7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95

Analysis

max time kernel
118s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 01:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95.exe
Size

2.3MB
MD5

703e39b826f8f94fc1d1423cee8b5abf
SHA1

51e6e6f9ddb023f7d749c26157931ecfb27c4615
SHA256

7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95
SHA512

639aa4158cb878816e853b976871ca4fe678eb45042b28e0cd550731acdd5387ab4ba06bc5023e41a8103d77cc1507911a2af6297ecdf4a05a2e9ea60782f91e
SSDEEP

49152:SLDEfWcnLJ6I3BUz8fsK5CdoQmTZMCpylljm:tXnL73XHdFHpqm

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
5072	explorer.exe
2292	spoolsv.exe
4088	svchost.exe
4776	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 30 IoCs

pid	Process
372	7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95.exe
5072	explorer.exe
2292	spoolsv.exe
2292	spoolsv.exe
4088	svchost.exe
4088	svchost.exe
4776	spoolsv.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
372	7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95.exe
372	7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
5072	explorer.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
5072	explorer.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
5072	explorer.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
5072	explorer.exe
4088	svchost.exe
4088	svchost.exe
5072	explorer.exe
5072	explorer.exe
4088	svchost.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
4088	svchost.exe
5072	explorer.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe
5072	explorer.exe
4088	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5072	explorer.exe
4088	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
372	7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95.exe
372	7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95.exe
5072	explorer.exe
5072	explorer.exe
2292	spoolsv.exe
2292	spoolsv.exe
4088	svchost.exe
4088	svchost.exe
4776	spoolsv.exe
4776	spoolsv.exe
5072	explorer.exe
5072	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 5072	372	7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95.exe	80
PID 372 wrote to memory of 5072	372	7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95.exe	80
PID 372 wrote to memory of 5072	372	7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95.exe	80
PID 5072 wrote to memory of 2292	5072	explorer.exe	81
PID 5072 wrote to memory of 2292	5072	explorer.exe	81
PID 5072 wrote to memory of 2292	5072	explorer.exe	81
PID 2292 wrote to memory of 4088	2292	spoolsv.exe	82
PID 2292 wrote to memory of 4088	2292	spoolsv.exe	82
PID 2292 wrote to memory of 4088	2292	spoolsv.exe	82
PID 4088 wrote to memory of 4776	4088	svchost.exe	83
PID 4088 wrote to memory of 4776	4088	svchost.exe	83
PID 4088 wrote to memory of 4776	4088	svchost.exe	83
PID 4088 wrote to memory of 5108	4088	svchost.exe	84
PID 4088 wrote to memory of 5108	4088	svchost.exe	84
PID 4088 wrote to memory of 5108	4088	svchost.exe	84
PID 4088 wrote to memory of 2464	4088	svchost.exe	94
PID 4088 wrote to memory of 2464	4088	svchost.exe	94
PID 4088 wrote to memory of 2464	4088	svchost.exe	94

C:\Users\Admin\AppData\Local\Temp\7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95.exe
"C:\Users\Admin\AppData\Local\Temp\7f29b947179c3a396bececffe1ffbe5e00db15a0016eff06725df585912a5a95.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:372
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5072
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4776
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:5108
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2464
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
2.3MB

MD5
92800b822c9384d7962af9fc7ab9a2a4

SHA1
752e0166b254a4d61dbdfc1229e7276c623f1e6a

SHA256
4eb87c18cd0049fc5081bbf59bbc2eeb5365db2964c1c1c43f5bcfae7a23aa0b

SHA512
93aa46e82cb58fd74fffd9fb5d2c735dd4f4de185e1e244bd307ebffd65dd41c0b41fe30f93cbc44552f32fb5eded8a303ac6ee5ef8ccd563b10fc1b489db979

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
2.3MB

MD5
ab93c6044b61eead733666ea83a13baf

SHA1
0033cd59df2eaf87878309f59b6e98cf95025ed7

SHA256
bbbd9aff50691c5550fbc40d054f8beb617abd03fa2d9df52fbf494f6d2af769

SHA512
7c304683a0d44b773601951d87b43465f8f8d6482dc4682dee8cd6f33a2d0c2bdb02406165549a5e677ef0e645a398c8b63e0b1d7cc2395f332d4d3ec7fb810c

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
2.3MB

MD5
6d1d8484c6da85eafbe60a1a0c47dfa4

SHA1
6947aea38a74b1d500ce8844207394ad101a9e75

SHA256
191a00332dc99e801385d4da552f2a1e8125a6d3accc7f26c8f2c2e4ba4c2ebb

SHA512
2309c898a3601ffc64a52327898a00f93bc96bdbe06abe1fca182f92f73ca573bd65f4aef75b28bd2d2205e9299bffd3fff4dfee03f4f5f953b52f86de189fd6

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
2.3MB

MD5
98e5f0ee29f6441e14d441c746615154

SHA1
ee1d2e1ee5940f2ad1cd84ee660d4ecdb0d50fb1

SHA256
c711789f7c0eee87f412955f63965987736f264d5e104998e554e11335fee448

SHA512
79efd248fd2d58da68f5fcccbc449f64b4178fbbfd29ff0f66bfc9086466aabc9ac3b4b0c3dab8dd33a04343f790642e3316a194b6066d953b15af8154ab85cd

Download Submit
memory/372-44-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/372-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/372-0-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/372-46-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2292-45-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2292-20-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/2292-21-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2292-43-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/4088-66-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/4088-64-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/4088-30-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/4088-76-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/4088-58-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/4088-74-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/4088-49-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/4088-70-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/4088-68-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/4088-52-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/4088-56-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/4088-54-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/4088-62-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/4776-35-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/4776-40-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/5072-57-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/5072-67-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/5072-61-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/5072-55-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/5072-53-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/5072-63-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/5072-10-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/5072-65-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/5072-51-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/5072-59-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/5072-69-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/5072-50-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/5072-71-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/5072-73-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/5072-48-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download
memory/5072-11-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/5072-75-0x0000000000400000-0x0000000000C8A000-memory.dmp

Filesize
8.5MB

Download