Malware Analysis Report

2025-01-06 12:55

Sample ID: 240614-eyqdmavdqg
Target: d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d
SHA256: d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d
Tags: evasion, persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10
SHA256: d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d
Threat Level: Known bad

The file d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d was found to be: Known bad.

Malicious Activity Summary

Tags: evasion, persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-14 04:21

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 04:21
Reported: 2024-06-14 04:23
Platform: win7-20240419-en
Max time kernel: 150s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d.exe | N/A | 1
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A | 32
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A | 31

(identical rows collapsed; the Hits column gives the number of times each row was reported)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Hits
PID 2936 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d.exe | \??\c:\windows\system\explorer.exe | 4
PID 2072 wrote to memory of 2584 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe | 4
PID 2584 wrote to memory of 2488 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe | 4
PID 2488 wrote to memory of 2144 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | 4
PID 2488 wrote to memory of 2684 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 4
PID 2488 wrote to memory of 2316 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 4
PID 2488 wrote to memory of 2988 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 4

(identical rows collapsed; the Hits column gives the number of times each row was reported)

Processes

C:\Users\Admin\AppData\Local\Temp\d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d.exe

"C:\Users\Admin\AppData\Local\Temp\d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2936-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2936-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2936-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2936-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2936-2-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\explorer.exe

MD5 6b02228b56df0853748b6ab234fc32e4
SHA1 ef006bd3a297bf8cd2007fa933f931fa2e69db55
SHA256 f3d64648422a77eb9a1bb8e4ef7074dd472c4aeb114cc9ffd33f0b9f1fbd6b1b
SHA512 4ce9de71e16dc214c6aeae73711432bab08dfe7d5495fca67063da1517c405d0be199f3f2ac930446d0bbe47b4ef0e95a20163d8c5229f6ba85f24b0b7f0a2b3

memory/2936-16-0x00000000026F0000-0x0000000002721000-memory.dmp

memory/2072-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2072-19-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2072-24-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 059d25b305cf520b78fd3a07e765d057
SHA1 565d21a46af564b1b85f908a2c5207b44b086c3f
SHA256 0fb7d401061bbea10c077aec76d1a5f40bc6fa31c7e7e17beac08fd641e9d9ee
SHA512 a1fee8000a61f073ab912bf0250c965d9f7eb7b4cadef94110e441badd0eb942ebf7d0fa7437950fb2234398eb7e0a211d04671ad0c910fa177d69d9daf0ba7a

memory/2072-35-0x0000000002C30000-0x0000000002C61000-memory.dmp

memory/2584-36-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2584-40-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 cc6a93dbaa4691b560ba3135fc8179a0
SHA1 6af15da6f227571ed5125f60b840329fc72ed103
SHA256 d55aba707f9a04f9481ca1efabb9cfd3689e811443f79f55599cad86b7ac9aa2
SHA512 4c10e0bd68b489263c6fc9707b2141105e2085a5b4cd3b7024159a2d7e309196905317eb1c58c3240980e3ba8b10dd8312e5d4b57647f64d380e844ca7a00b71

memory/2584-48-0x00000000006C0000-0x00000000006F1000-memory.dmp

memory/2488-62-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2936-61-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2488-67-0x0000000002400000-0x0000000002431000-memory.dmp

memory/2936-66-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2488-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2584-57-0x00000000006C0000-0x00000000006F1000-memory.dmp

memory/2488-53-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2144-68-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2144-74-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2584-75-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2936-79-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2936-80-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 42069ee60734f08b2b860f57876b33ba
SHA1 fd554c83c9796fd43dad4bd57f9c3b5299d28d6d
SHA256 a4540e435763ce73754b4818b5f1b443232cc54431634db859f1478485fe93f6
SHA512 511240abae9578fd35c191a261aca44a6b445c804d9c2984b55e7d89889bd83165af8c4b1a67b181a81eb1fc897e0368077348d075bd1144d8c8bab2714bdffa

memory/2072-82-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2488-84-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2072-93-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 04:21
Reported: 2024-06-14 04:23
Platform: win10v2004-20240611-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d.exe | N/A | 2
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A | 32
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A | 30

(identical rows collapsed; the Hits column gives the number of times each row was reported)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Hits
PID 4536 wrote to memory of 4256 | N/A | C:\Users\Admin\AppData\Local\Temp\d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d.exe | \??\c:\windows\system\explorer.exe | 3
PID 4256 wrote to memory of 1780 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe | 3
PID 1780 wrote to memory of 1168 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe | 3
PID 1168 wrote to memory of 5048 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | 3
PID 1168 wrote to memory of 4492 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 3
PID 1168 wrote to memory of 3148 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 3
PID 1168 wrote to memory of 3132 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 3

(identical rows collapsed; the Hits column gives the number of times each row was reported)

Processes

C:\Users\Admin\AppData\Local\Temp\d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d.exe

"C:\Users\Admin\AppData\Local\Temp\d24d5d94b19213123b488fdc26a8ca69648805118d728447b564750946757e1d.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp

Files

memory/4536-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4536-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/4536-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4536-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/4536-2-0x00000000752B0000-0x000000007540D000-memory.dmp

C:\Windows\System\explorer.exe

MD5 e6668f299a2a032196bc5d69eff42a76
SHA1 9c276f5c303524340b0444725754c913b39a7bd4
SHA256 5f9622f93fec553adfcf3a235513a5e8b69e4e0a1b3bb3936c3b6a5b12a78ed8
SHA512 970cc0c4f3c94152520bedb3487955e2bcf7ded9e4ee660f615aaa7b43379cb8540296c01d1ed878e33b4ed26e570b56ed7238ed0472dec7dee85c48dccc8326

memory/4256-16-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4256-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4256-14-0x00000000752B0000-0x000000007540D000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 a2c3a5cd390972c73c4e7987f2a695ce
SHA1 5f273a1008a4446b710559cb413b8f6b258a5bf7
SHA256 09839349221e3f49a2bb5c8f6373d44db6723eeb919cde27b27e8da9a19c5b4c
SHA512 bd6d74f32d72480a32da6a06e7cf49d7f4185623571f6a260c0e5b580f7be971cb263d56bfb65e94a8a724893a6f0e8067fb77c1f6739633619bb6a54ee08004

memory/1780-25-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1780-26-0x00000000752B0000-0x000000007540D000-memory.dmp

C:\Windows\System\svchost.exe

MD5 125d0a654f588f8c62e4445e07e17bab
SHA1 46cfcfa1e2cb5041b22a9fe68578b3b866254718
SHA256 14ccc0fb86b89468a26ef830e180f63b76ee27a4b41cc44b6d0d4875b9debaaf
SHA512 2a3c98bd18371189264eb07e6f5a2d13dd09a91fc19085b3f47e5f612f76556fe6248be6ad256164a1abb08ed33f7217f4e10efb1bdc03dc7d39b0dedf681919

memory/1168-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1168-36-0x00000000752B0000-0x000000007540D000-memory.dmp

memory/5048-43-0x00000000752B0000-0x000000007540D000-memory.dmp

memory/1780-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5048-51-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4536-57-0x0000000000401000-0x000000000042E000-memory.dmp

memory/4536-56-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/4536-55-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 780881e32bdfee51f1e1846db79a5037
SHA1 b6ac6f4ea73b3c1537dd489667b9ba4a5363943d
SHA256 66a1ade6ccf200910372b224e581b6610b37fa7e0f844ed5aa5f169dcd13808f
SHA512 8d4c6486cd4360882bc8a29592516e59be0deb4518444e60fbe5ce948fb4a678e83b8b53223d3c545360902d58e326ca61c137e78624c20072926cc4f347e599

memory/4256-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1168-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4256-70-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e