Malware Analysis Report

2024-07-28 15:31

Sample ID 240613-12exysscjd
Target 4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e
SHA256 4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e
Tags
evasion persistence
score
10/10

Analysis Overview

score
10/10

SHA256

4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e

Threat Level: Known bad

The file 4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:08

Reported

2024-06-13 22:11

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e.exe \??\c:\windows\system\explorer.exe
PID 2332 wrote to memory of 2620 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2620 wrote to memory of 2988 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2988 wrote to memory of 2464 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2988 wrote to memory of 2252 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2988 wrote to memory of 804 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2988 wrote to memory of 640 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e.exe

"C:\Users\Admin\AppData\Local\Temp\4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2128-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2128-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2128-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2128-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2128-2-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\explorer.exe

MD5 f09373231e6c51abe0b5a30ba7f4a0bb
SHA1 58a7e8fec040f5864efa4dfb5a41495b809d061a
SHA256 cb84d83ef4c2afceb40e80dd74fd13871d7bfb31468bf38fc7af02db2c9f4c3f
SHA512 48d79cb81e868a984c472a4874d658ebd15a9ca7596b00653d39a7790d4c4df831a65727059609d849ba0c5d9f7462984983baf1927f86b133b01b15bfb46829

memory/2128-16-0x00000000023D0000-0x0000000002401000-memory.dmp

memory/2332-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2332-19-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2332-25-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 5c0ed9fc4f492b8d1a5c882490a61761
SHA1 bfa69efcfe4bec7df58a2081db848edba7c22bfd
SHA256 fddf98e43ec69fc1c3ff32bf6c4d039f035fab3b86216f590db0681f1521177a
SHA512 1611905329d3cf617033b461cd5e97978887e4487074510b627d85b16594fc9611d3b045c69994e113a554a5751ae67934bfcafcd1ac3c7518d6107fc73418f5

memory/2332-30-0x00000000032D0000-0x0000000003301000-memory.dmp

memory/2620-36-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2620-40-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 c09f87c68ecfcfa0315d144e9c3c3b1d
SHA1 c2a5884ba3f84e52240ebf5d0960dce90a09ea0f
SHA256 27956563961af274ed5a0c87071fab07bc9a58e1aaeab512daa619f313921755
SHA512 813db8860f634f9300310ff06d85d6511d559a066e4d78a8578ec33682f564a5bb8d99f299ad3cea922350232cbd0de94a0db726536c013184a16fe8aa935461

memory/2988-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2620-52-0x0000000001E90000-0x0000000001EC1000-memory.dmp

memory/2988-54-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2128-62-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2988-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2988-64-0x00000000024F0000-0x0000000002521000-memory.dmp

memory/2332-66-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2464-67-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2464-73-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2128-79-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2128-78-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2620-77-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 7781fc28e9cfc7f5f8c7d8fbc251a2ab
SHA1 4b8aad8b58fd52145af92ba5bcfb8a0a779021ce
SHA256 78042b9696a997d75b4bab05d0f92ebf11c2a5f42dbd66df6f98784a27a3e48c
SHA512 da2179218a6d5785b133a521e782de3e867a8873fbb58d03a5c43b35399708023d014e711cbea6d17263610539f8379560ad147e9cd6debd4844c6183de25487

memory/2332-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2988-82-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2332-91-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:08

Reported

2024-06-13 22:11

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3448 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e.exe \??\c:\windows\system\explorer.exe
PID 2904 wrote to memory of 3032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3032 wrote to memory of 1028 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1028 wrote to memory of 3724 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1028 wrote to memory of 3392 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1028 wrote to memory of 4728 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1028 wrote to memory of 4364 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e.exe

"C:\Users\Admin\AppData\Local\Temp\4230c744b44b026252ec0961b884a77e164ceae1eec514e0b724c223afbdd90e.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:8

C:\Windows\SysWOW64\at.exe

at 22:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Files

memory/3448-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3448-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3448-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3448-5-0x0000000000401000-0x000000000042E000-memory.dmp

memory/3448-2-0x00000000755F0000-0x000000007574D000-memory.dmp

C:\Windows\System\explorer.exe

MD5 a5c4f007ed066cd3a3be49449f262d73
SHA1 4fca605b70c767e465879f09cbc91b6f41924a4e
SHA256 9a4b1b367248e118aeac3fab6c62dd08ac05c967a8bbe47fe0954b6a68242c79
SHA512 91f4322e7c5cf69fb6559b4199c920b91d18d9b9d5ac6dd5b3e47484cc541df481719d0d514aad48845ea463456770f4a789f6a1089435894b8ce8544756259b

memory/2904-14-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2904-15-0x00000000755F0000-0x000000007574D000-memory.dmp

memory/2904-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2904-18-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 5c3e728f1b50ecb00507d20685634e52
SHA1 13e056ba82edcaf43be0313f250b85e0b0273bf0
SHA256 9c5f0f661ee1049f8e4b8655e70e3ece6be9659acdea82ddc8091fdc93ddf27c
SHA512 34eecd7d5aa9fe97538e8996f35a80c1e504e61067a4a51c7dc1010c4c169d5634416724d8de5eebf3c76ff3022c75ff79e6e978b6b8411414952b1f057d30fa

memory/3032-26-0x00000000755F0000-0x000000007574D000-memory.dmp

memory/3032-31-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 c3d6909e4855d9bdf1c2b5642f193143
SHA1 95741ffbefc9e2fb046b1a6a3bd508ccd301e8e6
SHA256 368c12ee5a01e241defd29e94dd0a665f585d2f72f30800a00b05f5f31eb4e08
SHA512 1bf11dc54797a26f05507b433149683c02d2a36b84e6195867885d6dcea146b7d4c5348b374187c78dbe03e46a1f36fe968414096b5dbb64cfe82bcccd3e55ea

memory/1028-37-0x00000000755F0000-0x000000007574D000-memory.dmp

memory/1028-43-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1028-42-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3448-45-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3724-46-0x00000000755F0000-0x000000007574D000-memory.dmp

memory/3724-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3032-56-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3448-60-0x0000000000401000-0x000000000042E000-memory.dmp

memory/3448-59-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 7b1eb5e40eb090b6883c667152fb7910
SHA1 2a9d815b6354b7cd28434a0801e25e89dfc88e33
SHA256 bf51abb0835af61962e127020009f5cfa9075b489ea3f7c885c38ee4458d07ea
SHA512 d59566db6ebb253576db51da86baba5ef3eebe4c0f5414d99c9f24c3c0168b27c7b19410e830220872ae104680b3715fbd1c27007bbb698f5636b4ad73b20314

memory/2904-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1028-63-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2904-72-0x0000000000400000-0x0000000000431000-memory.dmp