983f70f03e1c465e253a063e
SHA1 94aafb6a054ead529665a324ef879550c4c40f71
SHA256 0f3f3e701837bede3eae83f438fcee873f15493b4699819e8f05ae62e437992d
SHA512 2f538b2f49754b44d0745977047f34079b30ab9d508c937003fa7c9aadc6e027ff78783e3de97f57c5d7d4459234e1410f373f4e345fc4ce715e52ae6a4f6887

memory/4484-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1492-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4484-69-0x0000000000400000-0x0000000000431000-memory.dmp