Malware Analysis Report

2024-09-09 20:14

Sample ID 240613-2rw9xstemg
Target 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870
SHA256 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870

Threat Level: Known bad

The file 51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:49

Reported

2024-06-13 22:52

Platform

win7-20240508-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe \??\c:\windows\system\explorer.exe
PID 2104 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe \??\c:\windows\system\explorer.exe
PID 2104 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe \??\c:\windows\system\explorer.exe
PID 2104 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe \??\c:\windows\system\explorer.exe
PID 2424 wrote to memory of 2616 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2424 wrote to memory of 2616 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2424 wrote to memory of 2616 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2424 wrote to memory of 2616 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2616 wrote to memory of 2672 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2616 wrote to memory of 2672 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2616 wrote to memory of 2672 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2616 wrote to memory of 2672 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2672 wrote to memory of 2496 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2672 wrote to memory of 2496 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2672 wrote to memory of 2496 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2672 wrote to memory of 2496 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2672 wrote to memory of 1784 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 1784 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 1784 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 1784 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 2032 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 2032 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 2032 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 2032 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 1944 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 1944 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 1944 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 1944 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe

"C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2104-2-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2104-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2104-1-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2104-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2104-3-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\explorer.exe

MD5 5cb4fd174f1c0afaa5f35e108ef0ba1d
SHA1 8072fde6a9b6dfbbca11f65a4643af0ca83fe297
SHA256 e1435b626b61ca3b46c7a95e6dd1893e951f672286d7b08e6ba517e1203ee9ff
SHA512 d6de2c2caef58f2bd664574dca7d45dc1793d946b700765974cb24dad43455d62e08531cb24cc6c892e8bb38d05b9b66bb906389c6409cc25a2e4e7c92763b87

memory/2424-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2104-17-0x0000000002AE0000-0x0000000002B11000-memory.dmp

memory/2424-19-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2424-23-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 7a525a85003a8c10263b82ce1dff3a7e
SHA1 96cbeae5b338ebd4bbd06458fab5787dfa35cf3a
SHA256 0323550c71c87a370bdc88327d86fe4b9abcd90ab40a62e5b671bcbf2359e752
SHA512 8242e97d33e09c84a524050c916e036a70bdee615a66e5341f92ba01ed0b3216fd60f54a899d1ef3671cc96cb51bd7d6be738837f8def78a68537d1f4ee3488b

C:\Windows\system\svchost.exe

MD5 e88968d71777a8f7f9e319a73799ad9c
SHA1 b5641d04ae5d1040698f2b210d6de9954432191c
SHA256 5974125c186429669b8b9d46677b24e900f61477fd9ba112b12bd502223f55f9
SHA512 49ecbc98213a6afd9871b86b21651931bccdc226b17cd832e6d340d5d56737c146d29d081cc65c6df279ffe4e820b2f98d54dd1f2af2a1c3add5f320f56b33ed

memory/2616-46-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2616-42-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2616-37-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2424-35-0x0000000002850000-0x0000000002881000-memory.dmp

memory/2424-34-0x0000000002850000-0x0000000002881000-memory.dmp

memory/2672-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2672-55-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2672-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2496-65-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2616-75-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2496-73-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2496-71-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2672-70-0x0000000002740000-0x0000000002771000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 ac96345989637a928bca0989adef625e
SHA1 69643238ac0fa55b375aae937a848fd19ba4310c
SHA256 bcab1f059f844d21b78025826dfdbe6b9f4f661800675058c0861ad89600bb3b
SHA512 277ea8e6f4050b4df094fef69287e4dc77fd1f3611f49747bcc28f93c5a605581286ab9a02992d30d340a60b805f56b88c3f435a88807252d39a995e8761c12e

memory/2104-81-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2104-80-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2424-82-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2672-84-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2424-93-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:49

Reported

2024-06-13 22:52

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1424 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe \??\c:\windows\system\explorer.exe
PID 1424 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe \??\c:\windows\system\explorer.exe
PID 1424 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe \??\c:\windows\system\explorer.exe
PID 816 wrote to memory of 2004 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 816 wrote to memory of 2004 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 816 wrote to memory of 2004 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2004 wrote to memory of 3228 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2004 wrote to memory of 3228 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2004 wrote to memory of 3228 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3228 wrote to memory of 4788 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3228 wrote to memory of 4788 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3228 wrote to memory of 4788 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3228 wrote to memory of 3276 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3228 wrote to memory of 3276 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3228 wrote to memory of 3276 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3228 wrote to memory of 568 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3228 wrote to memory of 568 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3228 wrote to memory of 568 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3228 wrote to memory of 4332 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3228 wrote to memory of 4332 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3228 wrote to memory of 4332 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe

"C:\Users\Admin\AppData\Local\Temp\51fb2a086644269d7813b251e6520581716cf48c06a4f10b809aa1dd7c23d870.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4024 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\at.exe

at 22:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
GB 142.250.200.42:443 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

memory/1424-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1424-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/1424-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1424-2-0x0000000075480000-0x00000000755DD000-memory.dmp

memory/1424-4-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 2f1c660eae189a2b14806e59906e0bf8
SHA1 786861354f4983e0cd501f4cd597048eae031f20
SHA256 d340d5dfaa5d9af4fa137241fe105a5ac1d4b9f3e400026fe60ed9aa0a4bf4f9
SHA512 711f4027d59d3895e7ef70c5fbea1f5711f0637050f795f9d9f43572cc91936ebf0424a38c2b8c8e718d6f83312fa45e270adc6d3950970a0752754c74b09b17

memory/816-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/816-14-0x0000000075480000-0x00000000755DD000-memory.dmp

memory/816-16-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 d739877da042b07d851865a11711b8d9
SHA1 85f6ece84364738bab9b0a05675c9ea5a519508e
SHA256 c8021e4dfd69349c7c71a1e09c395a419c7642d9509ee8e8a40376ddd0e7aa49
SHA512 3a3cad3531e52ce56a1a4e3f9964f92b707afca22d2d2e4739cca2bd938cf02a8bdffdf92630b49391cbfb7dfea6f75636ba84195a7c1d7ae5cf5edb9f5d8af2

memory/2004-25-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2004-26-0x0000000075480000-0x00000000755DD000-memory.dmp

C:\Windows\System\svchost.exe

MD5 1fa376fc91ae42dc9785449116a39e4f
SHA1 af1e1d14c4fa5e9177d67e7e64d826d00adfc620
SHA256 eb849d2b2682b78ed400b795bc4d6b3ea33d0fd1c2ff255563632f8d1b7d5d05
SHA512 b8a5bafefc01357cacc7474c9dea71ee085a550baf4d2438593c06f8e8074a4aebddbbd085bca0987c187a83a0e48f0a5d60c01ebfa78fde8ee6dc379be99133

memory/3228-37-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1424-36-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3228-38-0x0000000075480000-0x00000000755DD000-memory.dmp

memory/3228-44-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1424-43-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1424-46-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4788-47-0x0000000075480000-0x00000000755DD000-memory.dmp

memory/4788-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2004-55-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1424-58-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1424-57-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 9e6b1c19ce222b1ef9478486ddc8b4d2
SHA1 55f22d8cba77af269ce3186582835790180c0ce3
SHA256 ba3161f698581fab77ec1c5f4bb87f354c6ca16513cbe76eadf2afc2d9615ba5
SHA512 a9295b89e9788f2623741bdc0e7f87b4406c6f27970f9c83cd0f3cb4d2f6df4a8b3b76ae4ed969f9bfb7269078597ed3383c32155099e8f9e3d8aa684ea34073

memory/816-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3228-62-0x0000000000400000-0x0000000000431000-memory.dmp

memory/816-73-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e