Malware Analysis Report

2024-07-28 15:10

Sample ID 240613-1r3k9s1gne
Target 3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791
SHA256 3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791

Threat Level: Known bad

The file 3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 21:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 21:53

Reported

2024-06-13 21:56

Platform

win7-20240419-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
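Added example (editor's code, not the sandbox's output and not code from the sample): a short Python triage script that parses indicator rows in the exact format of the four registry tables above and applies the checks a reviewer makes by hand. Winlogon\Shell is a comma-separated list of shells, so any entry beyond explorer.exe is a foreign program launched at logon (ATT&CK T1547.004). Active Setup "Installed Components" keys are supposed to be GUIDs, and {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} and {F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} contain non-hex characters, so they cannot be legitimate component registrations (T1547.014). RunOnce values and StubPaths pointing into C:\Windows\system (the legacy 16-bit directory, not System32) or into a user profile are the dropper's own files (T1547.001). ShowSuperHidden = 0 hides files carrying both the hidden and system attributes from Explorer (T1564.001). The rows embedded in the script are copied from the behavioral1 tables; the technique IDs are the editor's mapping, not the report's. The Wow6432Node view in every HKLM path shows the writes came from a 32-bit process (consistent with the SysWOW64\at.exe children further down), so when hunting on a 64-bit host check both registry views.

```python
import re

# Rows copied verbatim from the behavioral1 signature tables of this report.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A',
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A',
]

# A GUID is five hex groups (8-4-4-4-12); Active Setup component keys must be one.
GUID_RE = re.compile(r'^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$', re.I)
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+) N/A$')
KEY_RE = re.compile(r'^Key (created|deleted) (.+) (\S+) N/A$')


def parse_row(row):
    """Turn one indicator row into a dict, or None if it is not a registry operation."""
    m = SET_RE.match(row)
    if m:
        # The report escapes backslashes inside quoted values; undo that.
        return {"op": "set", "path": m.group(2), "value": m.group(3).replace("\\\\", "\\"), "process": m.group(4)}
    m = KEY_RE.match(row)
    if m:
        return {"op": m.group(1), "path": m.group(2), "value": None, "process": m.group(3)}
    return None


def normalize(path):
    """Rewrite the kernel-style key path with a hive prefix and strip the WOW64 view."""
    p = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\").replace("\\REGISTRY\\USER\\", "HKU\\")
    wow64 = "wow6432node\\" in p.lower()
    return re.sub(r"(?i)wow6432node\\", "", p), wow64


def triage(row):
    """Return (tag, detail) findings for one row; an empty list if nothing stands out."""
    rec = parse_row(row)
    if rec is None:
        return []
    path, wow64 = normalize(rec["path"])
    low = path.lower()
    value = rec["value"] or ""
    findings = []

    # Winlogon\Shell is a comma-separated list; anything beyond explorer.exe is a foreign shell.
    if low.endswith("\\winlogon\\shell"):
        extra = [e.strip() for e in value.split(",")
                 if e.strip().lower() not in ("explorer.exe", "c:\\windows\\explorer.exe")]
        if extra:
            findings.append(("winlogon_shell_extra", ", ".join(extra)))
        if wow64:  # written by a 32-bit process; hunt in both registry views
            findings.append(("winlogon_shell_wow64_view", path))

    # ShowSuperHidden=0 hides hidden+system files from Explorer.
    if low.endswith("\\explorer\\advanced\\showsuperhidden") and value == "0":
        findings.append(("hide_superhidden_files", path))

    # Active Setup: the component key must be a GUID; StubPath should not live under a profile.
    m = re.search(r"\\active setup\\installed components\\(\{[^\\]+\})", low)
    if m:
        if not GUID_RE.match(m.group(1)):
            findings.append(("active_setup_invalid_guid", m.group(1)))
        if low.endswith("\\stubpath") and "\\appdata\\" in value.lower():
            findings.append(("active_setup_stubpath_in_profile", value))

    # Run/RunOnce entries pointing into C:\Windows\system (not System32) are the dropper's files.
    if rec["op"] == "set" and re.search(r"\\currentversion\\run(once)?\\", low):
        if "\\windows\\system\\" in value.lower():
            findings.append(("run_key_windows_system_dir", value))

    return findings


def triage_rows(rows):
    """Triage every row; returns a flat list of (tag, detail) tuples."""
    return [f for row in rows for f in triage(row)]


if __name__ == "__main__":
    for tag, detail in triage_rows(SAMPLE_ROWS):
        print(f"{tag:34} {detail}")
```

Running it yields seven findings for the five embedded rows (the invalid GUID fires once for the key creation and once for the StubPath write). Note also that the MD5/SHA256 values of the dropped explorer.exe, spoolsv.exe, svchost.exe and mrsys.exe differ between the win7 and win10 runs further down, so the paths and registry values above are more durable indicators than the file hashes.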

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Process Events
C:\Users\Admin\AppData\Local\Temp\3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791.exe 1
\??\c:\windows\system\explorer.exe 32
\??\c:\windows\system\svchost.exe 31
(64 events in total; Description, Indicator and Target were N/A for every row)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 3048 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791.exe \??\c:\windows\system\explorer.exe
PID 3048 wrote to memory of 2908 (4 writes) N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2908 wrote to memory of 2492 (4 writes) N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2492 wrote to memory of 2460 (4 writes) N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2492 wrote to memory of 904 (4 writes) N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2492 wrote to memory of 2036 (4 writes) N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2492 wrote to memory of 684 (4 writes) N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791.exe

"C:\Users\Admin\AppData\Local\Temp\3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 21:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 21:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 21:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
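Added example (editor's code, not from the report or the sandbox): rebuilding the process chain from the WriteProcessMemory rows and reading the at.exe jobs listed above. The report emits one row per write, so each parent/child pair appears several times and the parser dedupes pairs before walking the tree. It also tags images whose file name belongs to a Windows binary but whose directory does not (T1036.005): all three dropped binaries sit in C:\Windows\system rather than C:\Windows or System32. The at.exe lines schedule the dropped svchost.exe as an interactive job every day of the week at 21:55, 21:56 and 21:57 (T1053.002). The rows and command lines are copied from behavioral1; the technique IDs are the editor's mapping.

```python
import re

# "Suspicious use of WriteProcessMemory" rows from behavioral1 (two duplicates kept on purpose).
WPM_ROWS = [
    r"PID 2248 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791.exe \??\c:\windows\system\explorer.exe",
    r"PID 2248 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791.exe \??\c:\windows\system\explorer.exe",
    r"PID 3048 wrote to memory of 2908 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe",
    r"PID 2908 wrote to memory of 2492 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe",
    r"PID 2492 wrote to memory of 2460 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe",
    r"PID 2492 wrote to memory of 904 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe",
    r"PID 2492 wrote to memory of 2036 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe",
    r"PID 2492 wrote to memory of 684 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe",
]

# at.exe command lines from the Processes list above.
AT_CMDLINES = [
    r"at 21:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    r"at 21:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    r"at 21:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
ALL_DAYS = {"m", "t", "w", "th", "f", "s", "su"}
# Directories these Windows binaries actually ship in (lower-case, no trailing slash).
EXPECTED_DIR = {
    "explorer.exe": {"c:\\windows"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "spoolsv.exe": {"c:\\windows\\system32"},
}


def strip_nt_prefix(path):
    """Drop the object-manager prefix the sandbox puts on some paths."""
    return path[4:] if path.startswith("\\??\\") else path


def masquerades(path):
    """True when a well-known Windows binary name sits outside the directory it ships in."""
    directory, _, name = strip_nt_prefix(path).lower().rpartition("\\")
    return name in EXPECTED_DIR and directory not in EXPECTED_DIR[name]


def build_tree(rows):
    """Parse 'PID a wrote to memory of b' rows into an image map and a deduped parent->children map."""
    image, children = {}, {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        image.setdefault(parent, m.group(3))
        image.setdefault(child, m.group(4))
        kids = children.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
    return image, children


def roots(image, children):
    """PIDs that never appear as a write target: the top of the chain."""
    targets = {c for kids in children.values() for c in kids}
    return [pid for pid in image if pid not in targets]


def render(image, children, pid=None, depth=0, out=None):
    """Indented one-line-per-process view, tagging images that masquerade."""
    out = [] if out is None else out
    if pid is None:
        for r in roots(image, children):
            render(image, children, r, 0, out)
        return out
    tag = "  [masquerade]" if masquerades(image[pid]) else ""
    out.append("  " * depth + f"{pid} {strip_nt_prefix(image[pid])}{tag}")
    for kid in children.get(pid, []):
        render(image, children, kid, depth + 1, out)
    return out


def parse_at(cmdline):
    """Split an at.exe line into time, /interactive, /every: days, other switches and the command."""
    tokens = cmdline.split()
    if len(tokens) < 3 or tokens[0].lower() != "at":
        return None
    job = {"time": tokens[1], "interactive": False, "days": [], "switches": []}
    command = []
    for tok in tokens[2:]:
        if tok.lower() == "/interactive":
            job["interactive"] = True
        elif tok.lower().startswith("/every:"):
            job["days"] = tok[len("/every:"):].split(",")
        elif tok.startswith("/"):
            job["switches"].append(tok)
        else:
            command.append(tok)
    job["command"] = " ".join(command)
    return job


def triage_at_jobs(cmdlines):
    """Parse each job and add 'daily' and 'masquerade' verdicts."""
    jobs = []
    for line in cmdlines:
        job = parse_at(line)
        if job is None:
            continue
        job["daily"] = {d.lower() for d in job["days"]} == ALL_DAYS
        job["masquerade"] = bool(job["command"]) and masquerades(job["command"].split()[0])
        jobs.append(job)
    return jobs


if __name__ == "__main__":
    image, children = build_tree(WPM_ROWS)
    print("\n".join(render(image, children)))
    for job in triage_at_jobs(AT_CMDLINES):
        print(f"at {job['time']} daily={job['daily']} interactive={job['interactive']} "
              f"masquerade={job['masquerade']} -> {job['command']}")
```

The rendered tree is sample -> explorer.exe -> spoolsv.exe -> svchost.exe, with svchost.exe (PID 2492) spawning a second spoolsv.exe and the three at.exe jobs. Caveat for the second detonation: at.exe creates jobs on Windows 7, but on Windows 8 and later it only prints a deprecation notice pointing at schtasks.exe, and the report does not record the at.exe exit status, so on the win10v2004 run (behavioral2) the same three invocations may have persisted nothing; the Winlogon Shell, Active Setup and RunOnce entries carry the persistence there.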

Network

N/A

Files

memory/2248-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2248-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2248-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2248-5-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2248-2-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\explorer.exe

MD5 65f6b7ee31fac8e85db25338408c4692
SHA1 cf45404ed664b41fd35e6d12ec7505691aca42a5
SHA256 4dcff45186782720785ac874622401e2a7819a71f801878b055957e46b635269
SHA512 96d58c4d915e7bc92721d08fa19660968fdd43b5c421ceda08ca0b43bfd4a2fa81a0296aa6da12c8707b0541512b4d6ad494a44ba6a1dcdeccd9edf1df625623

memory/3048-17-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2248-19-0x0000000002C40000-0x0000000002C71000-memory.dmp

memory/3048-21-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2248-20-0x0000000002C40000-0x0000000002C71000-memory.dmp

\Windows\system\spoolsv.exe

MD5 95d548a5bd8950aa92b5f17301dcacd3
SHA1 d29a824bf066796e36645cd69ec28e020de2b983
SHA256 eaa3bda98e473d40cf4a8769eb9e13515ae4b21f13d5cfdcaa195eb040b5a323
SHA512 8a107fad3f0064d5aceac3a127cbf89909178e0e428e628dfbb02560a88311075e19c3ec02e18856e9592697b7f91dfb91bcfa92e3e89be3aab94f44501c53fe

memory/2908-37-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3048-36-0x0000000003140000-0x0000000003171000-memory.dmp

memory/3048-35-0x0000000003140000-0x0000000003171000-memory.dmp

memory/2908-38-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2908-43-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 2f43da499093bb2476f28bea7238f903
SHA1 73f7ca6f6c9c4306e90d893f1724d58f5fbb563d
SHA256 0683cf28052fa905f352dbb1a76c2083da2ab0c86b4f09e6060fceec7cb8bec3
SHA512 7bccc624d67a58061b8923250223aacf60a58fddea25368d59fd32189b4aa563d686fc7e6f305dfac74a9db1f6d23dbf3e1b64c7f04e4d8cf3508e7757970b06

memory/2492-54-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2492-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2492-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2492-65-0x00000000026F0000-0x0000000002721000-memory.dmp

memory/2460-66-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2460-72-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2248-76-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2908-79-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2248-77-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 c9e8a476d54d5eb43996a6a2ecc193a8
SHA1 89810b2a964f734d8736c60dae831c759152902d
SHA256 a17c2cea9cc687a5e8cb717d93428c851b481165b3977cab9c22118d454d91c2
SHA512 f65295e861bdf30a879c193d970d259734ba4063e269c62f776d1e8b0f252d38fc969ce6f1f5d8bcd4c9d22271a2a29b0a2977e9efe3d39cccb6cf186714ac61

memory/3048-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2492-83-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3048-92-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 21:53

Reported

2024-06-13 21:56

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Process Events
C:\Users\Admin\AppData\Local\Temp\3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791.exe 2
\??\c:\windows\system\explorer.exe 32
\??\c:\windows\system\svchost.exe 30
(64 events in total; Description, Indicator and Target were N/A for every row)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 384 wrote to memory of 4704 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791.exe \??\c:\windows\system\explorer.exe
PID 4704 wrote to memory of 5084 (3 writes) N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5084 wrote to memory of 424 (3 writes) N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 424 wrote to memory of 4312 (3 writes) N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 424 wrote to memory of 3496 (3 writes) N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 424 wrote to memory of 5004 (3 writes) N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 424 wrote to memory of 4012 (3 writes) N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791.exe

"C:\Users\Admin\AppData\Local\Temp\3c3a20c1faa25cc42fcfdb6c8b386d0a69f92ff505574979ceecbc1226351791.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 21:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8

C:\Windows\SysWOW64\at.exe

at 21:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 21:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/384-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/384-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/384-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/384-2-0x00000000758F0000-0x0000000075A4D000-memory.dmp

memory/384-6-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 4212496b404b97eadde54211cfb567b4
SHA1 bc8980bd43f8ce659dd945b29e445e2758457aa8
SHA256 d401023904cd08f4ed6d0d876a801d33d1b42e4234ea07f057d1b718a8965af7
SHA512 d86d0a803e4ed0f7e38c361709669424f76b1731efe00791638320ec3eb83a97a8fec5f35d6be893283b76e0ac9b03ad06a6f5882fb57e235ad134172633f69d

memory/4704-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4704-14-0x00000000758F0000-0x0000000075A4D000-memory.dmp

memory/4704-16-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 156824b3ca61f111ec1a8164e32a8e6d
SHA1 5eccfe3981ef3999baa30bedaae4128e3d1a2d13
SHA256 964f86ad64de605d29cb372be24ae00d4808bbae7cdf5df74eaec4158380fa7e
SHA512 692772b7bb1ea01577629136fcf6dc12c050c6cfd6d6b72fe3f42016831e0ebbb05020ccd3dfded0ec115ac6b32a06407bda447fe2d73a246dbc66fcf2d8a454

memory/5084-25-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5084-26-0x00000000758F0000-0x0000000075A4D000-memory.dmp

memory/5084-30-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 f9bfdc8687319ed6c1237ca5ea84b833
SHA1 3bc04caa3eba5f27875ac8bdcfca526439498064
SHA256 31974092eae93dfdad7bf16ab1150ee718c98b7faf656249ab10af4cfc031c06
SHA512 f123602f37d39397db08d2ea7b4a1794e8d98a34fad8758f80affe542817530433f6833dc7f6c0ba857e4f8d38acfb7ddeaac0505206e15a1f792c81dd663efd

memory/424-37-0x00000000758F0000-0x0000000075A4D000-memory.dmp

memory/424-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4312-44-0x00000000758F0000-0x0000000075A4D000-memory.dmp

memory/5084-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/384-56-0x0000000000401000-0x000000000042E000-memory.dmp

memory/384-55-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4312-52-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 b3686c0ae6891133025c35c5c74b70f3
SHA1 81e01320c1e0cfef1a7fbd8eb657469bcd4d1daa
SHA256 d1ce6a20c55ed8713b4910f03e014b0516f52b2aba7204a99bccea1fb55b2c46
SHA512 49fcdeaba7b86141f132ae81fd100ea8bc841bfa45e6e0c4d4a8e1f5f51423aaf25f600d1adba7102285960733155994edd8851fcf73c63bc353f9e1bb3e39c2

memory/4704-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/424-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4704-69-0x0000000000400000-0x0000000000431000-memory.dmp