Malware Analysis Report

2025-01-06 08:57

Sample ID 240604-back3sfe2s
Target a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564
SHA256 a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564

Threat Level: Known bad

The file a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:56

Reported

2024-06-04 00:58

Platform

win7-20240508-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe \??\c:\windows\system\explorer.exe
PID 1856 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe \??\c:\windows\system\explorer.exe
PID 1856 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe \??\c:\windows\system\explorer.exe
PID 1856 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe \??\c:\windows\system\explorer.exe
PID 2956 wrote to memory of 2584 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2956 wrote to memory of 2584 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2956 wrote to memory of 2584 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2956 wrote to memory of 2584 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2584 wrote to memory of 2464 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2584 wrote to memory of 2464 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2584 wrote to memory of 2464 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2584 wrote to memory of 2464 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2464 wrote to memory of 2448 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2464 wrote to memory of 2448 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2464 wrote to memory of 2448 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2464 wrote to memory of 2448 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2464 wrote to memory of 1236 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2464 wrote to memory of 1236 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2464 wrote to memory of 1236 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2464 wrote to memory of 1236 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2464 wrote to memory of 2752 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2464 wrote to memory of 2752 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2464 wrote to memory of 2752 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2464 wrote to memory of 2752 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2464 wrote to memory of 3060 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2464 wrote to memory of 3060 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2464 wrote to memory of 3060 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2464 wrote to memory of 3060 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe

"C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 00:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 00:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 01:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/1856-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/1856-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1856-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1856-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1856-2-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\explorer.exe

MD5 11f7aea9bc928c57b593e21b31ab4ffb
SHA1 7fcca675b669e8a741e01195b9f875df9eb44552
SHA256 f1b5e3615e2d2c02b99a2a29cea1f33df6920cab124b6b53952d68afbb68ef25
SHA512 05daa6f3634bd8354fe3c318339a8b0568886a9ab7bf5e230e9b4017bd7dcd2cf87688ef82d2e1aa0af362f01a072b025a02e1786b7f12a38642127bb3887ad2

memory/1856-18-0x00000000027F0000-0x0000000002821000-memory.dmp

memory/2956-19-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1856-17-0x00000000027F0000-0x0000000002821000-memory.dmp

memory/2956-20-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2956-24-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 ba5256d0ec849496a74f534929d1ba42
SHA1 aa6598b35a451326c95765923b1948ed69079005
SHA256 f23cdbd5261313313aec84e19962dfc05cd77c88951ae16d8c229827f2713b21
SHA512 d26c8eef8c9a36a17a17a5e064c2acf113567362be50d8e7fcd9d5743948b8cf8f31ee07153b1f1a68e0c338d3904d3dbf0e85c1be252816565cbf99d96df2c5

memory/2956-37-0x0000000002B90000-0x0000000002BC1000-memory.dmp

memory/2584-38-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2956-36-0x0000000002B90000-0x0000000002BC1000-memory.dmp

memory/2584-47-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2584-39-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2464-57-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\system\svchost.exe

MD5 f759197c5225bd4f074dd65daf43411f
SHA1 67cd1ba691969bcde9d568dda5268b9524c9e783
SHA256 ce12c878c501bd3c0fc2f0c370b865923659474cbbfee8aab0775fa9789de336
SHA512 2e761d2dcf327e5226e79f486fdc5af72555c4786a516693b2c43a14614ba698a86ce7d9e975eb882b2afa66f7df8ce361de0652d3cdaad4f76e67a4da0bb713

memory/2584-55-0x0000000000520000-0x0000000000551000-memory.dmp

memory/2584-54-0x0000000000520000-0x0000000000551000-memory.dmp

memory/2464-58-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2464-63-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1856-68-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2448-76-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2448-72-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2448-69-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2584-80-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1856-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1856-82-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 a28e4137d5410d9bd856e25648b7b9bb
SHA1 c599915eb140fc03d3578ec8465104c23f4311f6
SHA256 1d05bca7e524828db00a7dd3ab8d11ab69ed196ae0cbea790ad46e9c93ddd7eb
SHA512 3d7cf6b454bb8bcc80d666d177a9a4add5038bab9eea1df8f9b83b72f8f2e2ccb96c0887148a6474cc4065ed1ab0758981d2951bfdc91cb5d08a5b30c125339b

memory/2956-84-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2956-85-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2464-87-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2956-96-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 00:56

Reported

2024-06-04 00:58

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1608 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe \??\c:\windows\system\explorer.exe
PID 1608 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe \??\c:\windows\system\explorer.exe
PID 1608 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe \??\c:\windows\system\explorer.exe
PID 4240 wrote to memory of 2172 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4240 wrote to memory of 2172 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4240 wrote to memory of 2172 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2172 wrote to memory of 3376 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2172 wrote to memory of 3376 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2172 wrote to memory of 3376 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3376 wrote to memory of 4936 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3376 wrote to memory of 4936 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3376 wrote to memory of 4936 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3376 wrote to memory of 3104 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3376 wrote to memory of 3104 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3376 wrote to memory of 3104 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3376 wrote to memory of 3012 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3376 wrote to memory of 3012 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3376 wrote to memory of 3012 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3376 wrote to memory of 912 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3376 wrote to memory of 912 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3376 wrote to memory of 912 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe

"C:\Users\Admin\AppData\Local\Temp\a041e4d3def6ffb57e398c14a3ea744a45e91d34c34a5e22f2a246d715ec2564.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 00:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 00:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 01:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/1608-1-0x00000000001D0000-0x00000000001D4000-memory.dmp

memory/1608-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1608-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1608-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1608-2-0x0000000074EF0000-0x000000007504D000-memory.dmp

C:\Windows\System\explorer.exe

MD5 bacdb114ec83c2164bfd6e154223efc0
SHA1 27e5822ccf2f065c742787a9c6665fc63830782d
SHA256 95ab05b283c39c21535be763d7df7daab61369e1a81641b54fa2c484c2475aa1
SHA512 bfb514cb1ace9efe46b218505f6de2da76cc61c58ac2e4733b381fdef3040391f970c8b3a102f9227fa86f503867027d0e04e6049a8fa26a82ed660e504a2ab0

memory/4240-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4240-14-0x0000000074EF0000-0x000000007504D000-memory.dmp

memory/4240-16-0x0000000000400000-0x0000000000431000-memory.dmp

\??\c:\windows\system\spoolsv.exe

MD5 47418dbd89f9fdb4de48e043f1581f82
SHA1 019bb1d5fc49f58f0a5104a299e3d061c6c8e4b4
SHA256 ad9f42212a740999830b19393d8fb0c506169ba9a5332438281ee58f09ed35b9
SHA512 a0aa2c43a35a90b0b52f79f6c7cc428fcaf05ff088eae8003b1c933d455e89000107e8414dad2dee2f6a034fcaab634fea8cfba8037ca0959552ad96ba49cda7

memory/2172-29-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2172-25-0x0000000074EF0000-0x000000007504D000-memory.dmp

C:\Windows\System\svchost.exe

MD5 bdd82582ec169388fee7513fefdc180c
SHA1 14ca6c50bd1ae24aceba398fc1ca1b6274e6c147
SHA256 6ac57db9fdc717976205148ab6148671c89172d7e3937f1ea2f3d31102b57faf
SHA512 0278181a322e96f256f5371b0a47335b651abedccc14ecbbf829620cdabaf8b075756512bd43586667a75a16a98ab7defb74451c8067489305591f07e335b261

memory/3376-37-0x0000000074EF0000-0x000000007504D000-memory.dmp

memory/3376-36-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4936-43-0x0000000074EF0000-0x000000007504D000-memory.dmp

memory/4936-51-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 6999107a0f21029104317664a65bdf50
SHA1 bb6ef66b1bba4036594cb55080feca8c85ecf1c9
SHA256 e97767d09a7c979f26d32b4859155f8baac2a6f805d5a958e3816ce8955d4387
SHA512 5b6cb1c0a2342daba25fa1cd6c865e580708948c4fc6117028fb89f1fa697916de911f5ec3732893408983098e050119cac0b900368d2c9cea473ef4c1da6a6f

memory/1608-57-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1608-55-0x00000000001D0000-0x00000000001D4000-memory.dmp

memory/1608-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2172-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4240-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3376-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4240-69-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e