Malware Analysis Report

2024-09-09 19:16

Sample ID 240613-1qvh9svgmj
Target 3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295
SHA256 3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295

Threat Level: Known bad

The file 3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 21:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 21:51

Reported

2024-06-13 21:54

Platform

win7-20240508-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe \??\c:\windows\system\explorer.exe
PID 2400 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe \??\c:\windows\system\explorer.exe
PID 2400 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe \??\c:\windows\system\explorer.exe
PID 2400 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe \??\c:\windows\system\explorer.exe
PID 2616 wrote to memory of 1212 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2616 wrote to memory of 1212 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2616 wrote to memory of 1212 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2616 wrote to memory of 1212 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1212 wrote to memory of 2520 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1212 wrote to memory of 2520 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1212 wrote to memory of 2520 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1212 wrote to memory of 2520 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2520 wrote to memory of 2912 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2520 wrote to memory of 2912 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2520 wrote to memory of 2912 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2520 wrote to memory of 2912 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2520 wrote to memory of 1544 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2520 wrote to memory of 1544 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2520 wrote to memory of 1544 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2520 wrote to memory of 1544 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2520 wrote to memory of 2244 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2520 wrote to memory of 2244 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2520 wrote to memory of 2244 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2520 wrote to memory of 2244 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2520 wrote to memory of 2332 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2520 wrote to memory of 2332 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2520 wrote to memory of 2332 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2520 wrote to memory of 2332 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe

"C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 21:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 21:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 21:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2400-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2400-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2400-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2400-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2400-3-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\explorer.exe

MD5 a5fc1d70053209055b41becff72af955
SHA1 41589cfa25e4bc14b3f161cfcc6a4b3c2cabfcab
SHA256 6c0a2a68e6c3e0edb4474f441de452cfb8b9adaaac4508d059cd9d8b27b41724
SHA512 7903d9979fe322bf23fc412d19f863a633a1011edb44015df25cda9f8e787c9b1c7d088ce46dd101805b2455dcd8706e6fc4cba668ac30bab8f67914f6b512b9

memory/2616-19-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2616-21-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2616-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2400-17-0x0000000002C40000-0x0000000002C71000-memory.dmp

\Windows\system\spoolsv.exe

MD5 e39b9c4e8a0ce799355eb7188fe45907
SHA1 ccb04e979281d87d1b9e48f52f23ba3b43ffca08
SHA256 f99c5af73022c484a6c1e75209b69d2aa311924f51c0f79ec381a2b55217520c
SHA512 69495d4b46fe482b808438dfc0ef1d9191b812474c2cde6384cb5192c12b0d4b9f5f712f6faf96bfc2406b690e6fc6b74f5cae7177529860e7a5cabe25ecd0ac

memory/2616-36-0x00000000030C0000-0x00000000030F1000-memory.dmp

memory/2616-35-0x00000000030C0000-0x00000000030F1000-memory.dmp

memory/1212-37-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1212-41-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 fe640a4781cdd477d7655fb6a56fb822
SHA1 7b21db82949d4d6b07fd45a4453d9497639f7c88
SHA256 e8f0cd9d47cfeb3d523607787bb1e40f3b317897df7a76c3d990e435bbc811d7
SHA512 17c16dfec1380584e6b6367eb12cb42b7be8ee80845b5aea50bc6d8d3621b44a397a5ae94b0da65c0d68f7526105cda90b7a56cf20a54b60f5a4cb3431116d2c

memory/2520-53-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2520-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2520-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1212-57-0x00000000024F0000-0x0000000002521000-memory.dmp

memory/2400-65-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2912-66-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2912-71-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2400-75-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1212-77-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2400-76-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 eb68bc6c7978c514565c012d109fe934
SHA1 0fac437150953033551b54cd9248f3f4b8b51ab3
SHA256 dc39df3da947de08970c564422b953acc639266373911726fb4cb00053848c3e
SHA512 23ae8ed01958894b8f89fddacd8dc275698b56a611565133f9fb187bf278ad56d6e31e83d85edf00bd9d595e72703c357a198cb572a65dca360e93ac373b45d7

memory/2616-79-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2520-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2616-90-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 21:51

Reported

2024-06-13 21:54

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
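The registry writes above are identical in both runs (behavioral1 on Windows 7, behavioral2 on Windows 10) and make up the sample's persistence and evasion set. Winlogon's Shell value is rewritten to a comma-separated pair, and because Winlogon launches every entry in that list the real Explorer starts first and the copy in c:\windows\system\ starts with it. Two Active Setup Installed Components entries whose key names are not valid GUIDs (they contain letters outside 0-9A-F) point StubPath at %AppData%\mrsys.exe, so the stub runs once for each user at their next logon. RunOnce re-registers the explorer.exe and svchost.exe copies, and ShowSuperHidden is forced to 0 so Explorer keeps protected operating-system files hidden. The following added example, which is not code from the report or from the sandbox vendor, encodes those four checks as rules over event records constructed from the rows above; the accepted shell values, the user-writable directory list and the suspect-directory list are assumptions to tune, and only value writes are evaluated (Key created/deleted rows are ignored).

```python
"""Registry persistence/evasion rules for the 'Set value' rows in this report.

Added example, not part of the sandbox report. SAMPLE_WRITES is constructed
from the behavioral1/behavioral2 signature rows; the allow-lists and the
directory lists are assumptions a defender would tune for their own fleet.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Winlogon launches every comma-separated entry in Shell; a stock system has
# exactly one. Both spellings are accepted as the legitimate shell (assumed).
ALLOWED_SHELL = {"explorer.exe", "c:\\windows\\explorer.exe"}
# Active Setup component keys are GUIDs: 8-4-4-4-12 hex digits, nothing else.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$")
# Directories any interactive user can write to; no HKLM autorun belongs there.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Legacy %SystemRoot%\system is not where OS executables live (assumed list).
SUSPECT_DIRS = ("c:\\windows\\system\\",)


@dataclass(frozen=True)
class RegWrite:
    key_path: str  # NT-native path exactly as the sandbox logs it, value name last
    data: str      # value data as logged (strings escaped, ints quoted)
    process: str   # image of the writing process


def normalise_key(path: str) -> str:
    """Lower-case, drop the WOW64 node and the per-user SID so one rule
    matches both registry views and any user hive."""
    p = path.lower().replace("\\wow6432node", "")
    p = re.sub(r"^\\registry\\machine\\", r"hklm\\", p)
    p = re.sub(r"^\\registry\\user\\s-1-5-21-[0-9-]+\\", r"hku\\<sid>\\", p)
    return p


def normalise_data(data: str) -> str:
    """Undo the report's quoting, backslash doubling and NT path prefix."""
    return data.strip('"').lower().replace("\\\\", "\\").replace("\\??\\", "")


def evaluate(ev: RegWrite) -> list[str]:
    """Return zero or more ATT&CK-tagged findings for one registry write."""
    key, data = normalise_key(ev.key_path), normalise_data(ev.data)
    findings: list[str] = []

    if key.endswith("\\windows nt\\currentversion\\winlogon\\shell"):
        extra = [e.strip() for e in data.split(",") if e.strip() not in ALLOWED_SHELL]
        if extra:
            findings.append(f"T1547.004 Winlogon Shell chained with {extra}")

    m = re.search(r"\\active setup\\installed components\\(\{[^}]+\})\\stubpath$", key)
    if m:
        guid = m.group(1)
        if not GUID_RE.match(guid):
            findings.append(f"T1547.014 Active Setup component key is not a GUID: {guid}")
        if any(d in data for d in USER_WRITABLE):
            findings.append(f"T1547.014 Active Setup StubPath in user-writable dir: {data}")

    if re.search(r"\\currentversion\\run(?:once)?\\", key) and (
        data.startswith(SUSPECT_DIRS) or any(d in data for d in USER_WRITABLE)
    ):
        findings.append(f"T1547.001 Run/RunOnce entry from suspicious dir: {data}")

    if key.endswith("\\explorer\\advanced\\showsuperhidden") and data == "0":
        findings.append("T1564.001 ShowSuperHidden set to 0 (protected OS files hidden)")

    return findings


def scan(writes: list[RegWrite]) -> dict[str, list[str]]:
    """Map each flagged value path to its findings; clean writes are omitted."""
    return {w.key_path: hits for w in writes if (hits := evaluate(w))}


SAMPLE_WRITES = [  # constructed from this report's rows; the last one is a benign control
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
             r'"C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"',
             r"\??\c:\windows\system\explorer.exe"),
    RegWrite(r"\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
             r'"0"', r"\??\c:\windows\system\explorer.exe"),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath",
             r'"C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"', r"\??\c:\windows\system\svchost.exe"),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
             r'"c:\\windows\\system\\svchost.exe RO"', r"\??\c:\windows\system\explorer.exe"),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             r'"explorer.exe"', r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_WRITES).items():
        print(path, *hits, sep="\n    ")
```

Running the module prints the four flagged value paths with their findings and stays silent on the stock Winlogon Shell write. The GUID check is the cheapest of the four to deploy fleet-wide: Active Setup keys created by Windows and by installers are always well-formed GUIDs, so a non-hex key name is a near-zero-false-positive indicator, whereas the directory rules need tuning for software that legitimately registers autoruns from ProgramData.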

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe \??\c:\windows\system\explorer.exe
PID 4804 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe \??\c:\windows\system\explorer.exe
PID 4804 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe \??\c:\windows\system\explorer.exe
PID 4932 wrote to memory of 1612 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4932 wrote to memory of 1612 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4932 wrote to memory of 1612 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1612 wrote to memory of 1520 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1612 wrote to memory of 1520 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1612 wrote to memory of 1520 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1520 wrote to memory of 2016 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1520 wrote to memory of 2016 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1520 wrote to memory of 2016 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1520 wrote to memory of 2976 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1520 wrote to memory of 2976 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1520 wrote to memory of 2976 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1520 wrote to memory of 4004 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1520 wrote to memory of 4004 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1520 wrote to memory of 4004 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1520 wrote to memory of 3360 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1520 wrote to memory of 3360 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1520 wrote to memory of 3360 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe

"C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 21:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 21:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 21:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
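The process chain is the same in both runs: the dropper writes c:\windows\system\explorer.exe and starts it; that copy starts spoolsv.exe with the argument SE, which starts svchost.exe, which in turn starts spoolsv.exe PR and three at.exe invocations scheduling svchost.exe for 21:53, 21:54 and 21:55 on every day of the week (the one-token arguments SE, PR, RO and MR appear to select the role each copy plays). Two things a responder should take from it. First, the image names are those of core Windows processes, but the directory is the legacy c:\windows\system\, where none of these binaries belongs, so the path rather than the name is the discriminator. Second, the dropped copies have different hashes in the two runs (compare the Files sections), so the per-run MD5/SHA values identify this detonation rather than the family, and hunting should key on paths and behaviour. at.exe has been deprecated in favour of schtasks.exe since Windows 8, yet the Windows 10 run issues the same three commands and opens the \??\PIPE\atsvc RPC pipe, so a hunt should cover both legacy at jobs and Task Scheduler tasks. The added example below, which is not code from the report or from the sandbox vendor, constructs the behavioral1 tree from the Processes and WriteProcessMemory rows (parents inferred from which process wrote into which) and applies a path-based masquerading rule plus an at command-line parser; CANONICAL is an assumed map of where these binaries live on a stock 64-bit install.

```python
"""Process-tree and at-job checks for the detonation chain in this report.

Added example, not part of the sandbox report. SAMPLE_TREE is constructed
from the behavioral1 Processes and WriteProcessMemory rows, with parents
inferred from which process wrote into which. CANONICAL is an assumed map
of where these binaries live on a stock 64-bit install.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

CANONICAL = {
    "explorer.exe": {"c:\\windows\\explorer.exe", "c:\\windows\\syswow64\\explorer.exe"},
    "svchost.exe": {"c:\\windows\\system32\\svchost.exe", "c:\\windows\\syswow64\\svchost.exe"},
    "spoolsv.exe": {"c:\\windows\\system32\\spoolsv.exe"},
}
# 'at HH:MM [/interactive] [/every:days] <command>', the shape used by the sample.
AT_RE = re.compile(r"^at\s+(?P<time>\d{1,2}:\d{2})\s+(?P<flags>(?:/\S+\s+)*)(?P<target>.+?)\s*$", re.I)


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    ppid: int | None = None


@dataclass(frozen=True)
class AtJob:
    time: str
    interactive: bool
    days: tuple[str, ...]
    target: str


def clean(path: str) -> str:
    """Lower-case and strip the NT object-manager prefix the sandbox logs."""
    return path.lower().removeprefix("\\??\\")


def masquerade_path(image: str) -> str | None:
    """T1036.005: a core OS binary name running outside its canonical directory."""
    img = clean(image)
    name = img.rsplit("\\", 1)[-1]
    if name in CANONICAL and img not in CANONICAL[name]:
        return f"T1036.005 {name} running from {img}"
    return None


def parse_at(cmdline: str) -> AtJob | None:
    """Parse an at.exe scheduling command line; None if it is not one."""
    m = AT_RE.match(cmdline.strip())
    if not m:
        return None
    flags = m.group("flags").split()
    days: tuple[str, ...] = ()
    for f in flags:
        if f.lower().startswith("/every:"):
            days = tuple(f.split(":", 1)[1].split(","))
    interactive = any(f.lower() == "/interactive" for f in flags)
    return AtJob(m.group("time"), interactive, days, m.group("target"))


def triage(tree: list[Proc]) -> list[str]:
    """One pass over the tree: masquerading hits and T1053.002 at jobs."""
    by_pid = {p.pid: p for p in tree}
    out: list[str] = []
    for p in tree:
        parent = by_pid.get(p.ppid)
        via = clean(parent.image) if parent else "?"
        if hit := masquerade_path(p.image):
            out.append(f"{hit} (pid {p.pid}, parent {via})")
        if clean(p.image).endswith("\\at.exe") and (job := parse_at(p.cmdline)):
            note = " [target masquerades]" if masquerade_path(job.target) else ""
            out.append(f"T1053.002 at job {job.time} every {','.join(job.days)} "
                       f"-> {job.target} via {via}{note}")
    return out


SAMPLE_TREE = [  # constructed from the behavioral1 rows; pid 1000 is a benign control
    Proc(2400, r"C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\3b0a10835b3a8ff47ac632a1cf94a13f0c234579d0e765744111780c0a1cf295.exe"'),
    Proc(2616, r"\??\c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe", 2400),
    Proc(1212, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE", 2616),
    Proc(2520, r"\??\c:\windows\system\svchost.exe", r"c:\windows\system\svchost.exe", 1212),
    Proc(2912, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe PR", 2520),
    Proc(1544, r"C:\Windows\SysWOW64\at.exe", r"at 21:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe", 2520),
    Proc(2244, r"C:\Windows\SysWOW64\at.exe", r"at 21:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe", 2520),
    Proc(2332, r"C:\Windows\SysWOW64\at.exe", r"at 21:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe", 2520),
    Proc(1000, r"C:\Windows\explorer.exe", "explorer.exe", 900),
]

if __name__ == "__main__":
    print(*triage(SAMPLE_TREE), sep="\n")
```

Run as a script it lists four masquerading hits (the explorer.exe, both spoolsv.exe and the svchost.exe copies) and three at jobs, each marked because the scheduled target itself fails the path check; the real Explorer at pid 1000 and the dropper, whose name matches nothing in CANONICAL, produce nothing. The at finding carries the parent image so an analyst sees at once that the job was scheduled by a fake svchost.exe rather than by an administrator's shell.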

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

The only traffic in the 51s network window is a reverse (PTR) lookup of the resolver's own address; no other outbound connection was observed in either run (behavioral1 recorded none), so this report yields no network indicators.

Files

memory/4804-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4804-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/4804-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4804-2-0x0000000075940000-0x0000000075A9D000-memory.dmp

memory/4804-4-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 0b3e0d2c0c8ba3a4f887eeda19a3f179
SHA1 79e37a5559199f485ba2d01a65b846e92b14e522
SHA256 c112ccd05e2eef2ff000c73b4e206c775c4ef8c3e892167ffc3b57052f9333cd
SHA512 8cc9291c104d882e3d5827f766cbd54a9824ab0e7ec5ba8918d4ecb60c90f9cd990cacec7f2c1e6906a3cac43e80cf8dff7a12b42061b624811cbf8bcd91a564

memory/4932-13-0x0000000075940000-0x0000000075A9D000-memory.dmp

memory/4932-15-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 7046cbdb486a24382d76f5928c8fe31b
SHA1 8f12206d061fe780ee02e1edea4c844ce2427335
SHA256 48cc5ecf542639283009bf726a711caa4b368346d71f8bde45a9ea269c25e9ba
SHA512 138ee553f4a2e68b93d86a2b79c86a017ea0e9c7de49f2f43d288cf6477a58e98986f8cc024fc543c31e740dd03faf40c42371ca7d7b50fe3724d28c8fa7d371

memory/1612-24-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1612-25-0x0000000075940000-0x0000000075A9D000-memory.dmp

C:\Windows\System\svchost.exe

MD5 6326ccc1531cbbe27136d429dc2623c7
SHA1 157082a47876c58cb76d97c52ce22c3933206f09
SHA256 e21a871782739cfcd621416b92f352039cfeb0558ac9572fbfd83d7221872a7a
SHA512 cb034eb5fd1bb06acab189d0ef7e066b0a9dc96b4fe0bdbfb2ebfd66ea2494cfbc3527fb17c5dfc14cb949caf8d65d5714b3aa0af6bbe750c6b7480b82f1d7cd

memory/1520-35-0x0000000075940000-0x0000000075A9D000-memory.dmp

memory/2016-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2016-42-0x0000000075940000-0x0000000075A9D000-memory.dmp

memory/2016-48-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1612-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4804-53-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 25e28d1207f47de57f7e129ccd882194
SHA1 b03d838997c96d82c5860aaa9199b7652d46328d
SHA256 dab68783962322baef619c7e4309960fb1d28c4bfd33cd308ac3163f638df7a9
SHA512 33e57366d719afbec2901cf5a3909358256fead40784825d2483eef0da7ce9da7c04d05675d54af7958ccab9fad4db0d5cedc02f6d76a2744cea3983fecd1775

memory/4804-55-0x0000000000401000-0x000000000042E000-memory.dmp

memory/4932-56-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1520-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4932-67-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These are the digests of empty input (the MD5, SHA-1, SHA-256 and SHA-512 of a zero-length byte string). The entry records the atsvc RPC named pipe (the scheduler's legacy AT interface) that at.exe opened to submit the three jobs, not a dropped file, so these hash values must not be used as indicators.