1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe
Size

206KB
MD5

57eb5252c1c32b79c0a8a159d3746ed4
SHA1

363a253435345172a4e93e2e9b5e697bd9026f33
SHA256

1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a
SHA512

12e01bb5e4cd0778ddfeb89a49cfc01459d99a8607798c09d037abd754397d0a02f80acf30a6ac7069b1b58219328ca799a2e854cf50bcd31a768eed5ff2cccc
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unl:zvEN2U+T6i5LirrllHy4HUcMQY6e

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2476	explorer.exe
2060	spoolsv.exe
2800	svchost.exe
2684	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2952	1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe
2952	1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe
2476	explorer.exe
2476	explorer.exe
2060	spoolsv.exe
2060	spoolsv.exe
2800	svchost.exe
2800	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2800	svchost.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe
2476	explorer.exe
2800	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2476	explorer.exe
2800	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2952	1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe
2952	1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe
2476	explorer.exe
2476	explorer.exe
2060	spoolsv.exe
2060	spoolsv.exe
2800	svchost.exe
2800	svchost.exe
2684	spoolsv.exe
2684	spoolsv.exe
2476	explorer.exe
2476	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2476	2952	1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe	28
PID 2952 wrote to memory of 2476	2952	1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe	28
PID 2952 wrote to memory of 2476	2952	1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe	28
PID 2952 wrote to memory of 2476	2952	1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe	28
PID 2476 wrote to memory of 2060	2476	explorer.exe	29
PID 2476 wrote to memory of 2060	2476	explorer.exe	29
PID 2476 wrote to memory of 2060	2476	explorer.exe	29
PID 2476 wrote to memory of 2060	2476	explorer.exe	29
PID 2060 wrote to memory of 2800	2060	spoolsv.exe	30
PID 2060 wrote to memory of 2800	2060	spoolsv.exe	30
PID 2060 wrote to memory of 2800	2060	spoolsv.exe	30
PID 2060 wrote to memory of 2800	2060	spoolsv.exe	30
PID 2800 wrote to memory of 2684	2800	svchost.exe	31
PID 2800 wrote to memory of 2684	2800	svchost.exe	31
PID 2800 wrote to memory of 2684	2800	svchost.exe	31
PID 2800 wrote to memory of 2684	2800	svchost.exe	31
PID 2800 wrote to memory of 2688	2800	svchost.exe	32
PID 2800 wrote to memory of 2688	2800	svchost.exe	32
PID 2800 wrote to memory of 2688	2800	svchost.exe	32
PID 2800 wrote to memory of 2688	2800	svchost.exe	32
PID 2800 wrote to memory of 304	2800	svchost.exe	36
PID 2800 wrote to memory of 304	2800	svchost.exe	36
PID 2800 wrote to memory of 304	2800	svchost.exe	36
PID 2800 wrote to memory of 304	2800	svchost.exe	36
PID 2800 wrote to memory of 2900	2800	svchost.exe	38
PID 2800 wrote to memory of 2900	2800	svchost.exe	38
PID 2800 wrote to memory of 2900	2800	svchost.exe	38
PID 2800 wrote to memory of 2900	2800	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe
"C:\Users\Admin\AppData\Local\Temp\1db8c87ffb3f7291885afe5d9be823bb4ddd7825fa4d09e32e530eaca43edc8a.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2476
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2684
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:304
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
026bfe5558693e70c472124e0889a715

SHA1
fb7eb26571de5c91d39a05a747c5e8ba8ef39309

SHA256
1d60ddcf55785a1684b70603f8c98a3789b45d9597483203579c9524e02c8a7d

SHA512
85360bf9cb261bf34a4268f49c49e5b2fe47140b4234b811ced80afdff7ee7b6b7ae3c0c4ec6dadff3388b114653139542d3749ec095fa0335982ccb2de3601b

Download Submit
\??\PIPE\atsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
294749d83d5642d3436f5a12c5727246

SHA1
4803bf17b2447303a30c8fd1560dfedd8d04bd00

SHA256
7ac8d819bf2f56341d2f9a4e9c9eda9c91cca5e7c86ee1ed544e16941abb315d

SHA512
4479fc2120c6c912ce657361d155ff3f6c4c96dedc35f29dd82bc5b0f92d89a29d076eb9a20a786d10240993b939ddab1365e0f855f9c52b6128a9907eaeb08f

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
4932e63608d9ffec5b84b388b4141e19

SHA1
0e550f1ad717aba44bb6e937711bef096f40310a

SHA256
0cdf3f00e0fff630de09be55dd52f403357339f02e33c5761d29a6c2b8ae14c9

SHA512
851161477c166bf674b5feb3a22aec3ea56e4d9b813c7fb9ecd422c328cd354331e865a8969989b8a537575457dd769596210f0620bd71a78e39d60913852698

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
2a6972c5dd1351a68058f38e67d75173

SHA1
80cac6b7db87f806072541c9d5d267a55fcdd1ed

SHA256
b6663e165679c10028f0d2c65978ec0e3424a4a758665d56cdf34771a8539e99

SHA512
5a3cb631072e735eee70fd946f4690bab9b1711f23e336e734506a9e129da3e3f49b8e7cbcc16d2d18eb6816fd0f4f3ce522bec45d693ead02a6d23e3a9d2f71

Download Submit