Analysis
Max time kernel: 151s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-06-2024 22:49

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe
  Resource: win7-20240508-en
- Behavioral task: behavioral2
  Sample: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe
  Resource: win10v2004-20240226-en
General
Target: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe
Size: 65KB
MD5: 398dd1e0b169bd264f59437fcdc8ce96
SHA1: 323f022e6b734875afa6f74e5765787092dc6717
SHA256: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870
SHA512: 6c89d4ae1b20660e8a7c460395290698bc6fc10a9ab564ff8c0948f725f7897ced02121a968e7c75d0fca2f4647ee1b00a68b007740e583f7be3797a873f8518
SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuF:7WNqkOJWmo1HpM0MkTUmuF
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: svchost.exe, explorer.exe
- svchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- svchost.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- svchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- svchost.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- explorer.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
- PID 816: explorer.exe
- PID 2004: spoolsv.exe
- PID 3228: svchost.exe
- PID 4788: spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: svchost.exe, explorer.exe
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
Drops file in Windows directory (6 IoCs)
Processes: explorer.exe, svchost.exe, 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe, spoolsv.exe
- explorer.exe: File opened for modification \??\c:\windows\system\explorer.exe
- svchost.exe: File opened for modification \??\c:\windows\system\svchost.exe
- explorer.exe: File opened for modification C:\Windows\system\udsys.exe
- 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe: File opened for modification \??\c:\windows\system\explorer.exe
- explorer.exe: File opened for modification \??\c:\windows\system\spoolsv.exe
- spoolsv.exe: File opened for modification \??\c:\windows\system\svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe, explorer.exe, svchost.exe
The sandbox recorded 64 hits; the distinct PID/process pairs, each hit many times, are:
- PID 1424: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe
- PID 816: explorer.exe
- PID 3228: svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
- PID 816: explorer.exe
- PID 3228: svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
- PID 1424: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe (2 hits)
- PID 816: explorer.exe (4 hits)
- PID 2004: spoolsv.exe (2 hits)
- PID 3228: svchost.exe (2 hits)
- PID 4788: spoolsv.exe (2 hits)
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe, explorer.exe, spoolsv.exe, svchost.exe
Each source/target pair below was recorded three times:
- PID 1424 (51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe) wrote to memory of PID 816 (explorer.exe)
- PID 816 (explorer.exe) wrote to memory of PID 2004 (spoolsv.exe)
- PID 2004 (spoolsv.exe) wrote to memory of PID 3228 (svchost.exe)
- PID 3228 (svchost.exe) wrote to memory of PID 4788 (spoolsv.exe)
- PID 3228 (svchost.exe) wrote to memory of PID 3276 (at.exe)
- PID 3228 (svchost.exe) wrote to memory of PID 568 (at.exe)
- PID 3228 (svchost.exe) wrote to memory of PID 4332 (at.exe)
Processes
(Indentation shows the process tree; the bracketed number is the depth the sandbox reported.)

[1] C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\windows\system\explorer.exe
        Command line: c:\windows\system\explorer.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] \??\c:\windows\system\svchost.exe
                Command line: c:\windows\system\svchost.exe
                - Modifies WinLogon for persistence
                - Modifies visibility of hidden/system files in Explorer
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] \??\c:\windows\system\spoolsv.exe
                    Command line: c:\windows\system\spoolsv.exe PR
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx

                [5] C:\Windows\SysWOW64\at.exe
                    Command line: at 22:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

                [5] C:\Windows\SysWOW64\at.exe
                    Command line: at 22:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

                [5] C:\Windows\SysWOW64\at.exe
                    Command line: at 22:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4024 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
  Filesize: 65KB
  MD5: 9e6b1c19ce222b1ef9478486ddc8b4d2
  SHA1: 55f22d8cba77af269ce3186582835790180c0ce3
  SHA256: ba3161f698581fab77ec1c5f4bb87f354c6ca16513cbe76eadf2afc2d9615ba5
  SHA512: a9295b89e9788f2623741bdc0e7f87b4406c6f27970f9c83cd0f3cb4d2f6df4a8b3b76ae4ed969f9bfb7269078597ed3383c32155099e8f9e3d8aa684ea34073

C:\Windows\System\explorer.exe
  Filesize: 65KB
  MD5: 2f1c660eae189a2b14806e59906e0bf8
  SHA1: 786861354f4983e0cd501f4cd597048eae031f20
  SHA256: d340d5dfaa5d9af4fa137241fe105a5ac1d4b9f3e400026fe60ed9aa0a4bf4f9
  SHA512: 711f4027d59d3895e7ef70c5fbea1f5711f0637050f795f9d9f43572cc91936ebf0424a38c2b8c8e718d6f83312fa45e270adc6d3950970a0752754c74b09b17

C:\Windows\System\spoolsv.exe
  Filesize: 65KB
  MD5: d739877da042b07d851865a11711b8d9
  SHA1: 85f6ece84364738bab9b0a05675c9ea5a519508e
  SHA256: c8021e4dfd69349c7c71a1e09c395a419c7642d9509ee8e8a40376ddd0e7aa49
  SHA512: 3a3cad3531e52ce56a1a4e3f9964f92b707afca22d2d2e4739cca2bd938cf02a8bdffdf92630b49391cbfb7dfea6f75636ba84195a7c1d7ae5cf5edb9f5d8af2

C:\Windows\System\svchost.exe
  Filesize: 65KB
  MD5: 1fa376fc91ae42dc9785449116a39e4f
  SHA1: af1e1d14c4fa5e9177d67e7e64d826d00adfc620
  SHA256: eb849d2b2682b78ed400b795bc4d6b3ea33d0fd1c2ff255563632f8d1b7d5d05
  SHA512: b8a5bafefc01357cacc7474c9dea71ee085a550baf4d2438593c06f8e8074a4aebddbbd085bca0987c187a83a0e48f0a5d60c01ebfa78fde8ee6dc379be99133

\??\PIPE\atsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Memory dumps (dump name, filesize):
- memory/816-73-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/816-60-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/816-13-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/816-14-0x0000000075480000-0x00000000755DD000-memory.dmp, 1.4MB
- memory/816-16-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/1424-36-0x00000000001C0000-0x00000000001C4000-memory.dmp, 16KB
- memory/1424-57-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/1424-1-0x00000000001C0000-0x00000000001C4000-memory.dmp, 16KB
- memory/1424-0-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/1424-3-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/1424-43-0x0000000000401000-0x000000000042E000-memory.dmp, 180KB
- memory/1424-46-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/1424-2-0x0000000075480000-0x00000000755DD000-memory.dmp, 1.4MB
- memory/1424-4-0x0000000000401000-0x000000000042E000-memory.dmp, 180KB
- memory/1424-58-0x0000000000401000-0x000000000042E000-memory.dmp, 180KB
- memory/2004-25-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/2004-26-0x0000000075480000-0x00000000755DD000-memory.dmp, 1.4MB
- memory/2004-55-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/3228-38-0x0000000075480000-0x00000000755DD000-memory.dmp, 1.4MB
- memory/3228-62-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/3228-44-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/3228-37-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/4788-52-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/4788-47-0x0000000075480000-0x00000000755DD000-memory.dmp, 1.4MB