475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593

General

Target

475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593.exe
Size

66KB
MD5

1afc4ee33eec9dae3545816ff451ba11
SHA1

6463f7d76707103aa29f65e289ba67a13e99afd9
SHA256

475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593
SHA512

943e194b4f42a756d3af8609771fad0a54ef190ae18889c8230447c3759957560dba54e0a2ae9b065f9c7a510bca6d71ae98c00a5abbaf95baa7e404aa7e329f
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiY:IeklMMYJhqezw/pXzH9iY

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

808 explorer.exe
2008 spoolsv.exe
220 svchost.exe
2560 spoolsv.exe

pid	process
808	explorer.exe
2008	spoolsv.exe
220	svchost.exe
2560	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593.exeexplorer.exesvchost.exe

pid	process
2944	475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593.exe
2944	475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593.exe
808	explorer.exe
808	explorer.exe
808	explorer.exe
808	explorer.exe
808	explorer.exe
808	explorer.exe
220	svchost.exe
220	svchost.exe
220	svchost.exe
220	svchost.exe
808	explorer.exe
808	explorer.exe
220	svchost.exe
220	svchost.exe
808	explorer.exe
808	explorer.exe
220	svchost.exe
220	svchost.exe
808	explorer.exe
808	explorer.exe
220	svchost.exe
220	svchost.exe
808	explorer.exe
808	explorer.exe
220	svchost.exe
220	svchost.exe
808	explorer.exe
808	explorer.exe
220	svchost.exe
220	svchost.exe
808	explorer.exe
808	explorer.exe
220	svchost.exe
220	svchost.exe
808	explorer.exe
808	explorer.exe
220	svchost.exe
220	svchost.exe
808	explorer.exe
808	explorer.exe
220	svchost.exe
220	svchost.exe
808	explorer.exe
808	explorer.exe
220	svchost.exe
220	svchost.exe
808	explorer.exe
808	explorer.exe
220	svchost.exe
220	svchost.exe
808	explorer.exe
808	explorer.exe
220	svchost.exe
220	svchost.exe
808	explorer.exe
808	explorer.exe
220	svchost.exe
220	svchost.exe
808	explorer.exe
808	explorer.exe
220	svchost.exe
220	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

808 explorer.exe
220 svchost.exe

pid	process
808	explorer.exe
220	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2944	475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593.exe
2944	475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593.exe
808	explorer.exe
808	explorer.exe
2008	spoolsv.exe
2008	spoolsv.exe
220	svchost.exe
220	svchost.exe
2560	spoolsv.exe
2560	spoolsv.exe
808	explorer.exe
808	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2944 wrote to memory of 808	2944	475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593.exe	explorer.exe
PID 2944 wrote to memory of 808	2944	475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593.exe	explorer.exe
PID 2944 wrote to memory of 808	2944	475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593.exe	explorer.exe
PID 808 wrote to memory of 2008	808	explorer.exe	spoolsv.exe
PID 808 wrote to memory of 2008	808	explorer.exe	spoolsv.exe
PID 808 wrote to memory of 2008	808	explorer.exe	spoolsv.exe
PID 2008 wrote to memory of 220	2008	spoolsv.exe	svchost.exe
PID 2008 wrote to memory of 220	2008	spoolsv.exe	svchost.exe
PID 2008 wrote to memory of 220	2008	spoolsv.exe	svchost.exe
PID 220 wrote to memory of 2560	220	svchost.exe	spoolsv.exe
PID 220 wrote to memory of 2560	220	svchost.exe	spoolsv.exe
PID 220 wrote to memory of 2560	220	svchost.exe	spoolsv.exe
PID 220 wrote to memory of 4316	220	svchost.exe	at.exe
PID 220 wrote to memory of 4316	220	svchost.exe	at.exe
PID 220 wrote to memory of 4316	220	svchost.exe	at.exe
PID 220 wrote to memory of 4860	220	svchost.exe	at.exe
PID 220 wrote to memory of 4860	220	svchost.exe	at.exe
PID 220 wrote to memory of 4860	220	svchost.exe	at.exe
PID 220 wrote to memory of 4556	220	svchost.exe	at.exe
PID 220 wrote to memory of 4556	220	svchost.exe	at.exe
PID 220 wrote to memory of 4556	220	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593.exe
"C:\Users\Admin\AppData\Local\Temp\475c1ab12499b9455ab64d12dc1b405dc4f09324f48b819cdc9f6537517a5593.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2944

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Windows\SysWOW64\at.exe
at 22:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:4316

C:\Windows\SysWOW64\at.exe
at 22:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:4860

C:\Windows\SysWOW64\at.exe
at 22:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:4556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
66KB

MD5
388aa20b8f39c9f0d7c6ee79b884c310

SHA1
b39a8c33e39c498695d370bf5e52591ce13c56e0

SHA256
aa9c19a2526b1fdf452424115d198540bcc3bb0ffd2022b8b81a386dad5df481

SHA512
ff7dcd9642fb2c0e68cba7559f39a20307fe82cf1b326d7c2b9e7a91c4c435fc8efd28d34c3585d766b08f36306ce357dada3c6d020a29fa1280d1acfe38088a

Download Submit
C:\Windows\System\explorer.exe
Filesize
66KB

MD5
15d13165dee194007b25f7872716e3c0

SHA1
d602cceb73842a3d62b8b68a66e9e13bc9928922

SHA256
0f9b44b4767ae9498255023ab1f9a272cb550aae3d6ef2f373a92b13cdd38086

SHA512
81ac2f5316a1ee9d14c11fee6a6f257dec4e93d61f11f706735995786beff1c2018984bd13a2524d6c18039e0499f23f6cf2ed22ef61c79efd4638ccfa1db3bd

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
66KB

MD5
538bace0e551b7559056366fe2621b55

SHA1
1e5f40364654d85aa18ca6362bb463f4d2cd2c98

SHA256
f11763b29fbf14379e81c05507e7907859a516cccd55f4ffb2375ecd35467796

SHA512
66b4d1d9460f50402da6ef392ea4ddd7b601c8e9d1b83f654180a12d46f32d397727dd93d1ed41cb5b8c187d82ff207a8333556915c1cf7bb5e53ede26c7934e

Download Submit
C:\Windows\System\svchost.exe
Filesize
66KB

MD5
a4df163255b9a36fcbd7651ac2614fe3

SHA1
da5c6338f636f10049907329c035cbc4cefaf99e

SHA256
1910d58f84aac141244915ea97e5e16b04a4001fb2a1c85573a3804a83ddbc2c

SHA512
294999db060d745341fdbac55660f773aa86b7391d29c8d53e0450d2befa62086856c5f54d8143cbd1dbf4fb33a189d33c2a575f7a7879df14cf60b98612def6

Download Submit
memory/220-59-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/220-36-0x0000000074E00000-0x0000000074F5D000-memory.dmp

Filesize
1.4MB

Download
memory/220-40-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/220-35-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/808-13-0x0000000074E00000-0x0000000074F5D000-memory.dmp

Filesize
1.4MB

Download
memory/808-16-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/808-68-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/808-57-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2008-52-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2008-25-0x0000000074E00000-0x0000000074F5D000-memory.dmp

Filesize
1.4MB

Download
memory/2008-24-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2560-43-0x0000000074E00000-0x0000000074F5D000-memory.dmp

Filesize
1.4MB

Download
memory/2560-48-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2944-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/2944-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2944-55-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2944-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2944-2-0x0000000074E00000-0x0000000074F5D000-memory.dmp

Filesize
1.4MB

Download
memory/2944-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2944-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads