Malware Analysis Report

2024-11-16 10:49

Sample ID 240614-cg4hta1eqb
Target a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa
SHA256 a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa
Tags: evasion, persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa

Threat Level: Known bad

The file a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa was found to be: Known bad.

Malicious Activity Summary

Tags: evasion, persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-14 02:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 02:03
Reported: 2024-06-14 02:06
Platform: win7-20231129-en
Max time kernel: 150s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A (33 identical rows)
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A (30 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2180 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe | \??\c:\windows\system\explorer.exe (4 identical rows)
PID 2912 wrote to memory of 2584 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe (4 identical rows)
PID 2584 wrote to memory of 2708 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe (4 identical rows)
PID 2708 wrote to memory of 2496 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe (4 identical rows)
PID 2708 wrote to memory of 2888 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe (4 identical rows)
PID 2708 wrote to memory of 2872 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe (4 identical rows)
PID 2708 wrote to memory of 3032 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe (4 identical rows)

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe | "C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe"
\??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\svchost.exe | c:\windows\system\svchost.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe PR
C:\Windows\SysWOW64\at.exe | at 02:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
C:\Windows\SysWOW64\at.exe | at 02:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
C:\Windows\SysWOW64\at.exe | at 02:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

\Windows\system\explorer.exe

MD5 dcab432f3492b1156f84044fbca06543
SHA1 16a23a23dc12e070ef757eddb6eb27b7e9eddf42
SHA256 f4fe6f0f95c9687d9a1907e595324290deebf24532dda88b9b90f4d6fd6fd2cc
SHA512 075ae8bd738e0c3873e38c2eb90dcfa37b566db5495b0bab1c3a50ee89ee3e57465fa94507e25c12d0eb37b3ad0d884cd8e79d94c98483298d4f8b9a86d450a0

\Windows\system\spoolsv.exe

MD5 ec0ccef008996062226f8904f44e9f4b
SHA1 ad0d3e5673321c23e51de38fa95edd67460618b0
SHA256 cbf4b45ee62c383f9c51dd1a0fe5d40828ef3e3487175f34f51eb5e60ef3daaa
SHA512 c63fb3cf6b9eb2809da5770964a5176e21ff70af652a81f0f6162bd8a850df9a7aa23c5fc2472cc768232b107f7889980004150731abd715329350193135bf36

\Windows\system\svchost.exe

MD5 31a000085e08abafbbb5c12413be0517
SHA1 f7db5b46983de5da14d84801952dd97eeeda3f91
SHA256 622857b77cb6a465bd86a2f336f03cdabeda2cf0b15a0ddc54a38667017d6a4d
SHA512 bdc26532227b4da15cbe5c92728f32f34a8550a030004f5ccf0431b58b86e276d8d471f646f946a4debe959d3af2402e955ea7ec9a32194a7c5fbba8508e47da

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 38bcc36708d37b18f663ab913f1a1513
SHA1 65877c9c6054baff9d5f2526c874a64563aea1d0
SHA256 c549a990d2ae4dedd502630228eb3c4ac686baa691b9651b71061a6fcb59d206
SHA512 f05b6f5d923246b50c9fd77b4fe2c421f7707a3fa7a19f79866eacd6b539f4960382f1d06944b1a3a3fd888ef2cd5b00de2b52f97898e81050264bcf79ad9a5e

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 02:03
Reported: 2024-06-14 02:06
Platform: win10v2004-20240611-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe | N/A (2 identical rows)
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A (32 identical rows)
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A (30 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 760 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe | \??\c:\windows\system\explorer.exe (3 identical rows)
PID 2916 wrote to memory of 3636 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe (3 identical rows)
PID 3636 wrote to memory of 2060 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe (3 identical rows)
PID 2060 wrote to memory of 5088 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe (3 identical rows)
PID 2060 wrote to memory of 2356 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe (3 identical rows)
PID 2060 wrote to memory of 3056 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe (3 identical rows)
PID 2060 wrote to memory of 3928 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe (3 identical rows)

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe | "C:\Users\Admin\AppData\Local\Temp\a2359cf95b1baec0f57a0d410d76ff235c08acab2d001cdfc4d52a95e77e68aa.exe"
\??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\svchost.exe | c:\windows\system\svchost.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe PR
C:\Windows\SysWOW64\at.exe | at 02:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
C:\Windows\SysWOW64\at.exe | at 02:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
C:\Windows\SysWOW64\at.exe | at 02:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

C:\Windows\System\explorer.exe

MD5 d197c11203794adc0d132fa6282bf908
SHA1 dc70723a4119165aca63dfe65422b79175ea2c11
SHA256 a34a75af886e2c0d70d969692a53d7e70a7d0418c2163cc293b6f563feb6dcab
SHA512 e12dfd77e2010e2994c714d580eee4368770f19cbe75ebe314e600ff2537dbd2a5e3ae692e9925cf0657a461e50ca786744022ab7fd04b710e63e7444108157b

C:\Windows\System\spoolsv.exe

MD5 816cdcc3720ee48da8f1f6e261cd9665
SHA1 b1d4cc0bb9b6909986c51cff8b0709180b329492
SHA256 d6e21b12415a4d314e1b83bef21dabc848a928674eaf995267e5a62774584fee
SHA512 5bfd916266d5d650ef17ada31ab379ca909078b5599b0c5aba2a8ca08fa84045c6b2ab342b46ab28cd2b755134aa522a583a811201cbb85b2b5eb7f7429e4dd2

C:\Windows\System\svchost.exe

MD5 5f963ee6e49d6c01ad1435169b61c7f6
SHA1 e34486a554ea58031e0e59c0a2bacdaef199652d
SHA256 28b135c7739f0a67c5f02cc828d9ab8b428f4e037c2a0aa3d71d96f5a51d2a94
SHA512 3352f7128e096f83ddb141e22b165c85f7a4a2f14e5cb9af8017d13c2fc2dd5f2fdf8b873551b4049830f84dc9a5d54b79a296978d42d0a8796e1b8de28d962d

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 5bd6fc5307542083818d481b6c34bf6d
SHA1 3a27084eaf88119de944231d30b5ce98f10f3c42
SHA256 48a0e0aba059532b24256672f3f7d9ddb3ff3272e905dedcc19b81d86e88f899
SHA512 985d34b2d26f102e886aa52c4075329760fecdfa25e69253a3a2f1a3c148a146835de750f13c54873bc172cc103bbbdf8fc110d0a642f58e582cb730d92444ae
