Malware Analysis Report

2024-11-16 10:54

Sample ID 240614-bzk9hszepg
Target 95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790
SHA256 95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790

Threat Level: Known bad

The file 95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:34

Reported

2024-06-14 01:37

Platform

win7-20240611-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
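The four registry indicators above (Winlogon Shell, ShowSuperHidden, Active Setup StubPath, RunOnce) are the persistence and evasion core of this sample, and each one is worth reading rather than just counting. Winlogon's Shell value is a comma-separated launch list, so appending c:\windows\system\explorer.exe after the stock explorer.exe makes Winlogon start the dropped copy at every interactive logon. Active Setup runs StubPath once per user at logon whenever the HKLM component key has no HKCU counterpart, and the two component "CLSIDs" used here contain letters outside 0-9A-F, which no legitimate component registration produces; the create/delete churn between the two names is the sample re-arming that trigger. ShowSuperHidden = 0 re-hides protected operating-system files so the dropped binaries do not show in Explorer. The Python below is an added example, not part of the sandbox report or its tooling: it parses event rows in this report's "Description Indicator Process Target" layout (the sample rows are copied from the behavioral1 run and are constructed input for the example), maps each hit to an ATT&CK technique, and checks the Winlogon list and the CLSID shape. The rule set and the stock-shell whitelist are assumptions of the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: registry events copied from this report's behavioral1 run,
# one event per line in the report's "Description Indicator Process Target" layout.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
""".strip().splitlines()

DESC_RE = re.compile(r'^(Set value \((?:str|int)\)|Key created|Key deleted) (.*)$')
# A well-formed CLSID is hex only; an Active Setup component whose name contains other
# letters was not registered by any real installer.
CLSID_RE = re.compile(r'^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$', re.I)
# Winlogon's Shell value is a comma-separated launch list; a stock system lists only
# explorer.exe. (Assumed whitelist for this example.)
STOCK_SHELL = {'explorer.exe', r'c:\windows\explorer.exe'}


def parse_event(line: str) -> Dict[str, Optional[str]]:
    """Split one report row into action, key, value name, data and acting process."""
    body, _target = line.rsplit(' ', 1)        # trailing "Target" column (N/A here)
    body, process = body.rsplit(' ', 1)        # "Process" column
    m = DESC_RE.match(body)
    if not m:
        raise ValueError(f'unrecognised event: {line!r}')
    action, indicator = m.groups()
    data = None
    if ' = "' in indicator:
        indicator, data = indicator.split(' = "', 1)
        data = data.rstrip('"').replace('\\\\', '\\')   # the report doubles backslashes in data
    key, value_name = indicator, None
    if action.startswith('Set value'):
        key, value_name = indicator.rsplit('\\', 1)
    return {'action': action, 'key': key, 'value': value_name, 'data': data, 'process': process}


def classify(ev: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Return (technique, detail) pairs for one parsed event."""
    key_l = ev['key'].lower()
    val_l = (ev['value'] or '').lower()
    hits = []
    if key_l.endswith(r'\windows nt\currentversion\winlogon') and val_l == 'shell':
        entries = [e.strip() for e in (ev['data'] or '').split(',')]
        extra = [e for e in entries if e.lower() not in STOCK_SHELL]
        if extra:
            hits.append(('T1547.004 Winlogon Shell', 'extra shell entries: ' + '; '.join(extra)))
    if r'\active setup\installed components\{' in key_l:
        clsid = ev['key'].rsplit('\\', 1)[-1]
        if ev['action'] == 'Key created' or val_l == 'stubpath':
            detail = f'{ev["action"]} {clsid}'
            if ev['data']:
                detail += f' StubPath={ev["data"]}'
            if not CLSID_RE.match(clsid):
                detail += ' (malformed CLSID, not hex)'
            hits.append(('T1547.014 Active Setup', detail))
    if key_l.endswith(r'\currentversion\runonce') and ev['value']:
        hits.append(('T1547.001 RunOnce', f'{ev["value"]} = {ev["data"]}'))
    if key_l.endswith(r'\explorer\advanced') and val_l == 'showsuperhidden' and ev['data'] == '0':
        hits.append(('T1564.001 Hide system files', 'ShowSuperHidden=0'))
    return hits


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Parse every row and collect the technique hits with the process that caused them."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for technique, detail in classify(ev):
            findings.append({'rule': technique, 'process': ev['process'], 'detail': detail})
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:<30} {f['process']:<38} {f['detail']}")
```

Running it against the seven constructed rows yields six findings: one Winlogon hit naming c:\windows\system\explorer.exe as the extra shell entry, two Active Setup hits (key creation and StubPath) both flagged for the malformed CLSID, two RunOnce hits and the ShowSuperHidden change; the Key deleted row is parsed but produces no finding, since removal of a component is not by itself persistence.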

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe \??\c:\windows\system\explorer.exe
PID 2392 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe \??\c:\windows\system\explorer.exe
PID 2392 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe \??\c:\windows\system\explorer.exe
PID 2392 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe \??\c:\windows\system\explorer.exe
PID 2304 wrote to memory of 2628 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2304 wrote to memory of 2628 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2304 wrote to memory of 2628 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2304 wrote to memory of 2628 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2628 wrote to memory of 1880 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2628 wrote to memory of 1880 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2628 wrote to memory of 1880 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2628 wrote to memory of 1880 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1880 wrote to memory of 2688 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1880 wrote to memory of 2688 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1880 wrote to memory of 2688 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1880 wrote to memory of 2688 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1880 wrote to memory of 2388 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1880 wrote to memory of 2388 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1880 wrote to memory of 2388 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1880 wrote to memory of 2388 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1880 wrote to memory of 1176 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1880 wrote to memory of 1176 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1880 wrote to memory of 1176 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1880 wrote to memory of 1176 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1880 wrote to memory of 2448 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1880 wrote to memory of 2448 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1880 wrote to memory of 2448 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1880 wrote to memory of 2448 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe

"C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 01:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 01:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 01:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
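The WriteProcessMemory rows and the Processes listing above describe one chain: the submitted sample writes into and starts c:\windows\system\explorer.exe, which starts spoolsv.exe (argument SE), which starts svchost.exe, which in turn starts a second spoolsv.exe (argument PR) and three at.exe jobs. None of explorer.exe, spoolsv.exe or svchost.exe belongs in c:\windows\system (the genuine binaries live in C:\Windows and C:\Windows\System32), so these are masquerading file names (T1036.005). The at.exe jobs (T1053.002) schedule the dropped svchost.exe at one-minute offsets every day of the week and run under LocalSystem on the Windows 7 host. Two caveats for responders: the /interactive switch has had no visible effect since Windows Vista introduced session 0 isolation, and at.exe is deprecated from Windows 8 onward and refuses to create jobs, so on the Windows 10 run (behavioral2) the same three commands create nothing and persistence there rests on the registry entries. The Python below is an added example, not the sandbox's own tooling: it rebuilds the process tree from rows in this report's WriteProcessMemory format (constructed input copied from behavioral1 with the repeated rows collapsed), flags paths that masquerade as system binaries, and scores the at command lines. The expected-directory table is an assumption of the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the WriteProcessMemory rows of this report's behavioral1 run,
# each of which appeared four times in the report, collapsed to one row here.
SAMPLE_WPM = r"""
PID 2392 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe \??\c:\windows\system\explorer.exe
PID 2304 wrote to memory of 2628 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2628 wrote to memory of 1880 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1880 wrote to memory of 2688 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1880 wrote to memory of 2388 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1880 wrote to memory of 1176 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1880 wrote to memory of 2448 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
""".strip().splitlines()

# Constructed sample input: the three at.exe command lines from the same run.
SAMPLE_AT = [
    r'at 01:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe',
    r'at 01:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe',
    r'at 01:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe',
]

WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')
AT_RE = re.compile(r'^at (\d{2}:\d{2})((?: /\S+)*) (\S+)$')
NT_PREFIX = '\\??\\'          # object-manager prefix the sandbox records on image paths

# Where the genuine binaries of these names live (assumed table for this example).
EXPECTED_DIR = {
    'explorer.exe': {r'c:\windows'},
    'svchost.exe': {r'c:\windows\system32', r'c:\windows\syswow64'},
    'spoolsv.exe': {r'c:\windows\system32'},
}


def normalize(path: str) -> str:
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def is_masquerade(path: str) -> bool:
    """True when a well-known system binary name sits outside its legitimate directory."""
    directory, _, name = normalize(path).rpartition('\\')
    expected = EXPECTED_DIR.get(name)
    return expected is not None and directory not in expected


def build_tree(lines: List[str]) -> Tuple[Dict[int, str], Dict[int, List[int]], List[int]]:
    """Map PIDs to image paths and parents to ordered child lists; return the roots too."""
    names: Dict[int, str] = {}
    children: Dict[int, List[int]] = defaultdict(list)
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            continue
        ppid, pid, pname, cname = int(m[1]), int(m[2]), m[3], m[4]
        names.setdefault(ppid, pname)
        names.setdefault(pid, cname)
        if pid not in children[ppid]:          # the report repeats each write several times
            children[ppid].append(pid)
    all_children = {c for cs in children.values() for c in cs}
    roots = [p for p in names if p not in all_children]
    return names, dict(children), roots


def render_tree(names: Dict[int, str], children: Dict[int, List[int]], roots: List[int]) -> List[str]:
    """Indented one-line-per-process view, marking masquerading image paths."""
    out: List[str] = []

    def walk(pid: int, depth: int) -> None:
        flag = '  <-- masquerading path' if is_masquerade(names[pid]) else ''
        out.append(f"{'  ' * depth}{pid} {names[pid]}{flag}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


def parse_at(cmdline: str) -> Optional[Dict[str, object]]:
    m = AT_RE.match(cmdline.strip())
    if not m:
        return None
    return {'time': m[1], 'flags': m[2].split(), 'command': m[3]}


def assess_at(cmdline: str) -> List[str]:
    """Reasons an at.exe invocation deserves attention; empty list for non-at commands."""
    job = parse_at(cmdline)
    if job is None:
        return []
    issues = []
    if '/interactive' in job['flags']:
        issues.append('/interactive requested (no desktop effect since Vista session 0 isolation)')
    every = [f for f in job['flags'] if f.lower().startswith('/every:')]
    if every and len(every[0].split(':', 1)[1].split(',')) == 7:
        issues.append('recurs every day of the week under LocalSystem')
    if is_masquerade(job['command']):
        issues.append('job target masquerades as a system binary: ' + job['command'])
    return issues


if __name__ == '__main__':
    names, children, roots = build_tree(SAMPLE_WPM)
    print('\n'.join(render_tree(names, children, roots)))
    for cmd in SAMPLE_AT:
        print(cmd)
        for issue in assess_at(cmd):
            print('   -', issue)
```

The tree comes out eight processes deep from the single root PID 2392, with every c:\windows\system image flagged and the three at.exe children left unflagged (at.exe is where it belongs; it is the scheduled target that is wrong). Each at command line scores three issues. For a live host the same checks translate directly: compare the image path of anything named explorer.exe, svchost.exe or spoolsv.exe against the expected directories, and on Windows 7 review at jobs with `at` or `schtasks /query /v`.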

Network

N/A

Files

memory/2392-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2392-2-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2392-1-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2392-3-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\explorer.exe

MD5 28a05408d041522f9521a60b2e0f0dc4
SHA1 34fba3044e74d92584171c70229ac57ef0e8f841
SHA256 5c248a9c5615890480df61eb5d3d8d7757743848ff351393f50f67d592e15c67
SHA512 0a065b509584e25c205840cfa105e010af8eab416ab6bcf056072c8a08816b5251bab1508ae7844c74486aed67fe7ea2c3737954bd35beb4f914a70d5c94b114

memory/2392-16-0x0000000002620000-0x0000000002651000-memory.dmp

memory/2392-15-0x0000000002620000-0x0000000002651000-memory.dmp

memory/2304-18-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2304-22-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 02dceea4805af9f423a3a9b33a8bc0fc
SHA1 8869efea7ec262b532d4d3d41bc14097f1612f3f
SHA256 0a6f65b5abfe5ed00a0a1cbb1c1dd05a35a32f4b2dfe80e01efb8faf0ef711c9
SHA512 598515657d06af78be7f375a66017cdb14bab5fcd9dc2e187d556fd2db031ac4fb3149cfa045af1d73a4d57f41c24f31c3a81c74946552ced7f9010ec697dde7

memory/2304-33-0x0000000002870000-0x00000000028A1000-memory.dmp

memory/2628-35-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2628-39-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 a0d25332da25f127e51de31a250aaf18
SHA1 e1925f15ae59311e6eb72b57484c9326a1ec7713
SHA256 63fa5ccf523b70cb8d227ae56217ac442eee4bd822e5677af096e2bdefe5b568
SHA512 aa01c5835e7813c69cdef5338b689ac5b3787cb69a40f9040ff65da7742c5026011a491bb876ebc2edc8593002e3b8ab06a5e72579d622adf3c4587f3bd221d3

memory/2628-52-0x00000000028E0000-0x0000000002911000-memory.dmp

memory/2392-51-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1880-53-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1880-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1880-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2688-64-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2688-70-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2628-75-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2392-76-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 501b17441b10075a6fb325ee02d6a068
SHA1 5423b79a7845aba7bde1b65678353397c9737d8e
SHA256 12f7cb58f7f9839b5e64a9da9d7f4563896f694f25a52902b79c220ffe9c6378
SHA512 8d5016f82ff6270397d981e6f58a29226db62421eb8309961163b3b6fc70fff8692433b940074f38f088ad66ca2e410b4b2981bd7a5f6ebfae9e391d32fb3d2d

memory/2304-78-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1880-80-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2304-79-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2304-89-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:34

Reported

2024-06-14 01:37

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe \??\c:\windows\system\explorer.exe
PID 2364 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe \??\c:\windows\system\explorer.exe
PID 2364 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe \??\c:\windows\system\explorer.exe
PID 1780 wrote to memory of 1224 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1780 wrote to memory of 1224 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1780 wrote to memory of 1224 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1224 wrote to memory of 4748 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1224 wrote to memory of 4748 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1224 wrote to memory of 4748 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4748 wrote to memory of 4972 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4748 wrote to memory of 4972 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4748 wrote to memory of 4972 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4748 wrote to memory of 4888 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4748 wrote to memory of 4888 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4748 wrote to memory of 4888 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4748 wrote to memory of 4860 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4748 wrote to memory of 4860 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4748 wrote to memory of 4860 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4748 wrote to memory of 4304 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4748 wrote to memory of 4304 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4748 wrote to memory of 4304 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe

"C:\Users\Admin\AppData\Local\Temp\95ace33839efd6348432ad701cca6b3d0826e296abefcba78d218ca416236790.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 01:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 01:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 01:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2364-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2364-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/2364-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2364-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2364-2-0x0000000074E00000-0x0000000074F5D000-memory.dmp

C:\Windows\System\explorer.exe

MD5 6b4689ebd32d99a48903052bdcda99e5
SHA1 383d058af5e95f2732899e0b9053a9f36909cce9
SHA256 f1d97805517725b2a8167d26ef56e59f741db9f604278220eb5956400a5dd2fd
SHA512 840f6424dc416b6e54fe01dd0e4f4061d712c09dd2ebaeb6b14289b90cf30e42c46aed6a7726e8041b071e0a9cad9e08d59fc42381fceb4b72bfc60e0a221ef5

memory/1780-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1780-14-0x0000000074E00000-0x0000000074F5D000-memory.dmp

memory/1780-16-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 6e71241fe6a66b793ea485eec8cce149
SHA1 f71880c34b93ba67e508ead89e619648f75e44c8
SHA256 ddeeaacba2f3f4824a3a83a7ba6cb447cf899f20420314139d2467607fa28f17
SHA512 3d5c63419a44b7bf9191cc2b3752716de8fd3cec80449bf8e808895c122de5ee1eef3663d5af09302a24a2936e79ed06cdfddcd70853955aa9edd0c089981445

memory/1224-25-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1224-26-0x0000000074E00000-0x0000000074F5D000-memory.dmp

C:\Windows\System\svchost.exe

MD5 3a7fe4f20ff3f582fcb29f0778be9f03
SHA1 dde79b8b5817040a2b4ea4bf6640a1c03862bc34
SHA256 7e22cb695f9b2bc8657fcc97b2133b12a4a506bdd2d7951b7ca61f976c07b79f
SHA512 1952b9f80be714620edc6359491e2df7e979f057bd0b7ddc1e99fe5b5346a3313221da7ead2a7b746867e4cd735b0462e62d596a34cd2352bbcf228bacc1d1b9

memory/4748-36-0x0000000074E00000-0x0000000074F5D000-memory.dmp

memory/4748-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4972-43-0x0000000074E00000-0x0000000074F5D000-memory.dmp

memory/1224-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2364-56-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2364-55-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4972-51-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 ad2cbdbfe992ad2d836a0106c7ff8774
SHA1 99888352fd4a522ce5104c412d6bdc38dccb4ecf
SHA256 6e5c50fa0a06231e9ee1c3b5eeffa2395b8f17ba0d613080871f1f06b0c7dc40
SHA512 829f55bea98d816bb62c33fac6c2fd8c5e3e8c999fcda246a2931d7721c17c2bd657d18eddac8f64c690fdf9192540275e66b4cb2fe08971f6de0227b02c8ab0

memory/1780-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4748-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1780-69-0x0000000000400000-0x0000000000431000-memory.dmp