Malware Analysis Report

2024-09-09 19:17

Sample ID 240613-1ywfjawbkr
Target 40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3
SHA256 40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3
Tags
evasion persistence
score
10/10

Analysis Overview

score
10/10

SHA256

40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3

Threat Level: Known bad

The file 40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:04

Reported

2024-06-13 22:06

Platform

win7-20240221-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe \??\c:\windows\system\explorer.exe
PID 2668 wrote to memory of 2604 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2604 wrote to memory of 1604 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1604 wrote to memory of 2384 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1604 wrote to memory of 1984 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1604 wrote to memory of 1700 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1604 wrote to memory of 2092 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe

"C:\Users\Admin\AppData\Local\Temp\40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

\Windows\system\explorer.exe

MD5 1a3386c44d954d520bd00634b26b615c
SHA1 57c218d9206e989c7943e70ce21185c82e6d0827
SHA256 d46f4a6c6f0bb72d40afcc4c00362abd08b33d5fbe9dffd5dc5f9a4878243a74
SHA512 ee4a98cdc4cb3e957db1c7e13bf7855660514cf76c9cc4ed5ba5bc02114d6c22957f4331507bd039ea963ce79e79aaf56c83b3aee84d3bb620ab4a8cf31c5099

\Windows\system\spoolsv.exe

MD5 d7cc3494e7c87bfdeebe30db563543f7
SHA1 b166f7edd589552674e8fc35519070fc8af5ade4
SHA256 ff403b96c1ad7a7de886826d59002deabc71826662c5cdfd166438932bef972a
SHA512 3a8dec62a82f5d9bbf5aa96472e629aba249a24b53cc9ea80a3f901358f8954f8035fafccce33090e80ebba6a77dfef89209c3a5a7b7863c90f868ab5a336343

\Windows\system\svchost.exe

MD5 8af24537b5bd95a42c8d16036710cfb1
SHA1 5fc7d4b94aed2b7a83463582f771c1661bffcbe7
SHA256 fcf52e7904a4f228755ce2df5ed69e5bf2678e34b2c9937c169b110b11c080b2
SHA512 b414add8cb5d4056c6f8c73ba9a81a270065392c105898b3f27615c8c5e27e1e90897ff761ef8cf84f19dc46149574028b2d848ae033b0f90986e471127a115a

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 f666a6e05a59ad287acbeed0c724d83b
SHA1 fd697d9d4d30f6d9926c33713845c7191cef8e97
SHA256 e39a488665805564e93295e380446b3418ca69e82e1fc5a647fc959e95ceff35
SHA512 de4e1e2360a1fc693cd2b03cbb0a4c0c745bbf7bbd3a2dd3d89e91fb358d752728e51dfab8e4cefa260e0800e9c98d6f46932d27f2c3a6a929ade81f4a082604

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:04

Reported

2024-06-13 22:06

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3536 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe \??\c:\windows\system\explorer.exe
PID 2480 wrote to memory of 2348 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2348 wrote to memory of 4644 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4644 wrote to memory of 3620 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4644 wrote to memory of 4992 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4644 wrote to memory of 2980 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4644 wrote to memory of 4112 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe

"C:\Users\Admin\AppData\Local\Temp\40774a3ade92d309177f3dadedd89e4dba5a5d65ab757ac2a35b03c76b328fb3.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

\??\c:\windows\system\explorer.exe

MD5 43fdc245ff3731d0d3e98057745fc9e9
SHA1 3ab92221ab9f31e88aa149954ee88a48bff3c2b6
SHA256 63807ef6a00e10264f0a04b4954326f253770ca3255003c7a25f16fd980cb55c
SHA512 b5cbd549f93deeb964ca3514d7d9ea595886ddf36503bad7da0dc27dd3d8a5fd2cb691de78b51ea87a65c3f7794e8a076f6a94356ee7d47a0f29a7976189c8e4

C:\Windows\System\spoolsv.exe

MD5 0886f2cd450e79c6ff26765839c07b0b
SHA1 7f0de4b2b46cf2ea9fdaa77562109bd62ba7809d
SHA256 611ada94f4313b3772d8935b1504590a9a675b73a23ffcb1131be57b911fea5c
SHA512 08b6792ba259afb055bfc777addac75548b43bf76e9d00031a56180928e9bd8db05b6f1ccca513e65406940bb04162e43154c1bf14aec22aba05e5c2d356d1af

C:\Windows\System\svchost.exe

MD5 32cff0be578e98ab6871f85ba215ce82
SHA1 5d278c9d1ce94d9fb08a76a348367b6d6b972762
SHA256 9a574ee06364103eeec6fdf62273a13d5296bec19ab187087f4b317af25d4b5d
SHA512 bd7bc95a015a6fdb78bd57ec23b8289d020aef3d67751ebed7b21f1fa5f71cc69cc7f97afe10b303bd7fd1e6a84f1da6b7a8ec30329220ea7dba55eb1f05faad

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 65e6b99eec5499c9bb0c447c0a690050
SHA1 030a30342f48d2bcfe8cdab5322d5c59c3ea269a
SHA256 c42d5a7fe33edb0ff8ebd3138b8902cd3848bf4fae0386e00e43ff09986b1645
SHA512 4a67e4fa6a64dfd01d59c38d12b0bed1801063801611f6d7519c68d4ff072c660f8cbf7be927a0177d9c23fa13a9302da0e4cea0a053a9ce25acd8bb032d3e1b

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e