Malware Analysis Report

2024-09-09 19:13

Sample ID: 240613-xprjfascpq
Target: 0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f
SHA256: 0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f
Tags: evasion, persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f
Threat Level: Known bad

The file 0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Technique mapping for the signatures listed above (derived from those signatures; the rendered matrix is not reproduced here):

Persistence
  T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL (Winlogon\Shell rewritten to add c:\windows\system\explorer.exe)
  T1547.014 Boot or Logon Autostart Execution: Active Setup (Installed Components StubPath pointing at C:\Users\Admin\AppData\Roaming\mrsys.exe)
  T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (RunOnce\Explorer and RunOnce\Svchost)
  T1053.002 Scheduled Task/Job: At (three at.exe /every: jobs launching c:\windows\system\svchost.exe)
Defense Evasion
  T1564.001 Hide Artifacts: Hidden Files and Directories (ShowSuperHidden set to 0)
  T1036.005 Masquerading: Match Legitimate Name or Location (explorer.exe, svchost.exe and spoolsv.exe copies under c:\windows\system)
Discovery
  T1057 Process Discovery (EnumeratesProcesses)

Analysis: static1

Detonation Overview

Reported: 2024-06-13 19:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 19:02
Reported: 2024-06-13 19:04
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Rows
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f.exe | N/A | 1
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A | 33
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A | 30

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Rows
PID 2220 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f.exe | \??\c:\windows\system\explorer.exe | 4
PID 2092 wrote to memory of 1996 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe | 4
PID 1996 wrote to memory of 2564 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe | 4
PID 2564 wrote to memory of 2600 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | 4
PID 2564 wrote to memory of 2980 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 4
PID 2564 wrote to memory of 1484 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 4
PID 2564 wrote to memory of 2144 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 4

Processes

Process tree (parent/child links and PIDs taken from the WriteProcessMemory table above; the three at.exe instances are listed in the order they appear there):

C:\Users\Admin\AppData\Local\Temp\0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f.exe (PID 2220)
  cmd: "C:\Users\Admin\AppData\Local\Temp\0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f.exe"
  \??\c:\windows\system\explorer.exe (PID 2092)
    cmd: c:\windows\system\explorer.exe
    \??\c:\windows\system\spoolsv.exe (PID 1996)
      cmd: c:\windows\system\spoolsv.exe SE
      \??\c:\windows\system\svchost.exe (PID 2564)
        cmd: c:\windows\system\svchost.exe
        \??\c:\windows\system\spoolsv.exe (PID 2600)
          cmd: c:\windows\system\spoolsv.exe PR
        C:\Windows\SysWOW64\at.exe (PID 2980)
          cmd: at 19:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe (PID 1484)
          cmd: at 19:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe (PID 2144)
          cmd: at 19:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

Dropped files

\Windows\system\explorer.exe
MD5 e59699ea5fda12ebacf10d1436b150d5
SHA1 af3935da6b6ff66e5f8d7293229f9df66bcca37a
SHA256 29846a0bd36345444b7f27537d985e311dbdd8a543a70b35af3879fb0da75a9e
SHA512 91bd0229ad7fdb6da33f82e351ed967fb487f50d4bd2b10a6d60f909c632c80e847aaaee5240767e72636b774d80e6663ae5c8b3261b0878e225c9e2b477b694

\Windows\system\spoolsv.exe
MD5 ddd1c9e49ce889790fc4278f03786c40
SHA1 72945ce649f4069369be4f405b54f7146f83e291
SHA256 d4051f245c8dfd4efa25616093745335d53372ad9672bac6b843616bec929ef5
SHA512 763a1081ea7031da775e4da0641c583de7bdb3ba195f344d02e593023f8eb70a8189e44ec340e77808e7d7518ca8bf9af3fda3fc1be766c87afcc80338e472f5

\Windows\system\svchost.exe
MD5 6cc84bdac7131dc98e9d2ba4ac280836
SHA1 0b2e5033c8bc59e75a4cf2b9a4ae137c5fef2362
SHA256 d9ce64599b822cb34f1022a3cb080dcba91b46ba669985e408226ff825978588
SHA512 d4282059af3fc56d3d8a805b97112c31cfa8c44f5770b861c435da1880aa6fdd95b3b1d3a1fc0f656dd822995999f643f51e653c12a88de4b2dbcbb3d116fa10

C:\Users\Admin\AppData\Roaming\mrsys.exe
MD5 5204139c6014f4bb776a9c980a463bc6
SHA1 7cd759c190f902ec736704b6614a6f2150c8ac6b
SHA256 281a2e8394d631707e963a1723103ba8ac4adbec09de60d4f1af4893d3b54c6d
SHA512 e9934897f247e8870a0dedbecf516890e0915e91ae83571b70a924f4de84d77128b80b9a6ae2be1f843899f621824a13b75875e1a339dd73783d4c2ae6b1c579

Memory dumps (PID-index-range)

memory/2220-1-0x0000000000020000-0x0000000000024000-memory.dmp
memory/2220-0-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2220-3-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2220-4-0x0000000000401000-0x000000000042E000-memory.dmp
memory/2220-2-0x0000000072940000-0x0000000072A93000-memory.dmp
memory/2220-17-0x0000000002BB0000-0x0000000002BE1000-memory.dmp
memory/2220-16-0x0000000002BB0000-0x0000000002BE1000-memory.dmp
memory/2092-19-0x0000000072940000-0x0000000072A93000-memory.dmp
memory/2092-23-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2092-34-0x0000000000750000-0x0000000000781000-memory.dmp
memory/1996-36-0x0000000072940000-0x0000000072A93000-memory.dmp
memory/1996-40-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2220-46-0x0000000000020000-0x0000000000024000-memory.dmp
memory/2220-53-0x0000000000401000-0x000000000042E000-memory.dmp
memory/2564-55-0x0000000000400000-0x0000000000431000-memory.dmp
memory/1996-54-0x0000000002A70000-0x0000000002AA1000-memory.dmp
memory/2564-56-0x0000000072940000-0x0000000072A93000-memory.dmp
memory/2564-61-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2092-64-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2564-67-0x0000000003000000-0x0000000003031000-memory.dmp
memory/2600-68-0x0000000072940000-0x0000000072A93000-memory.dmp
memory/2600-74-0x0000000000400000-0x0000000000431000-memory.dmp
memory/1996-79-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2220-81-0x0000000000401000-0x000000000042E000-memory.dmp
memory/2220-80-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2092-83-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2564-84-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2092-93-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 19:02
Reported: 2024-06-13 19:04
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Rows
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f.exe | N/A | 2
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A | 34
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A | 28

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Rows
PID 232 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f.exe | \??\c:\windows\system\explorer.exe | 3
PID 1168 wrote to memory of 3696 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe | 3
PID 3696 wrote to memory of 3924 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe | 3
PID 3924 wrote to memory of 4180 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | 3
PID 3924 wrote to memory of 3124 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 3
PID 3924 wrote to memory of 3308 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 3
PID 3924 wrote to memory of 4568 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 3

Processes

Process tree (parent/child links and PIDs taken from the WriteProcessMemory table above; the three at.exe instances are listed in the order they appear there):

C:\Users\Admin\AppData\Local\Temp\0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f.exe (PID 232)
  cmd: "C:\Users\Admin\AppData\Local\Temp\0a67837bfb2893889343bd9e8872158c91473daac1441023e4e73661cdcf336f.exe"
  \??\c:\windows\system\explorer.exe (PID 1168)
    cmd: c:\windows\system\explorer.exe
    \??\c:\windows\system\spoolsv.exe (PID 3696)
      cmd: c:\windows\system\spoolsv.exe SE
      \??\c:\windows\system\svchost.exe (PID 3924)
        cmd: c:\windows\system\svchost.exe
        \??\c:\windows\system\spoolsv.exe (PID 4180)
          cmd: c:\windows\system\spoolsv.exe PR
        C:\Windows\SysWOW64\at.exe (PID 3124)
          cmd: at 19:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe (PID 3308)
          cmd: at 19:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe (PID 4568)
          cmd: at 19:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
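The persistence and evasion indicators recorded in both runs (the Winlogon Shell rewrite, the Active Setup StubPath, the RunOnce values, ShowSuperHidden, the at.exe jobs, and the explorer.exe/svchost.exe/spoolsv.exe copies under c:\windows\system) reduce to a handful of positional checks. The Python below is an added example written for this page; it is not sandbox output and not code from the sample. It reads events in the sandbox's raw shapes, `Set value (str|int) <key> = "<value>" <process> N/A` and `at HH:MM <args> <program>`, and flags the documented patterns. The rule names, the LEGIT_LOCATIONS table and the SAMPLE_EVENTS list are this example's own assumptions; the events in SAMPLE_EVENTS are rows from the behavioral1 run of this report, except the last, which is a constructed benign control.

```python
"""Detection rules for the persistence/evasion indicators in this report.

Added example, not sandbox output or code from the sample: it reads events in the
sandbox's raw 'Set value (...) <key> = "<value>" <process> N/A' and 'at HH:MM ...'
shapes and flags the documented patterns. Rule names, LEGIT_LOCATIONS and
SAMPLE_EVENTS are this example's own assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Finding:
    rule: str
    process: str  # normalised path of the process that performed the action
    detail: str

# Registry values the report shows being written (with or without WOW6432Node).
WINLOGON_SHELL = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\shell$", re.I)
SHOW_SUPER_HIDDEN = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
ACTIVE_SETUP_STUB = re.compile(r"\\Active Setup\\Installed Components\\(?P<comp>\{[^}\\]+\})\\StubPath$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$", re.I)
# Genuine Installed Components keys are named by a GUID; the sample's names are not valid GUIDs.
GUID = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Where the genuine binaries live; the same names anywhere else are masquerading.
LEGIT_LOCATIONS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
# Event shapes; an optional ' | ' separator is tolerated so tabulated rows parse too.
SET_VALUE = re.compile(r'^Set value \((?:str|int)\)\s*\|?\s*(?P<key>.+?) = "(?P<value>[^"]*)"\s*\|?\s*(?P<proc>\S+)')
AT_JOB = re.compile(r"^at\s+\d{1,2}:\d{2}\s+(?P<args>.*?)\s+(?P<target>\S+)$", re.I)

def norm_path(p: str) -> str:
    """NT-style (\\??\\ prefix) or registry-escaped (doubled backslash) path -> lowercase Win32 path."""
    p = p.strip().replace("\\\\", "\\")
    return (p[4:] if p.startswith("\\??\\") else p).lower()

def check_masquerade(path: str) -> list[Finding]:
    directory, _, basename = path.rpartition("\\")
    legit = LEGIT_LOCATIONS.get(basename)
    if legit is not None and directory not in legit:
        return [Finding("masquerade_system_name", path, f"{basename} running from {directory}")]
    return []

def check_registry(key: str, value: str, proc: str) -> list[Finding]:
    findings: list[Finding] = []
    if WINLOGON_SHELL.search(key):
        # Shell is a comma-separated list whose only legitimate entry is explorer.exe
        # (bare, or under C:\Windows); anything appended is launched at every logon.
        for entry in value.split(","):
            target = norm_path(entry)
            directory, _, basename = target.rpartition("\\")
            if basename != "explorer.exe" or directory not in ("", r"c:\windows"):
                findings.append(Finding("winlogon_shell_hijack", proc, target))
    elif SHOW_SUPER_HIDDEN.search(key) and value == "0":
        findings.append(Finding("hide_system_files", proc, "ShowSuperHidden=0"))
    else:
        stub = ACTIVE_SETUP_STUB.search(key)
        if stub and not GUID.match(stub.group("comp")):
            findings.append(Finding("active_setup_bad_guid", proc, stub.group("comp")))
        if stub or RUN_KEY.search(key):
            target = norm_path(value.split(" ", 1)[0])  # drop the trailing 'MR' / 'RO' argument
            directory, _, basename = target.rpartition("\\")
            in_user_dir = USER_WRITABLE.match(target) is not None
            fake_system = basename in LEGIT_LOCATIONS and directory not in LEGIT_LOCATIONS[basename]
            if in_user_dir or fake_system:
                findings.append(Finding("active_setup_stubpath" if stub else "run_key_masquerade", proc, target))
    return findings

def analyse_line(line: str) -> list[Finding]:
    line = line.strip()
    findings: list[Finding] = []
    if m := SET_VALUE.match(line):
        proc = norm_path(m.group("proc"))
        findings += check_registry(m.group("key"), m.group("value"), proc)
        findings += check_masquerade(proc)
    if m := AT_JOB.match(line):
        # Any recurring (/every:) or legacy /interactive job is flagged; check_masquerade
        # then reports whether the scheduled program itself is a look-alike.
        args, target = m.group("args").lower(), norm_path(m.group("target"))
        if "/every:" in args or "/interactive" in args:
            findings.append(Finding("at_job_persistence", target, line))
        findings += check_masquerade(target)
    return findings

def scan(lines: Iterable[str]) -> list[Finding]:
    """Run every rule over the lines; unique findings in first-seen order."""
    return list(dict.fromkeys(f for line in lines for f in analyse_line(line)))

# Rows copied from this report (behavioral1) plus one constructed benign control at the end.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A',
    r'at 19:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe" C:\Windows\explorer.exe N/A',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.process:34} {f.detail}")
```

Run it directly to print the eight findings for the embedded rows; in a pipeline, feed it the registry and process-creation rows from the sandbox's machine-readable output or from EDR telemetry after the same path normalisation. The rules are deliberately positional (where a well-known name runs from, where a StubPath or RunOnce value points, whether an Installed Components key is really a GUID) rather than hash-based: every file this sample drops has a different hash in the win7 and win10 runs above, so a hash list built from one run would miss the other.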

Network

Files

Dropped files

C:\Windows\System\explorer.exe
MD5 534e2d6ea24126336821a382a70cb990
SHA1 da8ca6af8b287d7eed875e2c3d9ff1a89e2b4040
SHA256 f2a305eeea3e5322f905a312def2b0ee1b45b362db277a97d2347a4991b361d0
SHA512 24ce1d4be7f94684c39f13a33c38deae0061bca1e0560981dea309fa2eb11498eb3528e88a9fa93e3e319213e309d9c411337cafef108fae40593f66e0e35534

C:\Windows\System\spoolsv.exe
MD5 9fdc4891104b93ab3dd5763f12a7c46b
SHA1 f4202ac94ca5f3720790dad5b2612beb15d83c1a
SHA256 1e962ec9ba1cf43a17e3743f26a7684dbd57f369f9a8c4fce49f24460475842b
SHA512 fc9345b5ed3b07e0777ab27d0ae50e652dcedd1efe8a9f3548d729798e00d71bfff0c0888566fb231246a7ba84f8a99e762e9002788c780b29eeef3b16990f0a

C:\Windows\System\svchost.exe
MD5 8404bd08bd77421f8bcba9f5ef9b3d95
SHA1 8b6e36193baac48f95decb0f6b5bc125ea2a178f
SHA256 de8184fa9fb89ee31bbce8363a9805a73a42c606f344b38ef81730d775985472
SHA512 20a27fd2d3d75f35e5c5f55692dc5ca28e31cc82c5ee1446edd5c8f3606eb8e968898b9995b832bc79cd81e7231312630fe7756fe2272db8906106620c90a19f

C:\Users\Admin\AppData\Roaming\mrsys.exe
MD5 a1301352ca28eea1af749a9434bb6081
SHA1 620b00574ffff70dd6b2049f9841055af267ca65
SHA256 a9f1160d051bb1daa3a0d646be4c66542f03cd0f2a4e0d3305bac77809db5484
SHA512 f91ce5cf221515d77214f431b17d6948914acc4ae4894ea8f4fdffdc30d8d5ac72dc274972badd6e03ad06e8b9acef8626c6ae1e320727f1819f63099eef3863

Memory dumps (PID-index-range)

memory/232-0-0x0000000000400000-0x0000000000431000-memory.dmp
memory/232-1-0x00000000001C0000-0x00000000001C4000-memory.dmp
memory/232-3-0x0000000000400000-0x0000000000431000-memory.dmp
memory/232-2-0x0000000075840000-0x000000007599D000-memory.dmp
memory/232-5-0x0000000000401000-0x000000000042E000-memory.dmp
memory/1168-13-0x0000000075840000-0x000000007599D000-memory.dmp
memory/1168-16-0x0000000000400000-0x0000000000431000-memory.dmp
memory/3696-23-0x0000000000400000-0x0000000000431000-memory.dmp
memory/3696-25-0x0000000000400000-0x0000000000431000-memory.dmp
memory/3696-26-0x0000000075840000-0x000000007599D000-memory.dmp
memory/3696-30-0x0000000000400000-0x0000000000431000-memory.dmp
memory/3924-37-0x0000000075840000-0x000000007599D000-memory.dmp
memory/3924-43-0x0000000000400000-0x0000000000431000-memory.dmp
memory/3924-42-0x0000000000400000-0x0000000000431000-memory.dmp
memory/4180-45-0x0000000075840000-0x000000007599D000-memory.dmp
memory/4180-51-0x0000000000400000-0x0000000000431000-memory.dmp
memory/3696-55-0x0000000000400000-0x0000000000431000-memory.dmp
memory/232-58-0x0000000000401000-0x000000000042E000-memory.dmp
memory/232-57-0x0000000000400000-0x0000000000431000-memory.dmp
memory/1168-60-0x0000000000400000-0x0000000000431000-memory.dmp
memory/3924-62-0x0000000000400000-0x0000000000431000-memory.dmp
memory/1168-71-0x0000000000400000-0x0000000000431000-memory.dmp