Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 22:49
Static task: static1
Behavioral task: behavioral1
  Sample: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe
  Resource: win10v2004-20240226-en
General
Target: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe
Size: 65KB
MD5: 398dd1e0b169bd264f59437fcdc8ce96
SHA1: 323f022e6b734875afa6f74e5765787092dc6717
SHA256: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870
SHA512: 6c89d4ae1b20660e8a7c460395290698bc6fc10a9ab564ff8c0948f725f7897ced02121a968e7c75d0fca2f4647ee1b00a68b007740e583f7be3797a873f8518
SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuF:7WNqkOJWmo1HpM0MkTUmuF
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: svchost.exe, explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: svchost.exe, explorer.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
2424 | explorer.exe
2616 | spoolsv.exe
2672 | svchost.exe
2496 | spoolsv.exe
Loads dropped DLL (8 IoCs)
Processes: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe, explorer.exe, spoolsv.exe, svchost.exe
pid | process | hits
2104 | 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe | 2
2424 | explorer.exe | 2
2616 | spoolsv.exe | 2
2672 | svchost.exe | 2
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
Processes: svchost.exe, explorer.exe, 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe, spoolsv.exe
description | ioc | process
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe, explorer.exe, svchost.exe
pid | process | hits
2104 | 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe | 1
2424 | explorer.exe | 32
2672 | svchost.exe | 31
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
pid | process
2424 | explorer.exe
2672 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process | hits
2104 | 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe | 2
2424 | explorer.exe | 4
2616 | spoolsv.exe | 2
2672 | svchost.exe | 2
2496 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe, explorer.exe, spoolsv.exe, svchost.exe
description | pid | process | target pid | target process | hits
wrote to memory of | 2104 | 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe | 2424 | explorer.exe | 4
wrote to memory of | 2424 | explorer.exe | 2616 | spoolsv.exe | 4
wrote to memory of | 2616 | spoolsv.exe | 2672 | svchost.exe | 4
wrote to memory of | 2672 | svchost.exe | 2496 | spoolsv.exe | 4
wrote to memory of | 2672 | svchost.exe | 1784 | at.exe | 4
wrote to memory of | 2672 | svchost.exe | 2032 | at.exe | 4
wrote to memory of | 2672 | svchost.exe | 1944 | at.exe | 4
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  (depth 2) \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (depth 3) \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      (depth 4) \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        (depth 5) \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        (depth 5) C:\Windows\SysWOW64\at.exe
          Command line: at 22:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        (depth 5) C:\Windows\SysWOW64\at.exe
          Command line: at 22:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        (depth 5) C:\Windows\SysWOW64\at.exe
          Command line: at 22:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
C:\Users\Admin\AppData\Roaming\mrsys.exe
  Filesize: 65KB
  MD5: ac96345989637a928bca0989adef625e
  SHA1: 69643238ac0fa55b375aae937a848fd19ba4310c
  SHA256: bcab1f059f844d21b78025826dfdbe6b9f4f661800675058c0861ad89600bb3b
  SHA512: 277ea8e6f4050b4df094fef69287e4dc77fd1f3611f49747bcc28f93c5a605581286ab9a02992d30d340a60b805f56b88c3f435a88807252d39a995e8761c12e

C:\Windows\system\svchost.exe
  Filesize: 65KB
  MD5: e88968d71777a8f7f9e319a73799ad9c
  SHA1: b5641d04ae5d1040698f2b210d6de9954432191c
  SHA256: 5974125c186429669b8b9d46677b24e900f61477fd9ba112b12bd502223f55f9
  SHA512: 49ecbc98213a6afd9871b86b21651931bccdc226b17cd832e6d340d5d56737c146d29d081cc65c6df279ffe4e820b2f98d54dd1f2af2a1c3add5f320f56b33ed

\Windows\system\explorer.exe
  Filesize: 65KB
  MD5: 5cb4fd174f1c0afaa5f35e108ef0ba1d
  SHA1: 8072fde6a9b6dfbbca11f65a4643af0ca83fe297
  SHA256: e1435b626b61ca3b46c7a95e6dd1893e951f672286d7b08e6ba517e1203ee9ff
  SHA512: d6de2c2caef58f2bd664574dca7d45dc1793d946b700765974cb24dad43455d62e08531cb24cc6c892e8bb38d05b9b66bb906389c6409cc25a2e4e7c92763b87

\Windows\system\spoolsv.exe
  Filesize: 65KB
  MD5: 7a525a85003a8c10263b82ce1dff3a7e
  SHA1: 96cbeae5b338ebd4bbd06458fab5787dfa35cf3a
  SHA256: 0323550c71c87a370bdc88327d86fe4b9abcd90ab40a62e5b671bcbf2359e752
  SHA512: 8242e97d33e09c84a524050c916e036a70bdee615a66e5341f92ba01ed0b3216fd60f54a899d1ef3671cc96cb51bd7d6be738837f8def78a68537d1f4ee3488b
Memory dumps (path | Filesize)
memory/2104-3-0x0000000000400000-0x0000000000431000-memory.dmp | 196KB
memory/2104-4-0x0000000000401000-0x000000000042E000-memory.dmp | 180KB
memory/2104-0-0x0000000000400000-0x0000000000431000-memory.dmp | 196KB
memory/2104-17-0x0000000002AE0000-0x0000000002B11000-memory.dmp | 196KB
memory/2104-81-0x0000000000401000-0x000000000042E000-memory.dmp | 180KB
memory/2104-80-0x0000000000400000-0x0000000000431000-memory.dmp | 196KB
memory/2104-2-0x0000000000020000-0x0000000000024000-memory.dmp | 16KB
memory/2104-1-0x0000000072940000-0x0000000072A93000-memory.dmp | 1.3MB
memory/2424-93-0x0000000000400000-0x0000000000431000-memory.dmp | 196KB
memory/2424-82-0x0000000000400000-0x0000000000431000-memory.dmp | 196KB
memory/2424-35-0x0000000002850000-0x0000000002881000-memory.dmp | 196KB
memory/2424-34-0x0000000002850000-0x0000000002881000-memory.dmp | 196KB
memory/2424-23-0x0000000000400000-0x0000000000431000-memory.dmp | 196KB
memory/2424-19-0x0000000072940000-0x0000000072A93000-memory.dmp | 1.3MB
memory/2424-18-0x0000000000400000-0x0000000000431000-memory.dmp | 196KB
memory/2496-73-0x0000000000400000-0x0000000000431000-memory.dmp | 196KB
memory/2496-65-0x0000000072940000-0x0000000072A93000-memory.dmp | 1.3MB
memory/2496-71-0x0000000000400000-0x0000000000431000-memory.dmp | 196KB
memory/2616-37-0x0000000072940000-0x0000000072A93000-memory.dmp | 1.3MB
memory/2616-75-0x0000000000400000-0x0000000000431000-memory.dmp | 196KB
memory/2616-42-0x0000000000400000-0x0000000000431000-memory.dmp | 196KB
memory/2616-46-0x0000000000400000-0x0000000000431000-memory.dmp | 196KB
memory/2672-70-0x0000000002740000-0x0000000002771000-memory.dmp | 196KB
memory/2672-59-0x0000000000400000-0x0000000000431000-memory.dmp | 196KB
memory/2672-55-0x0000000072940000-0x0000000072A93000-memory.dmp | 1.3MB
memory/2672-54-0x0000000000400000-0x0000000000431000-memory.dmp | 196KB
memory/2672-84-0x0000000000400000-0x0000000000431000-memory.dmp | 196KB