40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3

General

Target

40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe
Size

66KB
MD5

413662d111665c07348cb24c4b4e7b70
SHA1

acc2db7b38796b161439324ecc24a8268733f914
SHA256

40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3
SHA512

13f0e941005fbdd2d219c0ad2f129ad0d8472af33813a0cdd1f28963df7018aff1ac26205eb588127d6e132705ef4e0fde747d6b3dae852c6ae9ac5972e5c1d4
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi6:IeklMMYJhqezw/pXzH9i6

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2668 explorer.exe
2604 spoolsv.exe
1604 svchost.exe
2384 spoolsv.exe

pid	process
2668	explorer.exe
2604	spoolsv.exe
1604	svchost.exe
2384	spoolsv.exe

Loads dropped DLL 8 IoCs

Processes:

40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exeexplorer.exespoolsv.exesvchost.exe

pid	process
2132	40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe
2132	40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe
2668	explorer.exe
2668	explorer.exe
2604	spoolsv.exe
2604	spoolsv.exe
1604	svchost.exe
1604	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exeexplorer.exesvchost.exe

pid	process
2132	40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
1604	svchost.exe
1604	svchost.exe
1604	svchost.exe
2668	explorer.exe
2668	explorer.exe
1604	svchost.exe
2668	explorer.exe
1604	svchost.exe
1604	svchost.exe
2668	explorer.exe
2668	explorer.exe
1604	svchost.exe
2668	explorer.exe
1604	svchost.exe
1604	svchost.exe
2668	explorer.exe
2668	explorer.exe
1604	svchost.exe
1604	svchost.exe
2668	explorer.exe
1604	svchost.exe
2668	explorer.exe
2668	explorer.exe
1604	svchost.exe
1604	svchost.exe
2668	explorer.exe
1604	svchost.exe
2668	explorer.exe
1604	svchost.exe
2668	explorer.exe
2668	explorer.exe
1604	svchost.exe
2668	explorer.exe
1604	svchost.exe
1604	svchost.exe
2668	explorer.exe
2668	explorer.exe
1604	svchost.exe
2668	explorer.exe
1604	svchost.exe
2668	explorer.exe
1604	svchost.exe
2668	explorer.exe
1604	svchost.exe
1604	svchost.exe
2668	explorer.exe
2668	explorer.exe
1604	svchost.exe
1604	svchost.exe
2668	explorer.exe
2668	explorer.exe
1604	svchost.exe
1604	svchost.exe
2668	explorer.exe
1604	svchost.exe
2668	explorer.exe
2668	explorer.exe
1604	svchost.exe
2668	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2668 explorer.exe
1604 svchost.exe

pid	process
2668	explorer.exe
1604	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2132	40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe
2132	40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe
2668	explorer.exe
2668	explorer.exe
2604	spoolsv.exe
2604	spoolsv.exe
1604	svchost.exe
1604	svchost.exe
2384	spoolsv.exe
2384	spoolsv.exe
2668	explorer.exe
2668	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2132 wrote to memory of 2668	2132	40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe	explorer.exe
PID 2132 wrote to memory of 2668	2132	40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe	explorer.exe
PID 2132 wrote to memory of 2668	2132	40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe	explorer.exe
PID 2132 wrote to memory of 2668	2132	40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe	explorer.exe
PID 2668 wrote to memory of 2604	2668	explorer.exe	spoolsv.exe
PID 2668 wrote to memory of 2604	2668	explorer.exe	spoolsv.exe
PID 2668 wrote to memory of 2604	2668	explorer.exe	spoolsv.exe
PID 2668 wrote to memory of 2604	2668	explorer.exe	spoolsv.exe
PID 2604 wrote to memory of 1604	2604	spoolsv.exe	svchost.exe
PID 2604 wrote to memory of 1604	2604	spoolsv.exe	svchost.exe
PID 2604 wrote to memory of 1604	2604	spoolsv.exe	svchost.exe
PID 2604 wrote to memory of 1604	2604	spoolsv.exe	svchost.exe
PID 1604 wrote to memory of 2384	1604	svchost.exe	spoolsv.exe
PID 1604 wrote to memory of 2384	1604	svchost.exe	spoolsv.exe
PID 1604 wrote to memory of 2384	1604	svchost.exe	spoolsv.exe
PID 1604 wrote to memory of 2384	1604	svchost.exe	spoolsv.exe
PID 1604 wrote to memory of 1984	1604	svchost.exe	at.exe
PID 1604 wrote to memory of 1984	1604	svchost.exe	at.exe
PID 1604 wrote to memory of 1984	1604	svchost.exe	at.exe
PID 1604 wrote to memory of 1984	1604	svchost.exe	at.exe
PID 1604 wrote to memory of 1700	1604	svchost.exe	at.exe
PID 1604 wrote to memory of 1700	1604	svchost.exe	at.exe
PID 1604 wrote to memory of 1700	1604	svchost.exe	at.exe
PID 1604 wrote to memory of 1700	1604	svchost.exe	at.exe
PID 1604 wrote to memory of 2092	1604	svchost.exe	at.exe
PID 1604 wrote to memory of 2092	1604	svchost.exe	at.exe
PID 1604 wrote to memory of 2092	1604	svchost.exe	at.exe
PID 1604 wrote to memory of 2092	1604	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe
"C:\Users\Admin\AppData\Local\Temp\40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\SysWOW64\at.exe
at 22:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:1984

C:\Windows\SysWOW64\at.exe
at 22:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:1700

C:\Windows\SysWOW64\at.exe
at 22:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:2092

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
66KB

MD5
f666a6e05a59ad287acbeed0c724d83b

SHA1
fd697d9d4d30f6d9926c33713845c7191cef8e97

SHA256
e39a488665805564e93295e380446b3418ca69e82e1fc5a647fc959e95ceff35

SHA512
de4e1e2360a1fc693cd2b03cbb0a4c0c745bbf7bbd3a2dd3d89e91fb358d752728e51dfab8e4cefa260e0800e9c98d6f46932d27f2c3a6a929ade81f4a082604

Download Submit
\??\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\system\explorer.exe
Filesize
66KB

MD5
1a3386c44d954d520bd00634b26b615c

SHA1
57c218d9206e989c7943e70ce21185c82e6d0827

SHA256
d46f4a6c6f0bb72d40afcc4c00362abd08b33d5fbe9dffd5dc5f9a4878243a74

SHA512
ee4a98cdc4cb3e957db1c7e13bf7855660514cf76c9cc4ed5ba5bc02114d6c22957f4331507bd039ea963ce79e79aaf56c83b3aee84d3bb620ab4a8cf31c5099

Download Submit
\Windows\system\spoolsv.exe
Filesize
66KB

MD5
d7cc3494e7c87bfdeebe30db563543f7

SHA1
b166f7edd589552674e8fc35519070fc8af5ade4

SHA256
ff403b96c1ad7a7de886826d59002deabc71826662c5cdfd166438932bef972a

SHA512
3a8dec62a82f5d9bbf5aa96472e629aba249a24b53cc9ea80a3f901358f8954f8035fafccce33090e80ebba6a77dfef89209c3a5a7b7863c90f868ab5a336343

Download Submit
\Windows\system\svchost.exe
Filesize
66KB

MD5
8af24537b5bd95a42c8d16036710cfb1

SHA1
5fc7d4b94aed2b7a83463582f771c1661bffcbe7

SHA256
fcf52e7904a4f228755ce2df5ed69e5bf2678e34b2c9937c169b110b11c080b2

SHA512
b414add8cb5d4056c6f8c73ba9a81a270065392c105898b3f27615c8c5e27e1e90897ff761ef8cf84f19dc46149574028b2d848ae033b0f90986e471127a115a

Download Submit
memory/1604-54-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1604-66-0x0000000000840000-0x0000000000871000-memory.dmp

Filesize
196KB

Download
memory/1604-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1604-67-0x0000000000840000-0x0000000000871000-memory.dmp

Filesize
196KB

Download
memory/1604-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2132-17-0x0000000001E90000-0x0000000001EC1000-memory.dmp

Filesize
196KB

Download
memory/2132-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2132-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2132-65-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2132-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2132-79-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2132-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2132-59-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2132-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2132-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2384-73-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2384-68-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2604-53-0x0000000001F30000-0x0000000001F61000-memory.dmp

Filesize
196KB

Download
memory/2604-42-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2604-37-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2604-77-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2668-36-0x00000000030E0000-0x0000000003111000-memory.dmp

Filesize
196KB

Download
memory/2668-22-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2668-20-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2668-81-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2668-19-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2668-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2668-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads