Malware Analysis Report

2024-09-09 19:59

Sample ID: 240613-2hgswaxaqk
Target: 4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64
SHA256: 4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64
Tags: evasion, persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64

Threat Level: Known bad

The file 4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-13 22:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 22:34
Reported: 2024-06-13 22:37
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2012 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe | \??\c:\windows\system\explorer.exe
PID 2012 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe | \??\c:\windows\system\explorer.exe
PID 2012 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe | \??\c:\windows\system\explorer.exe
PID 2012 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe | \??\c:\windows\system\explorer.exe
PID 2016 wrote to memory of 2568 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2016 wrote to memory of 2568 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2016 wrote to memory of 2568 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2016 wrote to memory of 2568 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2568 wrote to memory of 2136 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2568 wrote to memory of 2136 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2568 wrote to memory of 2136 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2568 wrote to memory of 2136 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2136 wrote to memory of 2600 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2136 wrote to memory of 2600 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2136 wrote to memory of 2600 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2136 wrote to memory of 2600 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2136 wrote to memory of 2536 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2136 wrote to memory of 2536 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2136 wrote to memory of 2536 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2136 wrote to memory of 2536 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2136 wrote to memory of 1432 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2136 wrote to memory of 1432 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2136 wrote to memory of 1432 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2136 wrote to memory of 1432 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2136 wrote to memory of 1160 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2136 wrote to memory of 1160 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2136 wrote to memory of 1160 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2136 wrote to memory of 1160 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe
    "C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe"

\??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe
    c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe
    at 22:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe
    at 22:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe
    at 22:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2012-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2012-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2012-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2012-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2012-2-0x0000000072940000-0x0000000072A93000-memory.dmp

C:\Windows\system\explorer.exe

MD5 9dde6ed95c4510ee76c88d556c1e5f04
SHA1 2969dd6aaaa081d9c537bc8f82effa9810453e5c
SHA256 569217ec7cf445fc4b25f395d666a8eb86bac77c82df13779dca2770bfabf33e
SHA512 36f05d118a025ec00072f0425830bc908047aaf4c6dfcd9c38366900b22357b3f810c2bfbf63a0d767bcc34b80e042ad45bc9cbe62af723df547052eca47e48d

memory/2016-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2016-30-0x0000000002760000-0x0000000002791000-memory.dmp

\??\c:\windows\system\spoolsv.exe

MD5 4b21aa099d52022d82e02a299d5a7169
SHA1 00b2b7781c2f9ccb5b00c83106b8f40dff3bcfc9
SHA256 6f22076be7bc948bd87bd5452ae679560fc3028b23301553bf9857150b66bb01
SHA512 58122d509173ccafee6a8d09f193077e90d5f564fc6ef463d375dd95b0cd6782e22ff9d7082f5a476243d542e6a65734f2bbcba37416e37c87ddc3ce87b6c6ba

memory/2568-36-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2568-37-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\system\svchost.exe

MD5 0f95dbac7773add93aeaae3053218d3b
SHA1 9939d3a75eda0337069177dbd54ac5b1065601ab
SHA256 34af6d2ab0159a773b77c43773fa795c1f985a104f0507abc067bae00eb959f2
SHA512 07e78fb0d94334e3f36b19257173bfbd47cb7785c55f1755dc5d24065318fc4df14fb4f6b08c816dda7172a7464f43fce82601a9666befb2983ee4e2b80ba5a0

memory/2136-54-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2136-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2136-66-0x0000000002630000-0x0000000002661000-memory.dmp

memory/2600-72-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 b39320d2bc9f675c82db787849a82038
SHA1 c3990fef10bc62dc020ecebde224855d4a3b657d
SHA256 4c0d08fc1f2cb7cc095485f4fc77566703609d6d5823c9d53da7e4cec227e8d4
SHA512 a4009f247de8ef1c86baeb38ad2de15b95c095c1e3809eb9ab170c2451a1a992736be9bf7fdc3628e091e31c010234a711975a901e5eac25a532a2627fbe2205

memory/2012-78-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2012-77-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2568-76-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2600-67-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2016-65-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2012-59-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2012-53-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2568-51-0x00000000024A0000-0x00000000024D1000-memory.dmp

memory/2016-21-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2016-19-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2012-17-0x00000000026C0000-0x00000000026F1000-memory.dmp

memory/2016-80-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2136-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2016-90-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 22:34
Reported: 2024-06-13 22:37
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3448 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe | \??\c:\windows\system\explorer.exe
PID 3448 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe | \??\c:\windows\system\explorer.exe
PID 3448 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe | \??\c:\windows\system\explorer.exe
PID 2692 wrote to memory of 432 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 432 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 432 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 432 wrote to memory of 1688 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 432 wrote to memory of 1688 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 432 wrote to memory of 1688 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 1688 wrote to memory of 4384 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 1688 wrote to memory of 4384 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 1688 wrote to memory of 4384 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 1688 wrote to memory of 4932 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1688 wrote to memory of 4932 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1688 wrote to memory of 4932 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1688 wrote to memory of 4424 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1688 wrote to memory of 4424 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1688 wrote to memory of 4424 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1688 wrote to memory of 3696 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1688 wrote to memory of 3696 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1688 wrote to memory of 3696 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe
    "C:\Users\Admin\AppData\Local\Temp\4d4d150ea7ab931bf478f87ff50f27db49f00401ed1199a2c35274c3d2de3c64.exe"

\??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe
    c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe
    at 22:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe
    at 22:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe
    at 22:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Files

memory/3448-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3448-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3448-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3448-2-0x0000000075840000-0x000000007599D000-memory.dmp

memory/3448-4-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 4ff7a51988544d98c1284f6a1396d762
SHA1 83c0650756faf9f2ad24dc5369ba158267fc9cbf
SHA256 279f95533e3418d7d1874238e842c8064720a57a0500bef744b0aa91f029a0a4
SHA512 70504bdb14219697959a47ddd594d1773bc1d48a294c1efd2b1a7dccb4cdae0a8b65c219744710254118844202cf82d617f81a7a19815c75195471f269d35320

memory/2692-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2692-16-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2692-14-0x0000000075840000-0x000000007599D000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 832aa299e9c4b0dec8081e3ef51d90ba
SHA1 701a18fab3a918a2d3ecee6b6218ee0500a04fbd
SHA256 8bb6c28cc8108f2ca266e7fb5a9e63e7c4e613cafb1eb7b1a06ee5060b3867dd
SHA512 850ae6d31a614edbed6ff8d1fd3a85e163c37de33b8c6951cbd4bcd755969cf8ad0a393b1c911a672824884d5e37fd10328de4ae0a83186e4f3a7dbbc8002151

memory/432-25-0x0000000000400000-0x0000000000431000-memory.dmp

memory/432-26-0x0000000075840000-0x000000007599D000-memory.dmp

memory/432-31-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 311da4696f2326e317528326e1bcff87
SHA1 dab6e830fd12bb22cb8647ac5fbc54052604e9ff
SHA256 5434cb1b0b0f14b9c7d8fb0f1ee713c06c33624fff43b4b76a83a585f839f454
SHA512 2885127012adeb8034b3b6b0ceab0c3a4edee5de4c4dfa61e5a45dd44ecacb08c11acc56ba0957140cb3f3acb15e71b1ce1d5d5c3b9294635619a3344beba201

memory/1688-37-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1688-38-0x0000000075840000-0x000000007599D000-memory.dmp

memory/4384-44-0x0000000075840000-0x000000007599D000-memory.dmp

memory/4384-50-0x0000000000400000-0x0000000000431000-memory.dmp

memory/432-54-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 bf9cc5add97a43190c73d3430a3b7653
SHA1 65f9b5424016137810130fa8db2fc3317c4a5522
SHA256 9da3a8613ac12a79d493c9bcba538cc8a94fcab0fabfcdf32961c320814f4242
SHA512 182aa73e2b52444e5bea858b6464b2418fe0acfc91acb8d0d1af0498cf140c10f83efdcc5f3f2aa63c8f457b1536d53f7f328586f2e4536102f5ee291ab55af9

memory/3448-56-0x0000000000401000-0x000000000042E000-memory.dmp

memory/3448-55-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2692-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1688-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2692-69-0x0000000000400000-0x0000000000431000-memory.dmp