7634cd402846900e69435d1161ea9317c0cc72f8a63992006cc0833764b486ae

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7634cd402846900e69435d1161ea9317c0cc72f8a63992006cc0833764b486ae.exe
Size

216KB
MD5

82980df5841ac2c05270f6e82134cd9a
SHA1

623e1d9f2f389d4732f53a053ebf1a7ae0b6a2a8
SHA256

7634cd402846900e69435d1161ea9317c0cc72f8a63992006cc0833764b486ae
SHA512

33985729a1b36bda9e59cd9eef4224d37c2125a23366a604b5b2778e79702f970dcaf1d3ac5020201ebb534ae6547e83100927dacf6d2d41060f85f4d96dd539
SSDEEP

3072:7vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6uBL9iA:7vEN2U+T6i5LirrllHy4HUcMQY6C9iA

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2064	explorer.exe
2668	spoolsv.exe
2524	svchost.exe
2608	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2196	7634cd402846900e69435d1161ea9317c0cc72f8a63992006cc0833764b486ae.exe
2196	7634cd402846900e69435d1161ea9317c0cc72f8a63992006cc0833764b486ae.exe
2064	explorer.exe
2064	explorer.exe
2668	spoolsv.exe
2668	spoolsv.exe
2524	svchost.exe
2524	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	7634cd402846900e69435d1161ea9317c0cc72f8a63992006cc0833764b486ae.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	7634cd402846900e69435d1161ea9317c0cc72f8a63992006cc0833764b486ae.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2524	svchost.exe
2524	svchost.exe
2064	explorer.exe
2524	svchost.exe
2064	explorer.exe
2064	explorer.exe
2524	svchost.exe
2524	svchost.exe
2064	explorer.exe
2064	explorer.exe
2524	svchost.exe
2524	svchost.exe
2064	explorer.exe
2064	explorer.exe
2524	svchost.exe
2524	svchost.exe
2064	explorer.exe
2064	explorer.exe
2524	svchost.exe
2524	svchost.exe
2064	explorer.exe
2064	explorer.exe
2524	svchost.exe
2524	svchost.exe
2064	explorer.exe
2064	explorer.exe
2524	svchost.exe
2524	svchost.exe
2064	explorer.exe
2524	svchost.exe
2064	explorer.exe
2064	explorer.exe
2524	svchost.exe
2524	svchost.exe
2064	explorer.exe
2524	svchost.exe
2064	explorer.exe
2064	explorer.exe
2524	svchost.exe
2064	explorer.exe
2524	svchost.exe
2524	svchost.exe
2064	explorer.exe
2064	explorer.exe
2524	svchost.exe
2524	svchost.exe
2064	explorer.exe
2524	svchost.exe
2064	explorer.exe
2064	explorer.exe
2524	svchost.exe
2524	svchost.exe
2064	explorer.exe
2524	svchost.exe
2064	explorer.exe
2064	explorer.exe
2524	svchost.exe
2064	explorer.exe
2524	svchost.exe
2064	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2064	explorer.exe
2524	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2196	7634cd402846900e69435d1161ea9317c0cc72f8a63992006cc0833764b486ae.exe
2196	7634cd402846900e69435d1161ea9317c0cc72f8a63992006cc0833764b486ae.exe
2064	explorer.exe
2064	explorer.exe
2668	spoolsv.exe
2668	spoolsv.exe
2524	svchost.exe
2524	svchost.exe
2608	spoolsv.exe
2608	spoolsv.exe
2064	explorer.exe
2064	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2064	2196	7634cd402846900e69435d1161ea9317c0cc72f8a63992006cc0833764b486ae.exe	28
PID 2196 wrote to memory of 2064	2196	7634cd402846900e69435d1161ea9317c0cc72f8a63992006cc0833764b486ae.exe	28
PID 2196 wrote to memory of 2064	2196	7634cd402846900e69435d1161ea9317c0cc72f8a63992006cc0833764b486ae.exe	28
PID 2196 wrote to memory of 2064	2196	7634cd402846900e69435d1161ea9317c0cc72f8a63992006cc0833764b486ae.exe	28
PID 2064 wrote to memory of 2668	2064	explorer.exe	29
PID 2064 wrote to memory of 2668	2064	explorer.exe	29
PID 2064 wrote to memory of 2668	2064	explorer.exe	29
PID 2064 wrote to memory of 2668	2064	explorer.exe	29
PID 2668 wrote to memory of 2524	2668	spoolsv.exe	30
PID 2668 wrote to memory of 2524	2668	spoolsv.exe	30
PID 2668 wrote to memory of 2524	2668	spoolsv.exe	30
PID 2668 wrote to memory of 2524	2668	spoolsv.exe	30
PID 2524 wrote to memory of 2608	2524	svchost.exe	31
PID 2524 wrote to memory of 2608	2524	svchost.exe	31
PID 2524 wrote to memory of 2608	2524	svchost.exe	31
PID 2524 wrote to memory of 2608	2524	svchost.exe	31
PID 2524 wrote to memory of 2512	2524	svchost.exe	32
PID 2524 wrote to memory of 2512	2524	svchost.exe	32
PID 2524 wrote to memory of 2512	2524	svchost.exe	32
PID 2524 wrote to memory of 2512	2524	svchost.exe	32
PID 2524 wrote to memory of 2192	2524	svchost.exe	36
PID 2524 wrote to memory of 2192	2524	svchost.exe	36
PID 2524 wrote to memory of 2192	2524	svchost.exe	36
PID 2524 wrote to memory of 2192	2524	svchost.exe	36
PID 2524 wrote to memory of 2168	2524	svchost.exe	38
PID 2524 wrote to memory of 2168	2524	svchost.exe	38
PID 2524 wrote to memory of 2168	2524	svchost.exe	38
PID 2524 wrote to memory of 2168	2524	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\7634cd402846900e69435d1161ea9317c0cc72f8a63992006cc0833764b486ae.exe
"C:\Users\Admin\AppData\Local\Temp\7634cd402846900e69435d1161ea9317c0cc72f8a63992006cc0833764b486ae.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2064
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2608
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
216KB

MD5
80a0f66c4d705a89bfbe8665ea6768b4

SHA1
74a342a1f6ddf0170c291d4d4943e9d880c62d64

SHA256
3b957fab22a7e1be42719cf8af6c3f5324f82e8ec0593819aa5e861386947ba9

SHA512
e74a7d3c330c8affa57e76153c9e7282a8c3980e56fc4759a994e135b9d73dfe3d763e17da2934b622cae37b7a9ce07a40f1a27ae3a5ce7ceb5455ba899c97e4

Download Submit
\Windows\system\explorer.exe

Filesize
216KB

MD5
0187ef5b3f0c280ec9935105d0d118a9

SHA1
9ac8e133bf26e4ff07109d8d1f605c138139e058

SHA256
e2b42699181e5542433c1659b2d04a351ee5789865462e7812c64f9e6dc8ad6c

SHA512
e963fa9b80fc2ca29d34209d34d5f2fb67b01cc1cb2b664980a37f3f8eb1fcb3c3a108954b7dd659c6cb8551f423dd99d291c49778efbc260a1ed1f665dcdc13

Download Submit
\Windows\system\spoolsv.exe

Filesize
216KB

MD5
86027ce5c476429e39965bc9a1430bc5

SHA1
da8e2fab650c704350d5cb4b380424c99ae1ec62

SHA256
69ade3cb6f69868851a0a23ca8e81b6367d829371c8888e4b9214b36e123fbc4

SHA512
87d128ef03c006f84e28e5b36604c28dbbc78fa2ad0231ea85d097ff830dab1c62014da3ff1521bd5e4e42e7b48a3250781960d8c5125ef77234c6f3d2d1c848

Download Submit
\Windows\system\svchost.exe

Filesize
216KB

MD5
7eac20e87206750fdc32035239443e13

SHA1
a6d5e2e88bc4f246c54cfc6cc9cd5faaffd55307

SHA256
e73bdfc304bdd2773397e365e6238a38bf5d9af33e420104197963fbb9dcd29b

SHA512
8516659ab504aefc214b1cc426b32e4168340ba0569db1c4cc2b69582325d13d7c1d2197ffe65ea05727afe2bba7d145a684badd264ebc7eb87156d2f6a0e5c9

Download Submit
memory/2064-27-0x00000000005F0000-0x0000000000621000-memory.dmp

Filesize
196KB

Download
memory/2196-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2196-8-0x0000000001E60000-0x0000000001E91000-memory.dmp

Filesize
196KB

Download
memory/2196-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2608-51-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2668-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download