3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6

General

Target

3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe
Size

66KB
MD5

23aa9b9c01f9b6a3c5661b2dc652cb2e
SHA1

d0ba8f8db0654ddeff99e7885fdc7a2972a3a4ee
SHA256

3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6
SHA512

63871b0cee982464fc37b48ea1365e6203ccdf19df21091c44e05ccb0b4dd22b73921b548a2158e553c5f920ab91f99a13a90e3df291919ec8c6b515ecb05669
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiP:IeklMMYJhqezw/pXzH9iP

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2504 explorer.exe
2372 spoolsv.exe
1940 svchost.exe
2804 spoolsv.exe

pid	process
2504	explorer.exe
2372	spoolsv.exe
1940	svchost.exe
2804	spoolsv.exe

Loads dropped DLL 8 IoCs

Processes:

3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exeexplorer.exespoolsv.exesvchost.exe

pid	process
1912	3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe
1912	3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe
2504	explorer.exe
2504	explorer.exe
2372	spoolsv.exe
2372	spoolsv.exe
1940	svchost.exe
1940	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exeexplorer.exesvchost.exe

pid	process
1912	3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
1940	svchost.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe
2504	explorer.exe
1940	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2504 explorer.exe
1940 svchost.exe

pid	process
2504	explorer.exe
1940	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1912	3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe
1912	3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe
2504	explorer.exe
2504	explorer.exe
2372	spoolsv.exe
2372	spoolsv.exe
1940	svchost.exe
1940	svchost.exe
2804	spoolsv.exe
2804	spoolsv.exe
2504	explorer.exe
2504	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1912 wrote to memory of 2504	1912	3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe	explorer.exe
PID 1912 wrote to memory of 2504	1912	3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe	explorer.exe
PID 1912 wrote to memory of 2504	1912	3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe	explorer.exe
PID 1912 wrote to memory of 2504	1912	3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe	explorer.exe
PID 2504 wrote to memory of 2372	2504	explorer.exe	spoolsv.exe
PID 2504 wrote to memory of 2372	2504	explorer.exe	spoolsv.exe
PID 2504 wrote to memory of 2372	2504	explorer.exe	spoolsv.exe
PID 2504 wrote to memory of 2372	2504	explorer.exe	spoolsv.exe
PID 2372 wrote to memory of 1940	2372	spoolsv.exe	svchost.exe
PID 2372 wrote to memory of 1940	2372	spoolsv.exe	svchost.exe
PID 2372 wrote to memory of 1940	2372	spoolsv.exe	svchost.exe
PID 2372 wrote to memory of 1940	2372	spoolsv.exe	svchost.exe
PID 1940 wrote to memory of 2804	1940	svchost.exe	spoolsv.exe
PID 1940 wrote to memory of 2804	1940	svchost.exe	spoolsv.exe
PID 1940 wrote to memory of 2804	1940	svchost.exe	spoolsv.exe
PID 1940 wrote to memory of 2804	1940	svchost.exe	spoolsv.exe
PID 1940 wrote to memory of 2340	1940	svchost.exe	at.exe
PID 1940 wrote to memory of 2340	1940	svchost.exe	at.exe
PID 1940 wrote to memory of 2340	1940	svchost.exe	at.exe
PID 1940 wrote to memory of 2340	1940	svchost.exe	at.exe
PID 1940 wrote to memory of 1692	1940	svchost.exe	at.exe
PID 1940 wrote to memory of 1692	1940	svchost.exe	at.exe
PID 1940 wrote to memory of 1692	1940	svchost.exe	at.exe
PID 1940 wrote to memory of 1692	1940	svchost.exe	at.exe
PID 1940 wrote to memory of 960	1940	svchost.exe	at.exe
PID 1940 wrote to memory of 960	1940	svchost.exe	at.exe
PID 1940 wrote to memory of 960	1940	svchost.exe	at.exe
PID 1940 wrote to memory of 960	1940	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe
"C:\Users\Admin\AppData\Local\Temp\3fc8084e724f10c0b6f94416c18032a2e1a6ebcb3021d76e9b9c655301d01bb6.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Windows\SysWOW64\at.exe
at 22:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:2340

C:\Windows\SysWOW64\at.exe
at 22:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:1692

C:\Windows\SysWOW64\at.exe
at 22:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:960

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
66KB

MD5
16984d695ec7e4d505916b05a486ba00

SHA1
3048ee3ece424f7d33397e82933a59f251e289bf

SHA256
00b580b6617cf53ea29e425cda76d02c2cce5c0a76dd49c31c1cce654d5c8e15

SHA512
0a84a18a6679731388cb48b31b808ccac15dcad9bbf89e1d565e02669d3dff72719239edb8faf7cebe88cbc6380111bcffb7fb683802eb58c851891cf5dcae6f

Download Submit
\Windows\system\explorer.exe
Filesize
66KB

MD5
6b055b78a8798dc0ad6a48e71950cf3c

SHA1
4c5abd7c36226ac6603596b5e105ace6d64df96f

SHA256
a8d6ab07cbb14f6c22a22fa710be7d263c8d2749e9bb975f2748883b5361a205

SHA512
4483a121d8a1b3d4fbcc138a6b7acdc91a6a170925292440391dfd7f434aa5197bf4e571494b12751f558b1959f026a0a555a5002e82c3785f4d7c7f2661903e

Download Submit
\Windows\system\spoolsv.exe
Filesize
66KB

MD5
5da64f42a4646c6d1d7f057a74b8cb98

SHA1
fa9a72111b010387f19b6cb8e6a67febb0d10977

SHA256
1f6b18de15b273dd5e532c8f446d32fe1f55361e3d98dbbcf2eb51b48cbf1819

SHA512
9f53c457e91afc41fb55be8863e4a40d180bba7c534838576d963ead829c4b2f5d9bcdc28044e1a6a599909e8d89e59cbf9084bdb17532dd74bbbb7eead1092b

Download Submit
\Windows\system\svchost.exe
Filesize
66KB

MD5
841e1e37a0852ec6bcb77b5322fcb376

SHA1
c84bf4d781f9dc49dfbd7b89ddc87f85e67f8f15

SHA256
eb73463d468ddfef67f82a3d0315f702f54834b6be42a7a2e698f583ac41e7f1

SHA512
d4fe0f7944cd2a91f89882100b35e9881d1019b3aedf02059001b8569b770361fc0ebf94a53f1e26d4f24ca678b2f9d02c7e955bda848d98dbd19fb37c5cd7d2

Download Submit
memory/1912-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1912-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1912-16-0x0000000002C90000-0x0000000002CC1000-memory.dmp

Filesize
196KB

Download
memory/1912-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1912-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1912-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1912-56-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1912-80-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1912-79-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1912-52-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1940-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1940-58-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1940-57-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1940-62-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2372-42-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2372-38-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2372-37-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2372-54-0x0000000002600000-0x0000000002631000-memory.dmp

Filesize
196KB

Download
memory/2504-19-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2504-68-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2504-35-0x00000000025F0000-0x0000000002621000-memory.dmp

Filesize
196KB

Download
memory/2504-34-0x00000000025F0000-0x0000000002621000-memory.dmp

Filesize
196KB

Download
memory/2504-21-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2504-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2504-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2504-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2804-69-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2804-74-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads