Malware Analysis Report

2024-07-28 14:54

Sample ID: 240613-w7mgrs1hpn
Target: 005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f
SHA256: 005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f
Tags: evasion persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f

Threat Level: Known bad

The file 005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 18:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 18:33

Reported

2024-06-13 18:36

Platform

win7-20231129-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2060 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe | \??\c:\windows\system\explorer.exe
PID 3032 wrote to memory of 2576 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2576 wrote to memory of 2452 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2452 wrote to memory of 2116 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2452 wrote to memory of 2952 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2452 wrote to memory of 1984 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2452 wrote to memory of 1260 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe

"C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 18:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 18:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 18:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2060-2-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2060-1-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2060-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2060-0-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2060-6-0x0000000000401000-0x000000000042E000-memory.dmp

\Windows\system\explorer.exe

MD5 9081baa05cc9417ba30cdac2c5ba92d5
SHA1 5350e352e4e3b6631175f48a692e19345994c3f0
SHA256 8bdff063a379011b91c2b75588c305a9f06904c28138d30b21f6de83eee7a743
SHA512 cc305187c10c8aba718590379c0df859564b33fc67f8e7691bb672ccc884ea57a6f8f68af75534315a049e33c031833d94e28d042e51f15ef0e742487f61ff66

memory/3032-19-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/3032-21-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2060-17-0x00000000030E0000-0x0000000003111000-memory.dmp

memory/2060-16-0x00000000030E0000-0x0000000003111000-memory.dmp

\Windows\system\spoolsv.exe

MD5 42cc015a1a8d9f560c76e60c22cddbe5
SHA1 fd070e5ada0aed88830a2523e9c1a10b1a497463
SHA256 3e78aafd6d274b031d5edd98910725e88a5ed22ef1b89f6b00a54cdaeda68227
SHA512 fdfc97a7334b7f4d0c06c3392b5b44fc3a375428ed6f22d974a040e207fb7824322de71c4167748b4b356364dbd0dbb55d8fd9bc65d1712c1c272d9ff0a722ee

memory/3032-34-0x00000000024D0000-0x0000000002501000-memory.dmp

memory/2576-37-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2576-36-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2576-38-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2576-46-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 66301de6be5f91bb961b1d1959d6c5ff
SHA1 6d4e99506f7dc08ea802b523b5cd4a256e222751
SHA256 482c511ff90956b867b731234e71db6e385f06f8b6ffa7758830ff4dec796427
SHA512 fbd1c518b658fc826a1effe2bf41979d581b9971dc6d140aab233323355cb1c2459700a733dab1f0975dcba15febca1cbce7d599efe0423959063e84c9d979e1

memory/2452-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2452-65-0x0000000002500000-0x0000000002531000-memory.dmp

memory/2060-64-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2452-63-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2452-55-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2116-67-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2116-73-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2576-77-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2060-78-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2060-79-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 c93930d202169b408c92bdac71733fff
SHA1 240e4ac1d231390f3be4bae7bfb32fb8c2de3d4a
SHA256 4de5ae6a19d109d291e1461213460b041424904981fb0afd7e58b8a96713c402
SHA512 becf5da270f5bf7bacd64b5721e3e0f6256b7b37bb63a848e1d402b655fe5929e5dadfd9e19d149547b51f443e12d0248289f9ed1a2ae9f6bbb922c5a8a647fd

memory/3032-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2452-83-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3032-92-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 18:33

Reported

2024-06-13 18:36

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3132 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe | \??\c:\windows\system\explorer.exe
PID 3716 wrote to memory of 4596 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 4596 wrote to memory of 1840 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 1840 wrote to memory of 3732 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 1840 wrote to memory of 1352 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1840 wrote to memory of 5064 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1840 wrote to memory of 4896 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe

"C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 18:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4648,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8

C:\Windows\SysWOW64\at.exe

at 18:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 18:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.242.123.52.in-addr.arpa | udp

Files

memory/3132-1-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3132-2-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3132-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3132-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/3132-0-0x0000000074D50000-0x0000000074EAD000-memory.dmp

\??\c:\windows\system\explorer.exe

MD5 0c0cefba02830cab8e017c8da7776b5c
SHA1 2ecab143c640353a7329f97a8ca69660e3b324d7
SHA256 535bfef23b7831d8740738699657b454e2d8dc4dbc360dceb01cde5cd4f65d99
SHA512 e1942facb72b18f2baf7be7e3b8964b2c964de52739f37f569103ed6feaef12d9dda72cd813f3df491e4d6d7debf82aa22df706a631ccc66b07e5a20d00f922a

memory/3716-14-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3716-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3716-15-0x0000000074D50000-0x0000000074EAD000-memory.dmp

memory/3716-18-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 ae1a2e14097796f9e13556f97552f9f8
SHA1 4b1821affba2c43109b9f964e53fcaebd6332836
SHA256 6943d0a21fdad3330ff15d7dbbcf386ed988b464c5ae8d540b59d2c728872bf0
SHA512 435106c25cdb87b0160651a691fecadfeba0d0f728d286c7fca04c561a75071d88b494128cf2819018b0a64a588b29657e72eff558bd183fc766d0b98fe366ec

memory/4596-26-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4596-27-0x0000000074D50000-0x0000000074EAD000-memory.dmp

C:\Windows\System\svchost.exe

MD5 d77eb12eac003641bc199e5879c230b3
SHA1 f5d2fcfca834c42f3b9a578416d299707bd9fda9
SHA256 131fc7e6091880b9a3ba1321d8ac9204dfe19dc5058f99d332d186f0aecb28a0
SHA512 03f8af5feb5f236457b999189392847632c2659c25586af8682c15224f20b0275300faf4c6651d97eca3bff06515779f594f9c9c1239341506150fe0d0094d68

memory/1840-42-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1840-37-0x0000000074D50000-0x0000000074EAD000-memory.dmp

memory/3732-44-0x0000000074D50000-0x0000000074EAD000-memory.dmp

memory/3732-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4596-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3132-57-0x0000000000401000-0x000000000042E000-memory.dmp

memory/3132-56-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 11798790b4a1f566382067d7ca2c827f
SHA1 60d8205433a2dfe16fd4d05478c1bd255453e417
SHA256 99ebd1954d6cbaf7400f551a3fd3cb4eac99147087d3561e8d4a9b79183f0474
SHA512 c6051ef0d9a22a431ec7a1713221397935c5649d230b44fad3b58117991686bf17cb736da2193cfa73c9552c7bc4f982b18a5383d48fda326697d04eb04d28a5

memory/3716-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1840-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3716-70-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e