Malware Analysis Report

2024-07-28 14:55

Sample ID 240613-xl65qayalb
Target 005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe
SHA256 005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f
Tags: evasion persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f

Threat Level: Known bad

The file 005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-06-13 18:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 18:57

Reported

2024-06-13 19:00

Platform

win7-20240419-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe \??\c:\windows\system\explorer.exe
PID 3048 wrote to memory of 2620 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2620 wrote to memory of 2492 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2492 wrote to memory of 2460 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2492 wrote to memory of 1640 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2492 wrote to memory of 2876 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2492 wrote to memory of 1428 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe

"C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 18:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 19:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 19:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

\Windows\system\explorer.exe

MD5 95afdec53c17ba322d20d7e39346e688
SHA1 04edabdd5a6b2be4a0bb283b7b2a7d5a591d1883
SHA256 09ddcf8ef9132a142fd9d4f5775a6ef694c6cabaedac607905ccd94ee40351ab
SHA512 5bb56513d2fbdd21dd2766f35d39b1fe03eb810e4a2db8ec256a07c5549be5c221cf8eedf2d15212c152fbf92333d35f22e1d9f54deb55457bd225674c03cb4e

\Windows\system\spoolsv.exe

MD5 c41887b723265fb9e074c3e1e975a33e
SHA1 30882fc6f79bbbbd1c0bc6e162cf4bd3a3941bab
SHA256 5fdbb779ca808c7cfc9e3516ef4c8c47627f52a673bd27c94947dc635dbae1ff
SHA512 412c567b38e97ceae63f4206f9d25e3caea8be3577cbd85dc7f30f2a5f6ab1763ff818b8c041a90be3d9ec55e16e334fef21e742108b55d87c1925115bac0316

\Windows\system\svchost.exe

MD5 df3e4c6ed1b46a56955bb86294762d99
SHA1 8b20aaf2f2d28942e447dcb04a5d2f112daed6fb
SHA256 46664929ea247f814a8e57c22cce9b43de23bd5b027224d7360276937f90cba3
SHA512 4cfdbd38f4483ae507ab90ec7d2aa87c51f4027bc0f3676517bdd55720646663ff9c931b3b2e115e24947b7e3c480ea74cfb966c0799d96fc25d60dd337b2445

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 49b62cef500aa313cd712f5fefbd4d95
SHA1 3c4a0f9ee338162cb95f035d488eb4c4a726f5a8
SHA256 9a3b00315c28468f997425fb0585a7d38139f1d5fc68f9fe6836f0c3f6f6a7cf
SHA512 ffe313114ea645c823cfea20d5a64f660ec9b34e83718e2fd4acc0b5e009fc3d37e9bc38a222302bd2f0361fc087861b6110fc04d67dfc3abd3919192a8a99fb

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 18:57

Reported

2024-06-13 19:00

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe \??\c:\windows\system\explorer.exe
PID 3300 wrote to memory of 1164 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1164 wrote to memory of 3180 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3180 wrote to memory of 548 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3180 wrote to memory of 4176 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3180 wrote to memory of 960 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3180 wrote to memory of 4940 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe

"C:\Users\Admin\AppData\Local\Temp\005b257a3cda09e21bd2d93ce949b131f3be28b5d3916204b9df552de23e457f.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 18:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 19:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 19:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Windows\System\explorer.exe

MD5 b5571edf55c3f5d35fb8ff53d5550f45
SHA1 a098e58c95f40dcb90f277141e61fcdd914cc68c
SHA256 0360be85a4faece4304c41ee970e69ed0e0fbf423c5f9251436121f54176b061
SHA512 b3b2f6e1b18671f9d41fd291c44cf7652e59ec0bdc82705f74ff8cac49d9446dbc131394af7682a000684edcc79ed7fc48273fbb8423567c1d4355397264f534

C:\Windows\System\spoolsv.exe

MD5 61e2800d55e3f05bf858c87201c33ba8
SHA1 0a202d7202f0fa0dc4bb7805cd7ad48f8b2dca03
SHA256 db5a3ce616acc5b7cc83eb459a82bbfe02b98b012da246337279711693a79da6
SHA512 99b66a0c74d97328a522af3c6e979555dc398d7716df28aea2065b43cba019866fe3bce2a2b41d4d0a9e10cd8fd1b64f02258d50cf8ded1042751f0e37f6df51

C:\Windows\System\svchost.exe

MD5 8e7ce24cc856aa5cfd335c9f6c0d2cbd
SHA1 36b42bb9c9351bf4e9a27f0eea3cd5f371a9cf4d
SHA256 33eefacfdf6a83c9ed4b3b8393733d1d903333cb422c9fab2e1e9c0ed205e6c5
SHA512 fc7b66de0019ba8d7e2709c8be10d559ba010e601d8d2a3f350d2820a2e017e63cfcebaa1a49d76e1f8d25be62d10484c34fd342d6bba1796bd48e6e06c923c2

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 de14ad051998f9d40dccba2e8984b02d
SHA1 1744774091c40f08087bb0b14c93ad6666d16382
SHA256 f9a1c085e9b38949909e3cffec799ef17e8323315af3a227db1346c9f63c7f3d
SHA512 4f2665c1e43a70a139dcbf53e64b0060743c46eeade0e91c3613ffd60265552468d6bc193c8c63b1fe4f7a59bf80d03cbaa8038a4f24b02bc9069a83031a0879

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e