Malware Analysis Report

2024-09-09 19:16

Sample ID: 240613-1vkvma1hnh
Target: 3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11
SHA256: 3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11
Tags: evasion, persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11

Threat Level: Known bad

The file 3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11 was found to be: Known bad.

Malicious Activity Summary

Tags: evasion, persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-13 21:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 21:58
Reported: 2024-06-13 22:00
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1040 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe | \??\c:\windows\system\explorer.exe
PID 1040 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe | \??\c:\windows\system\explorer.exe
PID 1040 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe | \??\c:\windows\system\explorer.exe
PID 1040 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe | \??\c:\windows\system\explorer.exe
PID 2936 wrote to memory of 2724 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2936 wrote to memory of 2724 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2936 wrote to memory of 2724 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2936 wrote to memory of 2724 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2724 wrote to memory of 2552 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2724 wrote to memory of 2552 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2724 wrote to memory of 2552 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2724 wrote to memory of 2552 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2552 wrote to memory of 2404 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2552 wrote to memory of 2404 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2552 wrote to memory of 2404 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2552 wrote to memory of 2404 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2552 wrote to memory of 1852 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2552 wrote to memory of 1852 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2552 wrote to memory of 1852 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2552 wrote to memory of 1852 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2552 wrote to memory of 2020 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2552 wrote to memory of 2020 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2552 wrote to memory of 2020 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2552 wrote to memory of 2020 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2552 wrote to memory of 452 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2552 wrote to memory of 452 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2552 wrote to memory of 452 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2552 wrote to memory of 452 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe

"C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/1040-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/1040-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1040-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1040-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1040-3-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\explorer.exe

MD5 89752b9cc858bde0e6c2b738f45bcd93
SHA1 31d70169e98a8e664106b0deae2a36e9e1389985
SHA256 bcb1bfd72c1f4dadcaee19a3624c92703caeee96a65d2f7a68c29a87b607336d
SHA512 2db04bbb2f5b48ca4df68e4a765f6949b48ad3d0724ab2ed0532d25e65525b821989feb5b4db5a425b7b4f3101d613d22da4fc4cf841020393a3af126b5771a0

memory/2936-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1040-17-0x00000000031A0000-0x00000000031D1000-memory.dmp

memory/2936-19-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2936-21-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 379c56f8d23d2990cdc1136c9da10888
SHA1 946a5dc2fbaccaabbce2576f24832422a87f7435
SHA256 9d57578ee293a29f747c8e578a38b9d491276e3eb93a690405335553a6d50f0f
SHA512 b0b19443c63ccf23f5dd90b1c465a2ab3d74165be99d9f8a82723f6ce397d2500c323d2ab8a282cc6471d0316e8e0f42877bbf96c9353cc42019943d18b2ca06

memory/2936-40-0x00000000026D0000-0x0000000002701000-memory.dmp

memory/2724-46-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 77c78d6f9b786016d126c60349d7870a
SHA1 7e89559d9ce8f7e0ffb44e99210c710198d43aab
SHA256 e6fbb9a93ba46f7a625586a201cab9456a24856adbac5453f6ff178f6e1c9c68
SHA512 a634edd32d1878cf4122c315a546d5a1e620fdd06091d15f2994d5ce2613077b4b34676ea9b6798c4e52ff99c6c0b65602dffc9fdc6f1ad1712164084865f764

memory/2724-45-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2936-39-0x00000000026D0000-0x0000000002701000-memory.dmp

memory/2724-35-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2552-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2552-55-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1040-60-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2552-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2724-76-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2404-73-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2552-72-0x0000000002420000-0x0000000002451000-memory.dmp

memory/1040-71-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2404-66-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1040-81-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1040-80-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 8c8839f7765bcc40795b4210cf3e7da8
SHA1 fa0b044968987d68716077824af6bd0925a5b652
SHA256 3a94d5c7a23d83b4d777f983d47a7cbbc7309ed17ad895351eae6c66d98fa1c1
SHA512 e4fb6aa37a876ea1ba420710967a8cec192d5a8e907ad900d62a32c5833afe1b965d035c944b92263ed613b8164a34e3f4c591a8284925c716ae91577b2cba86

memory/2936-83-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2552-85-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2936-94-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 21:58
Reported: 2024-06-13 22:00
Platform: win10v2004-20240611-en
Max time kernel: 150s
Max time network: 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3628 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe | \??\c:\windows\system\explorer.exe
PID 3628 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe | \??\c:\windows\system\explorer.exe
PID 3628 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe | \??\c:\windows\system\explorer.exe
PID 3148 wrote to memory of 2740 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 3148 wrote to memory of 2740 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 3148 wrote to memory of 2740 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2740 wrote to memory of 760 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2740 wrote to memory of 760 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2740 wrote to memory of 760 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 760 wrote to memory of 2528 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 760 wrote to memory of 2528 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 760 wrote to memory of 2528 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 760 wrote to memory of 3160 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 760 wrote to memory of 3160 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 760 wrote to memory of 3160 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 760 wrote to memory of 4396 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 760 wrote to memory of 4396 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 760 wrote to memory of 4396 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 760 wrote to memory of 2240 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 760 wrote to memory of 2240 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 760 wrote to memory of 2240 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe

"C:\Users\Admin\AppData\Local\Temp\3e4744523ed4ccf599d92b91d20f47b46015011e420fb00547645793046abe11.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8

C:\Windows\SysWOW64\at.exe

at 22:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.251.17.2.in-addr.arpa | udp

Files

memory/3628-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3628-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3628-2-0x0000000075460000-0x00000000755BD000-memory.dmp

memory/3628-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3628-5-0x0000000000401000-0x000000000042E000-memory.dmp

\??\c:\windows\system\explorer.exe

MD5 2b6cfd788b915e6769168abec67d6548
SHA1 73a038de4965feab6a2abe1d8fc0fe5be5eb6cbb
SHA256 75734b482f58a2a66e535df26b84ba1560fb23f91d3c945889aa7549782b9b27
SHA512 b967f29ee7c8ea799e7d3b928bafdda0552cb2b1dfac462cc6047c23d5b1b2cf6a0450c03ad82f2645275e2026dc85e0283b3e1da7efa28c7bb777e3e65be5dd

memory/3148-14-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3148-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3148-15-0x0000000075460000-0x00000000755BD000-memory.dmp

memory/3148-17-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 398c2ba524eec53b17cfef3ab48e0021
SHA1 1f32eef35993472fb9627130205f1be42bba0c8b
SHA256 72cafe33b3946c078fa647ad9718f92b737511cb71936fbe67a09cf858e7ff69
SHA512 01b97cc2bb480e9445a9a1828139582e713e097b17149bca14815ea7c492417868c94867699c567ad72d91e6de0290e4d0dad4ebec996730eed9d1496cc40590

memory/2740-26-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2740-27-0x0000000075460000-0x00000000755BD000-memory.dmp

memory/2740-32-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 25bd3d7340fc5a8daed1823b80171c22
SHA1 14b91c5797384d1bd40b3fa5528e51aa170ce169
SHA256 00a547a17c82505bed5a2473e1f3740f9aaad06641e7008da34f77cf2fdf2095
SHA512 b709b9aa474adf9104514315a12f53f72e38f6516ffe8619f884d10df97291d0f1fe8134b53a0105a94377cd15445566805de4b0f835e238dacbd147ec151231

memory/760-38-0x0000000075460000-0x00000000755BD000-memory.dmp

memory/2528-44-0x0000000075460000-0x00000000755BD000-memory.dmp

memory/2528-50-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2740-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3628-57-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3628-58-0x0000000000401000-0x000000000042E000-memory.dmp

memory/3628-56-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 551facc03c4124b264a1721199a13c74
SHA1 bb074b74cb93e4f7113f5804d464f84a0cc4fde6
SHA256 d547491cba7e78944ec1d72c33fdd788a1b5dfd7b9a7c9b1788bcea29cbf33ed
SHA512 90d8e50ccd1e5619b4b38500ffbca0878fef9450df6e7bad28315086fc13be7d4e6bcdb2f8e5df67c3416530a8b18dbd0fbfce3af46767dbeb899e5dff2fda58

memory/3148-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/760-62-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3148-71-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e