Malware Analysis Report

2024-09-09 20:00

Sample ID 240613-2d8e2awgrk
Target 4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b
SHA256 4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b
Tags
evasion persistence upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b

Threat Level: Known bad

The file 4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b was found to be: Known bad.

Malicious Activity Summary

evasion persistence upx

UPX dump on OEP (original entry point)

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:29

Signatures

UPX dump on OEP (original entry point)

1 event; no description, indicator, process or target recorded.

UPX packed file

upx
1 event; no description, indicator, process or target recorded.

Unsigned PE

2 events; no description, indicator, process or target recorded.
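The three static hits above come from the sandbox's own detectors. The Python below is an added example, not part of this report or of the sandbox, showing how an analyst reaches the same packer verdict by hand: parse the PE section table, find the section that contains the entry point, and measure that section's byte entropy. UPX output has a recognisable shape that the checks key on: an empty first section (UPX0) that the stub fills at run time, the compressed code and unpacker in UPX1 where the entry point sits, and resources in .rsrc. The two input images are constructed inside the block with struct (header-only PE32 files, not bytes from the analysed sample), the 7.0 bits/byte threshold is a heuristic, and nothing here depends on pefile. On a real file, `upx -d` restores the original when the UPX header is intact; when it has been tampered with, the memory regions the sandbox dumped at the original entry point (the 0x400000-0x435000 dumps listed under Files) are the unpacked image to work from.

```python
"""Hand-rolled static packer triage for PE files: section names, the section
that holds the entry point, and that section's byte entropy.
Added example for this report; the test images are constructed below and are
not bytes from the analysed sample. Standard library only, no pefile."""
import hashlib
import math
import struct


def shannon_entropy(buf):
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform random bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Return (entry_rva, [section dict]) from a PE32 or PE32+ image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    (nsections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)  # AddressOfEntryPoint (same offset in PE32/PE32+)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                      # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return entry_rva, sections


def packer_verdict(pe):
    """Heuristic verdict; each reason is a sentence the analyst can quote in a report."""
    entry_rva, sections = parse_sections(pe)
    names = [s["name"] for s in sections]
    reasons = []
    if any(n.upper().startswith("UPX") for n in names):
        reasons.append("UPX section names present: " + ", ".join(names))
    entry_sec = next((s for s in sections
                      if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if entry_sec is not None and sections[0]["rawsize"] == 0 and entry_sec is not sections[0]:
        reasons.append("first section %s has no file data (unpack destination) while the entry point "
                       "%#x is in %s (unpacker stub)" % (names[0], entry_rva, entry_sec["name"]))
    if entry_sec is not None and entry_sec["entropy"] > 7.0:
        reasons.append("entry section %s has %.2f bits/byte of entropy (compressed or encrypted)"
                       % (entry_sec["name"], entry_sec["entropy"]))
    return {"packed": bool(reasons), "reasons": reasons, "sections": sections, "entry_rva": entry_rva}


def build_pe(entry_rva, layout):
    """Constructed header-only PE32 for testing. layout: [(name, vsize, va, raw_bytes, characteristics)]."""
    opt_size = 0xE0
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, opt_size, 0x010F)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    headers, body, rawptr = b"", b"", 0x200                # section data starts at file alignment 0x200
    for name, vsize, va, raw, chars in layout:
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw),
                               rawptr if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        rawptr += len(raw)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers
    if len(image) > 0x200:
        raise ValueError("too many sections for this toy builder")
    return image + b"\0" * (0x200 - len(image)) + body


# 4 KiB of deterministic pseudo-random bytes standing in for UPX-compressed code.
COMPRESSED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

# UPX-style layout: empty UPX0, compressed UPX1 holding the entry point, small .rsrc.
UPX_LIKE = build_pe(0x34F00, [
    (b"UPX0", 0x20000, 0x1000, b"", 0xE0000080),
    (b"UPX1", 0x15000, 0x21000, COMPRESSED, 0xE0000040),
    (b".rsrc", 0x1000, 0x36000, b"\0" * 256, 0xC0000040),
])

# Ordinary layout for contrast: entry point in a low-entropy .text section.
PLAIN = build_pe(0x1000, [
    (b".text", 0x1000, 0x1000, b"\x55\x8b\xec\x90" * 256, 0x60000020),
    (b".data", 0x1000, 0x2000, b"\0" * 512, 0xC0000040),
])

if __name__ == "__main__":
    for label, image in (("upx-like", UPX_LIKE), ("plain", PLAIN)):
        v = packer_verdict(image)
        print(label, "packed" if v["packed"] else "not packed")
        for s in v["sections"]:
            print("  %-8s va=%#07x vsize=%#07x raw=%#06x entropy=%.2f"
                  % (s["name"], s["va"], s["vsize"], s["rawsize"], s["entropy"]))
        for r in v["reasons"]:
            print("  -", r)
```

Run against a real file with `packer_verdict(open(path, "rb").read())`. The section-name check alone is easy to defeat by renaming sections, which is why the layout and entropy checks are there; conversely, a legitimately compressed installer or a .NET single-file bundle will score high on entropy, so treat the verdict as a prompt to unpack, not as a malice finding.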

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:29

Reported

2024-06-13 22:31

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Winlogon\Shell is a comma-separated list of programs started as the user's shell at logon, and its default is the bare value explorer.exe. Rewriting it to "C:\Windows\explorer.exe, c:\windows\system\explorer.exe" keeps the real desktop working while also launching the dropped copy from c:\windows\system at every logon; any value other than explorer.exe here is a reliable hunting indicator. Note the key path: the sample is 32-bit (it ran at.exe from SysWOW64), so this write was redirected into the WOW6432Node view, which the 64-bit winlogon.exe does not read. On this 64-bit image the entry is therefore likely inert, whereas on 32-bit Windows it would take effect. The RunOnce entries below are processed from both views.

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

UPX dump on OEP (original entry point)

11 events; no description, indicator, process or target recorded.

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Active Setup runs a component's StubPath once per user at logon, whenever the HKLM component has not yet been mirrored into that user's HKCU\Software\Microsoft\Active Setup\Installed Components. Legitimate component names are GUIDs; {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} and {F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} contain letters outside 0-9A-F and cannot be GUIDs, and both StubPath values point into the user profile (%APPDATA%\mrsys.exe). Either property is cheap to check across a fleet. The delete/create pairs show svchost.exe rewriting both entries during the run, so expect them to be re-created if removed while the dropped processes are alive.

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

UPX packed file

upx
11 events; no description, indicator, process or target recorded.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
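The Winlogon, ShowSuperHidden, Active Setup and RunOnce tables above together describe how the sample survives a reboot and hides its files. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses event lines in exactly the format printed above (five of them, copied from the behavioral2 tables, are embedded as constructed input) and applies the four checks a hunter would carry over to endpoint telemetry: Winlogon\Shell must be exactly explorer.exe; Active Setup component keys must be GUIDs and their StubPath should not point into a user profile; Run/RunOnce and StubPath targets that borrow a system binary's name (explorer.exe, svchost.exe, spoolsv.exe) must sit in that binary's real directory; ShowSuperHidden set to 0 hides system files from the user. The rule names and the EXPECTED_DIRS table are this example's own conventions, not anything the sandbox defines.

```python
"""Triage registry events in the format the sandbox prints above and flag the
persistence and masquerading patterns this sample uses. Added example; the
event lines are copied from the behavioral2 tables and the rules are heuristics."""
import ntpath
import re

# Where the Windows binaries this sample impersonates legitimately live (lower-case).
# A bare "explorer.exe" is the default Winlogon Shell value and is allowed.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", ""},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
SET_RE = re.compile(r'^Set value \((?:str|int)\) (\\REGISTRY\\.+?) = "(.*?)" (\S+) N/A$')
KEY_RE = re.compile(r"^Key (created|deleted) (\\REGISTRY\\.+?) (\S+) N/A$")

# Constructed input: one line per signature table of interest, copied from the report above.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
"""


def parse_events(text):
    """Yield (kind, key_path, value_name, data, process) tuples; lines in other formats are skipped."""
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            key, data, proc = m.groups()
            key, name = key.rsplit("\\", 1)
            yield "set", key, name, data.replace("\\\\", "\\"), proc   # undo the report's \\ escaping
            continue
        m = KEY_RE.match(line)
        if m:
            kind, key, proc = m.groups()
            yield "key_" + kind, key, None, None, proc


def masquerades(exe_path):
    """True when a Windows system binary's name is used from a directory it never lives in."""
    path = exe_path.strip().lower()
    name = ntpath.basename(path)
    return name in EXPECTED_DIRS and ntpath.dirname(path) not in EXPECTED_DIRS[name]


def triage(text):
    """Return a de-duplicated, ordered list of (rule, detail, writing_process) findings."""
    findings = []
    for kind, key, name, data, proc in parse_events(text):
        k = key.lower()
        if "\\active setup\\installed components\\" in k:
            component = key.rsplit("\\", 1)[-1]
            if not GUID_RE.match(component):               # real Active Setup components are GUIDs
                findings.append(("active_setup_bad_guid", component, proc))
        if kind != "set":
            continue
        n = name.lower()
        if k.endswith("\\winlogon") and n == "shell":
            entries = [e.strip() for e in data.split(",")]  # Shell is a comma-separated program list
            if len(entries) != 1 or entries[0].lower() not in ("explorer.exe", r"c:\windows\explorer.exe"):
                findings.append(("winlogon_shell_modified", data, proc))
            findings.extend(("masquerading_path", e, proc) for e in entries if masquerades(e))
        elif k.endswith("\\explorer\\advanced") and n == "showsuperhidden" and data == "0":
            findings.append(("hides_system_files", name, proc))
        elif re.search(r"\\currentversion\\run(once)?$", k) or n == "stubpath":
            exe = data.split(" ")[0]                       # drop trailing arguments such as RO / MR
            findings.append(("autorun_entry", "%s = %s" % (name, data), proc))
            if masquerades(exe):
                findings.append(("masquerading_path", exe, proc))
            if n == "stubpath" and "\\appdata\\" in exe.lower():
                findings.append(("stubpath_in_user_profile", exe, proc))
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for rule, detail, proc in triage(SAMPLE_EVENTS):
        print("%-26s %s  (written by %s)" % (rule, detail, proc))
```

On the five embedded lines the script produces eight findings across all six rules; the masquerading hit for c:\windows\system\explorer.exe is raised once even though both the Winlogon and RunOnce events point at it. The same rules transfer directly to Sysmon event 13 (registry value set) or EDR registry telemetry, where the key path and data fields replace the sandbox's line format.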

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Process Events
C:\Users\Admin\AppData\Local\Temp\4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b.exe 2
\??\c:\windows\system\explorer.exe 34
\??\c:\windows\system\svchost.exe 28
(64 events; no description, indicator or target recorded.)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Process Target Writes
PID 3708 wrote to memory of 668 C:\Users\Admin\AppData\Local\Temp\4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b.exe \??\c:\windows\system\explorer.exe 3
PID 668 wrote to memory of 1612 \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe 3
PID 1612 wrote to memory of 3672 \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe 3
PID 3672 wrote to memory of 4720 \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe 3
PID 3672 wrote to memory of 2208 \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe 3
PID 3672 wrote to memory of 2916 \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe 3
PID 3672 wrote to memory of 2332 \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe 3
(21 events; identical rows collapsed into the Writes column. No indicator recorded.)

Processes

C:\Users\Admin\AppData\Local\Temp\4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b.exe
    "C:\Users\Admin\AppData\Local\Temp\4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b.exe"

\??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe
    c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe
    at 22:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\at.exe
    at 22:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe
    at 22:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Read together with the WriteProcessMemory pairs above, this list is consistent with a fixed launch chain: the sample (PID 3708) starts c:\windows\system\explorer.exe (668), which starts spoolsv.exe with the argument SE (1612), which starts svchost.exe (3672), which in turn starts a second spoolsv.exe with the argument PR (4720) and three at.exe instances (2208, 2916, 2332). Every stage borrows the name of a Windows binary but runs from c:\windows\system, a directory in which the real explorer.exe, spoolsv.exe and svchost.exe never live, so path alone identifies the chain. The at.exe command lines try to schedule c:\windows\system\svchost.exe daily at 22:31, 22:32 and 22:33; on Windows 8 and later at.exe is deprecated and only prints an error instead of creating the job, so on this Windows 10 image the jobs most likely never registered (the Windows 7 run, behavioral1, is where they would). The msedge.exe utility process is background activity of the analysis VM, not something the sample started.

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Every row is either a reverse-DNS (PTR) query to 8.8.8.8 for an address in Microsoft, Google or CDN space, or a TLS connection to Google (172.217.169.74) or Microsoft (13.107.253.64) address space. Nothing here is distinguishable from the normal background traffic of the Windows 10 image and its Edge browser, no destination that could serve as a command-and-control indicator appears, and the Windows 7 run (behavioral1) recorded no network activity at all. This report therefore yields no network IOCs; the file-system and registry artefacts are the usable indicators.

Files

memory/3708-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\System\explorer.exe

MD5 8fce4a89085070a0eb496587470d2fbb
SHA1 c399d7ad64528837eb736012bea5f8f1ef042420
SHA256 6396c045ca4349e57c26bade1c8da412c3f54bbca5daa0a0fa528f74dc595edb
SHA512 f7225920e119d15cd3fa102b14faf3ed2ab2e04d14cd6fb09768e6584bef77e7e1e6b05c7e01886d6d011730e62e925c8fda4b2d8b8f516c7be11e5f28d9f6e1

C:\Windows\System\spoolsv.exe

MD5 0933875b2ec7954faf452997cc1180ab
SHA1 c44001e2bcfe30f092b8ad6c21d3bf2376de298c
SHA256 d599fa40463eb2ef46b27cbba54bbd011abd30849fe703cd3204eb50c6d7cd36
SHA512 6d729c452355744d95aff4c5e7a9f72cc2d58210fa13e09feb554344c4102348aadc8b9c10f62b2199fea2f026dfe65e85bff13c3228c6dbd4629939a959b612

C:\Windows\System\svchost.exe

MD5 e422906dee0d390a8efc47f4fb15fe8d
SHA1 29a9ab26ccb21e07a976e989d65cc93a6e7d7b13
SHA256 f984e1ef4b92dba27a254936017a06781b8493be7d2a01c06a718a0e12098b41
SHA512 10aec4bcb044ff453c82ea50dc60b4753e45c4427e78caaee7cfe8db35b7956ef8470382bcc354fd01792b206f52650a176acb05cb5d16ba6dd6dc4c4efefa2d

memory/4720-32-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 305aaad006e01c29e06217a8dbd0a52d
SHA1 52832ac5a2ec1b2c77122d4c6cd53a37b32b162d
SHA256 a8251b91e087aeb754520f4c86372ad705742b499dbadc8d864782e35c78b87e
SHA512 db36ccb8271f804e45d326264af2768fca6ff86574917a5a0198ef491adf890f8b4824a5b6e0366d9a6d55a33d05ffba327542361cc95328fe8d5a19f6396a67

memory/1612-36-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3708-37-0x0000000000400000-0x0000000000435000-memory.dmp

memory/668-38-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3672-39-0x0000000000400000-0x0000000000435000-memory.dmp

memory/668-50-0x0000000000400000-0x0000000000435000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:29

Reported

2024-06-13 22:31

Platform

win7-20240419-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

UPX dump on OEP (original entry point)

14 events; no description, indicator, process or target recorded.

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

UPX packed file

upx
14 events; no description, indicator, process or target recorded.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Process Events
C:\Users\Admin\AppData\Local\Temp\4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b.exe 1
\??\c:\windows\system\explorer.exe 32
\??\c:\windows\system\svchost.exe 31
(64 events; no description, indicator or target recorded.)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Process Target Writes
PID 3008 wrote to memory of 1720 C:\Users\Admin\AppData\Local\Temp\4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b.exe \??\c:\windows\system\explorer.exe 4
PID 1720 wrote to memory of 2668 \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe 4
PID 2668 wrote to memory of 1796 \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe 4
PID 1796 wrote to memory of 2888 \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe 4
PID 1796 wrote to memory of 2572 \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe 4
PID 1796 wrote to memory of 2812 \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe 4
PID 1796 wrote to memory of 716 \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe 4
(28 events; identical rows collapsed into the Writes column. No indicator recorded.)

Processes

C:\Users\Admin\AppData\Local\Temp\4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b.exe
    "C:\Users\Admin\AppData\Local\Temp\4b1fee5d2a1c6ffbb0e2f2fcc7c061e08badce1a788a48360f877302f2025d1b.exe"

\??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe
    c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe
    at 22:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe
    at 22:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe
    at 22:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

The chain is the same as on Windows 10, with different PIDs: sample (3008) to c:\windows\system\explorer.exe (1720) to spoolsv.exe SE (2668) to svchost.exe (1796), which starts spoolsv.exe PR (2888) and three at.exe instances (2572, 2812, 716). Unlike Windows 10, Windows 7 still honours at.exe, so here the three commands register daily AT jobs that relaunch c:\windows\system\svchost.exe at 22:31, 22:32 and 22:33, a fourth persistence mechanism alongside the Winlogon Shell, RunOnce and Active Setup entries. Check the Task Scheduler's AT jobs when remediating a Windows 7 host.

Network

N/A

Files

memory/3008-0-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\system\explorer.exe

MD5 57e14d7d15d338e7c6a4b3eadcc7b152
SHA1 f4456af4c73b8bbcbcf2067cb12ad8463d80849b
SHA256 fcfea2b1449c978f111c93e0f0372b97e764b407cf7a1cc955f1beed6205ba7c
SHA512 fc194b3c415a1a2d929c578f6ef45e326f0b2f0156574ac198019ed61056dcb2b3efdd2e522226c22270ee33a6826cefe56a19bc2c6fbf991e3cb6f84f895068

memory/3008-8-0x0000000002830000-0x0000000002865000-memory.dmp

memory/3008-14-0x0000000002830000-0x0000000002865000-memory.dmp

\Windows\system\spoolsv.exe

MD5 d247a0a3a87e2910fa941d3090969535
SHA1 53dcf81da5a9612c16f8b55b21363090540a3f53
SHA256 a31f78a127af66409354648e09dadd679877ed7b55ecc32948bc3e1f485a0288
SHA512 f7002002cd399a245e40f7c1f6ebea94bc044e06ebc835fc0eab0382a895666a6a86bccd5a5c0d5cb67f493fdaef970505e9f6e2975ca77e911a7a896c684e7d

memory/2668-29-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1720-28-0x0000000000510000-0x0000000000545000-memory.dmp

\Windows\system\svchost.exe

MD5 6c4e0d8924351cc78428f591383eb904
SHA1 0800d5d6d65386b387208aa5c9d094e60495a88d
SHA256 b84d6e68e813442bf0913999000d32021469f63aed0a637606c7c25675976e6e
SHA512 d403436ae81edaa461fcc1bdc8071524cde353a9d7b571a01d01ae2d9186f2ea8a0b6370c7466d619782e9dfd3cf734f5bc5fcdc469e9660c5f64c3b40f1b690

memory/1796-46-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2888-55-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3008-61-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2668-60-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 afd9b7c9d9b916cbffe0e4bbec628c43
SHA1 4066d698b966837f07c4158bb56ef46ae862b9b3
SHA256 036d33f3468f244a8c88ff96b24ec1fc9772e63da9a410f9b47367919ce62c0c
SHA512 0ed72cadf60b026ff2e1f39b02a22c314151b4fe7943d09cbc63f1d8491a041aa137dfed97a69d76d772d1c8748e00b5cae0f9909c4ba700da0208ac3a9b2005

memory/1796-64-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1720-63-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1720-73-0x0000000000400000-0x0000000000435000-memory.dmp

The dropped explorer.exe, spoolsv.exe, svchost.exe and mrsys.exe carry different hashes in this Windows 7 run than in the Windows 10 run (behavioral2), and none of them matches the submitted sample, so the on-disk copies are rewritten on each infection and their hashes are poor indicators. Hunt instead on the paths (c:\windows\system\explorer.exe, spoolsv.exe, svchost.exe and udsys.exe, plus %APPDATA%\mrsys.exe), the registry values listed under Signatures, and the at.exe command line. Every memory dump above is 0x35000 bytes long, most of them at the image base 0x400000, which is consistent with the sandbox capturing the unpacked image at the original entry point in each process; that dump, rather than the packed file, is the right input for hashing, clustering and static analysis.