Malware Analysis Report

2024-09-09 20:15

Sample ID 240613-2ghnsaxalj
Target 4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62
SHA256 4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62
Tags: evasion persistence

Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62

Threat Level: Known bad

The file 4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-13 22:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 22:33
Reported: 2024-06-13 22:35
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
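The persistence and evasion signatures above are all registry writes of a recognisable shape: a second, comma-separated entry in Winlogon\Shell; Active Setup Installed Components whose names are not valid GUIDs (they contain letters outside 0-9/A-F) and whose StubPath points into a user profile; RunOnce entries that launch explorer.exe/svchost.exe from c:\windows\system, the legacy directory rather than System32; and ShowSuperHidden forced to 0 so protected OS files stay hidden in Explorer. The Python below is an added example, not part of the sandbox report, that encodes those four checks as rules and runs them over events constructed from the behavioral2 "Set value" rows (backslashes unescaped, value name split from the key path). The RegWrite/Finding types, the rule names and the EXPECTED_DIR table are assumptions of this example, not sandbox fields.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Active Setup component names should be GUIDs in braces. The names in this
# report ({Y479C6D0-OTRW-...}, {F146C9B1-VMVQ-...}) contain non-hex letters.
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)
ACTIVE_SETUP_RE = re.compile(r"\\active setup\\installed components\\(\{[^\\]*\})", re.I)

# Image names the sample reuses, mapped to the directory Windows keeps them in
# (assumed table). c:\windows\system, without "32", is where the sample drops.
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
}


@dataclass(frozen=True)
class RegWrite:
    key: str        # key path as the sandbox prints it
    name: str       # value name
    data: str       # value data as a string
    process: str    # image of the writing process


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    process: str


def image_of(data: str) -> str:
    """Executable path from a command-line-like value, lower-cased."""
    d = data.strip()
    if d.startswith('"'):
        return d[1 : d.find('"', 1)].lower()
    return d.split(" ", 1)[0].lower()


def masquerade_reason(path: str) -> Optional[str]:
    """Well-known image name living outside its real directory (T1036.005)."""
    directory, _, base = path.rpartition("\\")
    expected = EXPECTED_DIR.get(base)
    if expected and directory != expected:
        return f"{base} expected in {expected}, found in {directory}"
    return None


def analyze(writes: List[RegWrite]) -> List[Finding]:
    findings: List[Finding] = []
    for w in writes:
        key, name = w.key.lower(), w.name.lower()

        # Winlogon\Shell (T1547.004): only explorer.exe belongs here; a second
        # comma-separated entry is launched at every interactive logon.
        if key.endswith("\\winlogon") and name == "shell":
            for shell in (s.strip() for s in w.data.split(",")):
                if image_of(shell) not in ("explorer.exe", r"c:\windows\explorer.exe"):
                    findings.append(Finding("winlogon_shell_extra", shell, w.process))

        # Active Setup (T1547.014): malformed component GUID, or a StubPath
        # that executes from a user profile instead of an installer location.
        m = ACTIVE_SETUP_RE.search(w.key)
        if m:
            if not GUID_RE.match(m.group(1)):
                findings.append(Finding("active_setup_bad_guid", m.group(1), w.process))
            if name == "stubpath" and "\\users\\" in image_of(w.data):
                findings.append(Finding("active_setup_user_stubpath", w.data, w.process))

        # Run / RunOnce (T1547.001) pointing at a system-named binary in the wrong place.
        if key.endswith(("\\run", "\\runonce")):
            reason = masquerade_reason(image_of(w.data))
            if reason:
                findings.append(Finding("run_key_masquerade", reason, w.process))

        # ShowSuperHidden = 0 (T1564.001) hides files carrying hidden+system attributes.
        if key.endswith("\\explorer\\advanced") and name == "showsuperhidden" and w.data.strip('"') == "0":
            findings.append(Finding("super_hidden_off", w.key, w.process))
    return findings


# Constructed from the behavioral2 "Set value" rows; the last entry is a benign
# control (the normal Shell value) that must not be flagged.
SAMPLE_WRITES = [
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
             "shell", r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe",
             r"c:\windows\system\explorer.exe"),
    RegWrite(r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
             "ShowSuperHidden", "0", r"c:\windows\system\explorer.exe"),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}",
             "StubPath", r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR",
             r"c:\windows\system\explorer.exe"),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
             "Svchost", r"c:\windows\system\svchost.exe RO", r"c:\windows\system\svchost.exe"),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
             "shell", "explorer.exe", r"c:\windows\system32\msiexec.exe"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_WRITES):
        print(f"{f.rule:28} {f.process:40} {f.detail}")
```

The rules key on the shape of the write, not on the sample's particular GUIDs or paths, so they carry over to variants that rotate those values; on a live host the same (key, name, data) triples can be read with the winreg module and fed to analyze() unchanged.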

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4788 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe | \??\c:\windows\system\explorer.exe
PID 4788 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe | \??\c:\windows\system\explorer.exe
PID 4788 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe | \??\c:\windows\system\explorer.exe
PID 2604 wrote to memory of 1236 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2604 wrote to memory of 1236 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2604 wrote to memory of 1236 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 1236 wrote to memory of 4672 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 1236 wrote to memory of 4672 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 1236 wrote to memory of 4672 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 4672 wrote to memory of 2092 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 4672 wrote to memory of 2092 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 4672 wrote to memory of 2092 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 4672 wrote to memory of 2340 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 4672 wrote to memory of 2340 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 4672 wrote to memory of 2340 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 4672 wrote to memory of 844 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 4672 wrote to memory of 844 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 4672 wrote to memory of 844 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 4672 wrote to memory of 1708 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 4672 wrote to memory of 1708 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 4672 wrote to memory of 1708 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

Process chain as indicated by the WriteProcessMemory rows above (indentation shows parent/child, PIDs are taken from those rows; each entry gives the image path, then its command line). The three at.exe children are PIDs 2340, 844 and 1708; the report does not say which job line belongs to which PID, so they are listed in the order given.

PID 4788  C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe
          "C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe"
  PID 2604  \??\c:\windows\system\explorer.exe
            c:\windows\system\explorer.exe
    PID 1236  \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
      PID 4672  \??\c:\windows\system\svchost.exe
                c:\windows\system\svchost.exe
        PID 2092  \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe PR
        C:\Windows\SysWOW64\at.exe
                  at 22:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe
                  at 22:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe
                  at 22:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
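The WriteProcessMemory table and the process list together describe one chain: the submitted sample starts its copy as c:\windows\system\explorer.exe, which starts spoolsv.exe (argument SE), which starts svchost.exe, which starts a second spoolsv.exe (argument PR) and three at.exe jobs that re-launch svchost.exe every day of the week at three consecutive minutes, in the interactive session. The Python below is an added example, not part of the sandbox output: it rebuilds that tree from rows constructed from the behavioral2 table (the report's duplicate rows for the first child are kept to show they collapse) and parses the at.exe command lines into a structure a detection can reason about. The reading of "PID A wrote to memory of B" as A being B's creating process is an assumption of this example, stated in the code; the Edge/AtJob types and flag texts are mine.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Row shape used by the report; paths in this report contain no spaces.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
AT_RE = re.compile(r"^at\s+(?P<time>\d{1,2}:\d{2})\s+(?P<rest>.+)$", re.I)


class Edge(NamedTuple):
    parent: int          # assumption: the writer is the creating process
    child: int
    parent_image: str
    child_image: str


class AtJob(NamedTuple):
    time: str
    interactive: bool
    days: List[str]
    command: str


def parse_rows(text: str) -> List[Edge]:
    """One Edge per distinct (parent, child) pair; the sandbox emits a row
    for every write into the new child, so pairs repeat."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and (int(m[1]), int(m[2])) not in seen:
            seen.add((int(m[1]), int(m[2])))
            edges.append(Edge(int(m[1]), int(m[2]), m[3], m[4]))
    return edges


def build_tree(edges: List[Edge]):
    """children[pid] -> child PIDs in report order, images[pid] -> image, roots."""
    children: Dict[int, List[int]] = defaultdict(list)
    images: Dict[int, str] = {}
    for e in edges:
        children[e.parent].append(e.child)
        images.setdefault(e.parent, e.parent_image)
        images.setdefault(e.child, e.child_image)
    all_children = {e.child for e in edges}
    return children, images, [p for p in children if p not in all_children]


def render(children, images, pid: int, depth: int = 0) -> List[str]:
    lines = [f"{'  ' * depth}{pid} {images[pid]}"]
    for c in children.get(pid, []):
        lines.extend(render(children, images, c, depth + 1))
    return lines


def parse_at(cmdline: str) -> Optional[AtJob]:
    """Split an at.exe job-creation line into time, switches and target."""
    m = AT_RE.match(cmdline.strip())
    if not m:
        return None
    interactive, days, rest = False, [], m["rest"].split()
    while rest and rest[0].startswith("/"):        # switches precede the command
        flag = rest.pop(0).lower()
        if flag == "/interactive":
            interactive = True
        elif flag.startswith("/every:"):
            days = flag[len("/every:"):].split(",")
    return AtJob(m["time"], interactive, days, " ".join(rest))


def flag_job(job: AtJob) -> List[str]:
    """Reasons a job deserves attention; all three apply to this sample."""
    reasons = []
    if job.interactive:
        reasons.append("/interactive: runs in the logged-on user's session")
    if len(job.days) == 7:
        reasons.append("/every: with all seven days, i.e. daily persistence")
    if "\\windows\\system\\" in job.command.lower():
        reasons.append("target lives in c:\\windows\\system, not System32")
    return reasons


# Constructed from the behavioral2 tables above (duplicate rows kept for 4788->2604).
WPM_ROWS = r"""
PID 4788 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe \??\c:\windows\system\explorer.exe
PID 4788 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe \??\c:\windows\system\explorer.exe
PID 2604 wrote to memory of 1236 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1236 wrote to memory of 4672 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4672 wrote to memory of 2092 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4672 wrote to memory of 2340 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4672 wrote to memory of 844 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4672 wrote to memory of 1708 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
"""
AT_LINES = [
    r"at 22:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    r"at 22:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    r"at 22:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
]

if __name__ == "__main__":
    children, images, roots = build_tree(parse_rows(WPM_ROWS))
    for root in roots:
        print("\n".join(render(children, images, root)))
    for line in AT_LINES:
        job = parse_at(line)
        print(job.time, job.command, flag_job(job))
```

The short arguments the copies are started with (SE and PR in the process list, RO from the RunOnce values, MR from the Active Setup StubPath) are recorded by the report but not interpreted by it, so the example carries them through in the command field rather than assigning them meaning. The \??\PIPE\atsvc entry in the Files list is the named pipe of the legacy AT scheduler service, which is what these at.exe invocations talk to.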

Network

Files

memory/4788-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4788-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/4788-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4788-2-0x00000000755C0000-0x000000007571D000-memory.dmp

memory/4788-5-0x0000000000401000-0x000000000042E000-memory.dmp

\??\c:\windows\system\explorer.exe

MD5 b3c1ab72242ffa1dbed50935c90cc790
SHA1 f03fe3699e24a5dbf886186de3155be3062a1c3d
SHA256 254ed4ea65a8d89d723b0ceeed12d43806c88699de731483a89879f3b9493f0f
SHA512 93747ade67032f4a68cdaae4c92723b2fee1c902504e025bd37a95eb1a80ee668fd324b243aaab3c20120041ffb10e48e22a2f9c0eb5ad9849e967e98971eb99

memory/2604-14-0x00000000755C0000-0x000000007571D000-memory.dmp

memory/2604-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2604-13-0x0000000000400000-0x0000000000431000-memory.dmp

\??\c:\windows\system\spoolsv.exe

MD5 4e88c6898fc78eb5b5c576fb914fc7c6
SHA1 c80c5dd0f362bb62f77167f2371e1c99de011ad4
SHA256 32f026270bba9f457f248925f5b20e82b7a4bcdb1421c20f91c0a240647f4d4a
SHA512 0867881771c99df959fe312d49cce42fe51cb64753fce3f671a7ab606f532460c11cdf93bf63b2007e0f82dcd1150fa494c4f1d96d78ad3bf945383c1400737d

memory/1236-27-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1236-25-0x00000000755C0000-0x000000007571D000-memory.dmp

\??\c:\windows\system\svchost.exe

MD5 1693b242b8e42ac97ed55c95abd1d5b7
SHA1 16df0efe4afc4079aa97551641e51e1b7542590f
SHA256 99c9bb06fa878ced711a6636df9299ebd516eee46574409b27bc1ad1b863120e
SHA512 a4340a274b55e898c1aeda151f0a949040c9c9fce3d4621aae74ec914005974a5f03f47cb1bf32342c0c53de2779eb359717ede8604eded90a84e2c0bcff8bf9

memory/4672-36-0x00000000755C0000-0x000000007571D000-memory.dmp

memory/4788-45-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2092-43-0x00000000755C0000-0x000000007571D000-memory.dmp

memory/4672-40-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2092-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4788-58-0x0000000000401000-0x000000000042E000-memory.dmp

memory/4788-57-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 182117a266478b8c8aeaed0404fcd72f
SHA1 89ff6564a6c28dae64e963d6045de4244884d182
SHA256 149a7027abfc7974fa76eb5a4cd9c9188e87b6a573ca7b17c413e55c39e65b7c
SHA512 d3a0bc9eec4d1f69ca4e2e6b0469edfb13b694f48dc5a24b2a1fb8997422f6876e67d84dc579ac400d1b2cf44613a759bec6c3516f70c1261d783d52a7ae5626

memory/1236-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2604-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4672-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2604-70-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 22:33
Reported: 2024-06-13 22:35
Platform: win7-20240611-en
Max time kernel: 150s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1756 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe | \??\c:\windows\system\explorer.exe
PID 1756 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe | \??\c:\windows\system\explorer.exe
PID 1756 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe | \??\c:\windows\system\explorer.exe
PID 1756 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe | \??\c:\windows\system\explorer.exe
PID 1460 wrote to memory of 2800 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 1460 wrote to memory of 2800 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 1460 wrote to memory of 2800 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 1460 wrote to memory of 2800 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2800 wrote to memory of 2588 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2800 wrote to memory of 2588 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2800 wrote to memory of 2588 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2800 wrote to memory of 2588 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2588 wrote to memory of 2488 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2588 wrote to memory of 2488 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2588 wrote to memory of 2488 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2588 wrote to memory of 2488 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2588 wrote to memory of 2380 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 2380 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 2380 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 2380 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 572 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 572 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 572 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 572 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 2372 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 2372 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 2372 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 2372 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

Process chain as indicated by the WriteProcessMemory rows above (indentation shows parent/child, PIDs are taken from those rows; each entry gives the image path, then its command line). The three at.exe children are PIDs 2380, 572 and 2372; the report does not say which job line belongs to which PID, so they are listed in the order given.

PID 1756  C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe
          "C:\Users\Admin\AppData\Local\Temp\4cc7ad437210c6063e246a845ce9549499ba1fe2836a43171b9d91045dbd6e62.exe"
  PID 1460  \??\c:\windows\system\explorer.exe
            c:\windows\system\explorer.exe
    PID 2800  \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
      PID 2588  \??\c:\windows\system\svchost.exe
                c:\windows\system\svchost.exe
        PID 2488  \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe PR
        C:\Windows\SysWOW64\at.exe
                  at 22:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe
                  at 22:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe
                  at 22:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/1756-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/1756-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1756-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1756-3-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\explorer.exe

MD5 2551627d0f4688dc244a8d1efa0faa4c
SHA1 0f092e5e6172a773d5ec8629e78297efd3433583
SHA256 01bf81eb280f0d48941b652b7989c3cb1481870cbfc9724b4a132de6b2c6ee22
SHA512 3bfc28c83169e308c63e6e6c360eb1c102f43d583033201ffb6f8431003d502b8ed9926401641d16c6b3792f2d1a6c03a0898acb06c7a4f91b58d6fd199b97cd

memory/1756-12-0x0000000002560000-0x0000000002591000-memory.dmp

memory/1756-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1756-18-0x0000000002560000-0x0000000002591000-memory.dmp

memory/1460-20-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1460-22-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 d8eecf3f5e9d9ad972ac935d319b82c9
SHA1 4993747c3d45e9bbd8787562e03fbc74c49a151e
SHA256 ce56cc37da7f07e1bfab47ecf7445c863373412ade7936d80ce6b96d7396b633
SHA512 8bfc6a31c275ab49039ff9d42b07b3de08c05eaa211b3dfc3d173e34da376fe86b0c95117b68e256cec7fee1d19e7db3292f003a6167699fde2f8b558515b553

\Windows\system\svchost.exe

MD5 875adf781e752e959eefd65d94c198f3
SHA1 5e99842c6b703d79340804829783b9787bb333de
SHA256 98e81ce9b06a87adb2f31caa2d74b25cdcbbe96d23c22b03575c6e6b18c3a77a
SHA512 0e5428a5ddfb7c820cbc2dd8e5360c32000ca3aa92ab8891badc045cfede21c31dbbac75de69a9fcff71a9c0e7912ed99a957b64204d351efe1a370c80846399

memory/2588-54-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1460-66-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2488-67-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1756-79-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1756-78-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2800-76-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 3ddcab4789937d1aca4f6d2a6f9aeacc
SHA1 af07b5a8ac8f61f773433c796904ed3d4d0d4de7
SHA256 523438e24c2a818cb3c7d2fe945696a7f3cc2494ea008b4fb7eb13d1c18462f3
SHA512 3ca81e5744dd50aa6c95e7a459685abfe3cf48bde0dcebde1128d572f41bf24c0fa5f9f85a8b3f6cdf3443f9efbcbf0a8675b373c87f4b0fe3012fa79e8f7927

memory/2488-72-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2588-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1756-58-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2588-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2588-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1756-52-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2800-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2800-36-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1460-19-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2588-82-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1460-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1460-91-0x0000000000400000-0x0000000000431000-memory.dmp