Malware Analysis Report

2024-09-09 19:31

Sample ID 240613-2g4k9atakd
Target 4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37
SHA256 4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37
Tags: evasion, persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37

Threat Level: Known bad

The file 4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:34

Reported

2024-06-13 22:36

Platform

win7-20240611-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe \??\c:\windows\system\explorer.exe
PID 2204 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe \??\c:\windows\system\explorer.exe
PID 2204 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe \??\c:\windows\system\explorer.exe
PID 2204 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe \??\c:\windows\system\explorer.exe
PID 2276 wrote to memory of 2760 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2276 wrote to memory of 2760 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2276 wrote to memory of 2760 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2276 wrote to memory of 2760 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2760 wrote to memory of 2576 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2760 wrote to memory of 2576 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2760 wrote to memory of 2576 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2760 wrote to memory of 2576 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2576 wrote to memory of 2604 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2576 wrote to memory of 2604 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2576 wrote to memory of 2604 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2576 wrote to memory of 2604 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2576 wrote to memory of 2436 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 2436 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 2436 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 2436 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 1628 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 1628 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 1628 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 1628 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 1832 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 1832 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 1832 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 1832 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe

"C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2204-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2204-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2204-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2204-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2204-4-0x0000000000401000-0x000000000042E000-memory.dmp

\Windows\system\explorer.exe

MD5 53da0eeb690d344765f46dc2eee2c77d
SHA1 03d14c1ef2bf4b2482fae47f57a2ed312bc1554a
SHA256 b02deeed58749001d6c2b00d61810816bc7253fe0fc0aedc0217282e09a810fa
SHA512 ebb81ec74f0b470c3d4811d3f91a73de3171bea47f4c2e7a9c664376da561095e296e2d68ebb503a31ac7552748c9cd0674a84eac849311facc38a769ab76c1b

memory/2276-20-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2204-19-0x0000000002D30000-0x0000000002D61000-memory.dmp

memory/2276-17-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\spoolsv.exe

MD5 93e940d0be5b31fef98d5cfe6d8d00bd
SHA1 a21fbdfce4e384ecd27fa3d73d836d3bb1d136eb
SHA256 319493326495e42cfd61f8739e04afb24d4e36daa9a547a0cd50fd492cc56567
SHA512 d5760a477eeaa4f874520b6021a4c67e60261d3796c941b2675d76a177a0aee81c6c16e501075a49f50af063cea1b590e9f7670ffc6b6434805d757459872622

memory/2276-35-0x0000000002520000-0x0000000002551000-memory.dmp

memory/2760-36-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2276-34-0x0000000002520000-0x0000000002551000-memory.dmp

memory/2760-37-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2760-41-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 ba9d488a72ad7da4f68b7e49b77f096d
SHA1 74c801dbd77e0a5168bdd21b7599e79598968087
SHA256 46ff9a4cad7f13f81bfe7a2e50c8d12340f46179d6a15d42e25788c7922faad0
SHA512 00c3bd32562a2df6cb87eb9beddf1fabf31438cead2d3c75bc02fef3524668f159ac32f9970e6c255bad473ad878af636456f49b06a536bdacd25ea8f543c92c

memory/2760-52-0x0000000002750000-0x0000000002781000-memory.dmp

memory/2576-54-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2576-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2204-62-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2604-68-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2276-67-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2576-66-0x0000000002460000-0x0000000002491000-memory.dmp

memory/2204-64-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2604-69-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2604-75-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2204-79-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2760-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2204-78-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 cae987b21848ef30f587a6f606c677db
SHA1 9ca2f88f24ef6d108eb822f69938f4b66e5201fe
SHA256 943ad9d60d131fcdbbbac5e269a5bcdbe2327a29ff553640e4295490e205284a
SHA512 b5b7b2937185de304094fb8150e1d207cd38abb39b78b1d64baa444fd61e83608dfb601f697a8a05f5d2d8e1c02060047135eabc27e67c97d67e36d28fbdef9f

memory/2276-83-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2576-84-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2276-93-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:34

Reported

2024-06-13 22:36

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3792 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe \??\c:\windows\system\explorer.exe
PID 3792 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe \??\c:\windows\system\explorer.exe
PID 3792 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe \??\c:\windows\system\explorer.exe
PID 1020 wrote to memory of 3588 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1020 wrote to memory of 3588 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1020 wrote to memory of 3588 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3588 wrote to memory of 4800 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3588 wrote to memory of 4800 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3588 wrote to memory of 4800 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4800 wrote to memory of 1532 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4800 wrote to memory of 1532 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4800 wrote to memory of 1532 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4800 wrote to memory of 4428 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4800 wrote to memory of 4428 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4800 wrote to memory of 4428 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4800 wrote to memory of 2788 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4800 wrote to memory of 2788 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4800 wrote to memory of 2788 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4800 wrote to memory of 1056 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4800 wrote to memory of 1056 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4800 wrote to memory of 1056 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe

"C:\Users\Admin\AppData\Local\Temp\4d403332a9b89a996a224239c047250c038c8d011ddc7bd8c694c6442058ab37.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Files

memory/3792-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3792-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3792-2-0x0000000075480000-0x00000000755DD000-memory.dmp

memory/3792-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3792-5-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 34d24eec289970bcdc41f525589c862b
SHA1 f37ae8fba89e404ddec14f2c213b5ef84a2c3e3f
SHA256 467858ca476e45a691aaeed3b1521cb1ff233bdfebc2d69eead29f02f3139530
SHA512 195a926c79737e356f95f8371821e9e2a5a419114255cfcda772e569fe5d681b274a8667154d1b2068f2df905bb00dc2158538fce6fede817e408d51997c2930

memory/1020-13-0x0000000075480000-0x00000000755DD000-memory.dmp

memory/1020-15-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 88f110f863791488a945fe9c44fea4b8
SHA1 9289f092bcbbc4bdc92035133fd769110ce20190
SHA256 c3d29bb40896f1559d6dcf2ab5df4ab4a786181e0105dfa42ead700dac6c508f
SHA512 b64656aa9cbf99d8496c949de6686700acfbf37ee256095636b154d4b5a7ac38a81c9e00fbf0b46a5306d555a0b739eef6c4d0c0200897229973d408e5fa00a2

memory/3588-24-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3588-25-0x0000000075480000-0x00000000755DD000-memory.dmp

C:\Windows\System\svchost.exe

MD5 d2f8d3445d1b8623630f17d214ad5f09
SHA1 12410a70908e1a7b6645ae8cff98c04adafcca24
SHA256 242665628e8e2dcca68dba9e740834af243631b310393a9c2a6c4199a07c8013
SHA512 45f3e2081e20146c57cf175381ecefbd9e316684a3c0486bc94b93b521cf07e2b9c23bf8936bf5422b3f4b01660fb36b95e62b48bf503be82117fe10e6860514

memory/4800-34-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4800-36-0x0000000075480000-0x00000000755DD000-memory.dmp

memory/4800-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1532-43-0x0000000075480000-0x00000000755DD000-memory.dmp

memory/1532-51-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3588-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3792-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3792-54-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 ba181dad95022578cb4c5b36cd4fbe94
SHA1 6d009519495d5480c913eb8af8a646be69fabf4d
SHA256 6a675b58a65ee705d0afe566528c473634f4db8e973c42b33c31648982abdf29
SHA512 b34ac311729a6fb96724a7c4f9d7832247b2a88e8ddf4b7eca2eccbf3a7c4528ceb317f19b5a7fa7c95e4b4e5b475cf51beab7a58b5b529db7f56d597bdc760a

memory/1020-56-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4800-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1020-67-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e