Malware Analysis Report

2025-01-06 13:01

Sample ID 240614-ej2s4sybnj
Target c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61
SHA256 c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61

Threat Level: Known bad

The file c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 03:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 03:59

Reported

2024-06-14 04:01

Platform

win7-20240611-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe \??\c:\windows\system\explorer.exe
PID 2996 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe \??\c:\windows\system\explorer.exe
PID 2996 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe \??\c:\windows\system\explorer.exe
PID 2996 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe \??\c:\windows\system\explorer.exe
PID 2588 wrote to memory of 2652 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2588 wrote to memory of 2652 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2588 wrote to memory of 2652 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2588 wrote to memory of 2652 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2652 wrote to memory of 2912 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2652 wrote to memory of 2912 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2652 wrote to memory of 2912 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2652 wrote to memory of 2912 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2912 wrote to memory of 2568 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2912 wrote to memory of 2568 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2912 wrote to memory of 2568 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2912 wrote to memory of 2568 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2912 wrote to memory of 548 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2912 wrote to memory of 548 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2912 wrote to memory of 548 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2912 wrote to memory of 548 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2912 wrote to memory of 1088 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2912 wrote to memory of 1088 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2912 wrote to memory of 1088 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2912 wrote to memory of 1088 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2912 wrote to memory of 1472 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2912 wrote to memory of 1472 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2912 wrote to memory of 1472 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2912 wrote to memory of 1472 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe

"C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2996-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2996-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2996-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2996-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2996-4-0x0000000000401000-0x000000000042E000-memory.dmp

\Windows\system\explorer.exe

MD5 6ba6da40a089ea9347d17cab1181e0a9
SHA1 9753ce1745593b7fd770bf072ffe7dd129bc654d
SHA256 253b9f35304f5b41f2cf30541a6af1b8e3a4512e7127b01938b5857f9bca881a
SHA512 5ad797b8562799f4085d4175e8bdad083c216adcb80c89d1a94fd4aa901e3d985a690fa1b16a0a23010dedf37fa2222d8d9eb58a6226e90b09ce227d0bba422b

memory/2588-22-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2588-20-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2588-19-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2996-17-0x0000000002500000-0x0000000002531000-memory.dmp

memory/2996-16-0x0000000002500000-0x0000000002531000-memory.dmp

\Windows\system\spoolsv.exe

MD5 9922b18698a2e44b9e3973f1e36bbaa7
SHA1 090657b9ad9a327e076045b0d57027f473e49c79
SHA256 84c7dd931013ea084dc9092bac5ca52b9014c5787d410d281c52101c663ac310
SHA512 a877a95d408aad578eb1e64108988ef3ffc5de6ced53b925e30739aa719069ceb9cf2e7e7a5d089921583f78431bfc6b988fec3b5fbd5b297425c6c4eb8054cd

memory/2588-36-0x00000000006D0000-0x0000000000701000-memory.dmp

memory/2652-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2652-37-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2996-48-0x0000000000020000-0x0000000000024000-memory.dmp

\Windows\system\svchost.exe

MD5 940dacfb6a06bb64f720a111349bb59e
SHA1 6fe812ea951bc917933b4cf285238511384fac27
SHA256 752fb0129d9839ae736a8adb4ed8d74c6f7d4411165ab3d81206abb54dc140df
SHA512 14781a7c649d0a69a1fd93b43874c87f2e48553ee64c274595a56fc32ccbc08dfb56f06c16b7e93bd488c38df133a78acac6d1ed585b4f153d6560be723a5eb4

memory/2996-54-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2652-55-0x0000000002E30000-0x0000000002E61000-memory.dmp

memory/2912-56-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2912-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2912-66-0x0000000000650000-0x0000000000681000-memory.dmp

memory/2568-67-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2996-77-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2996-78-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2652-74-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2568-72-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 d5f0a082a82ede6b725c42c7c3fd8403
SHA1 b2788905c6480a4eaffac0ac341a533334622c59
SHA256 71bb4fda84b2e27cd2cceb0a367af69b8474beaff5a91c289de6d3562bc12ad3
SHA512 f7a1c56c2790b73932973288e24678adb20c2db211182083ffbbe7ee89cfeee7bb646a757edda259110ae79a1db26663d4fc1363a1c097a6bb7bb7c735ec451a

memory/2588-80-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2588-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2912-83-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2588-92-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 03:59

Reported

2024-06-14 04:01

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3772 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe \??\c:\windows\system\explorer.exe
PID 3772 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe \??\c:\windows\system\explorer.exe
PID 3772 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe \??\c:\windows\system\explorer.exe
PID 5024 wrote to memory of 3272 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5024 wrote to memory of 3272 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5024 wrote to memory of 3272 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3272 wrote to memory of 4696 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3272 wrote to memory of 4696 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3272 wrote to memory of 4696 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4696 wrote to memory of 3220 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4696 wrote to memory of 3220 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4696 wrote to memory of 3220 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4696 wrote to memory of 3588 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4696 wrote to memory of 3588 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4696 wrote to memory of 3588 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4696 wrote to memory of 4684 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4696 wrote to memory of 4684 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4696 wrote to memory of 4684 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4696 wrote to memory of 2356 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4696 wrote to memory of 2356 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4696 wrote to memory of 2356 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe

"C:\Users\Admin\AppData\Local\Temp\c981e3681b0c9d2cde622aa687fbb2a5e575aa7ffcdafe39a158fab785839d61.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3772-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3772-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3772-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3772-2-0x0000000075790000-0x00000000758ED000-memory.dmp

memory/3772-7-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 68acbbd4f134c2b222a56a312acbff64
SHA1 7b0bdafcd4195a4eec13f150a514502fa211cfb2
SHA256 0391bad24864f4057c5d5bf4ded5fad97c05709724e922f44ccd378009497bad
SHA512 78f5749bf05bc487563904c875aac0c27892e54d3ef1b048668d55aaf8c3b32e0ca17b0a7cc0e3c8b61f3e943cb68a23949651f9ebcf0a10cb701ca57f0a22e4

memory/5024-13-0x0000000075790000-0x00000000758ED000-memory.dmp

memory/5024-15-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 7e3ca59930c177120c972da80dfa4b21
SHA1 85351a022d7ce2622e8b9f5ee6b8cc8a7bf6f918
SHA256 fcacea982191bedcabf02fa0c7ee1e4f50c37043701563bee34364ffaf704bc5
SHA512 79d0e1036176f16d658549af989ece68711c8758a9b49ea1ed9b1ac38162af5fbfc1bb1df2c63875a54817a778ceb9a6b225a42f59a2301cc74dd1ddb9bb9245

memory/3272-24-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3272-25-0x0000000075790000-0x00000000758ED000-memory.dmp

memory/3272-29-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 869d44eae360b11d62fd4a9a6f0e4d30
SHA1 006b1521b06142bb6ae86da64aa0bee512715110
SHA256 f02a9bf5decc27f6c1507bea59daa73fc887175b04704d4a974dd36660c3bf00
SHA512 90c7bd5c1bedcce9f3f0731e94b036cb2eaa07beeb381d9e6e514850d64255277e934449a9a130c6e8cff385a75ec3e9ec332e5b0a7ae94c9de50cb2ca866f66

memory/4696-36-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4696-37-0x0000000075790000-0x00000000758ED000-memory.dmp

memory/3220-43-0x0000000075790000-0x00000000758ED000-memory.dmp

memory/3220-48-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3772-56-0x0000000000401000-0x000000000042E000-memory.dmp

memory/3772-55-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3772-54-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 f601a14791a6da8cd890e1a84ee136de
SHA1 cd202deab40c6b2c358e6d36954672ec68851848
SHA256 7dc11207de1a6950ec7753b1ebf51e81f135e0f3ca1f92ff7317463a80221ea5
SHA512 78193f285208d6867c1de6edb7b93050749cce05c2954021bf536061732a434f1b7cf98249218cc61328b7df88488a98c87845a5c018433e9dca4e79d246db72

memory/3272-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5024-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4696-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5024-69-0x0000000000400000-0x0000000000431000-memory.dmp