Malware Analysis Report

2025-01-06 12:10

Sample ID 240614-fnm17awbne
Target de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66
SHA256 de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66

Threat Level: Known bad

The file de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 05:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 05:01

Reported

2024-06-14 05:03

Platform

win7-20240611-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 920 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | \??\c:\windows\system\explorer.exe
PID 920 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | \??\c:\windows\system\explorer.exe
PID 920 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | \??\c:\windows\system\explorer.exe
PID 920 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | \??\c:\windows\system\explorer.exe
PID 2696 wrote to memory of 2804 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2696 wrote to memory of 2804 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2696 wrote to memory of 2804 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2696 wrote to memory of 2804 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2804 wrote to memory of 2508 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2804 wrote to memory of 2508 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2804 wrote to memory of 2508 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2804 wrote to memory of 2508 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2508 wrote to memory of 2488 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2508 wrote to memory of 2488 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2508 wrote to memory of 2488 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2508 wrote to memory of 2488 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2508 wrote to memory of 1880 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2508 wrote to memory of 1880 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2508 wrote to memory of 1880 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2508 wrote to memory of 1880 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2508 wrote to memory of 1340 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2508 wrote to memory of 1340 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2508 wrote to memory of 1340 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2508 wrote to memory of 1340 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2508 wrote to memory of 1468 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2508 wrote to memory of 1468 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2508 wrote to memory of 1468 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2508 wrote to memory of 1468 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe

"C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 05:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/920-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/920-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/920-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/920-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/920-4-0x0000000000401000-0x000000000042E000-memory.dmp

\Windows\system\explorer.exe

MD5 4fefff25025a5b9dc3f0ad3cd21fc79d
SHA1 5e5899a1d8493977e0cb4460bd9452915cab5167
SHA256 a28ca682561ab23b41bc114f8f6acc88244cc8615a861e9bd31781984639973a
SHA512 ff2c95d2956f34bd20ee9fb8b882616312b905138205042aaafbc30c71be7070228db25ad2b2e419e7c18514c9786be2a73600a8fa52fd713a92eaf313511f60

memory/2696-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/920-17-0x00000000025E0000-0x0000000002611000-memory.dmp

memory/2696-23-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2696-19-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\spoolsv.exe

MD5 1091748622669af5aaf1d6a2dda2f934
SHA1 b7dca01a55ecbde7229bfcd4cbc336d4ab2e542d
SHA256 9aefb0ee6afc4aaa4743f0a9ce8b3bc6db3c2e294be45137c64273ece786ed62
SHA512 0e1631d86be6674c6af32ba5de46e2151608230a687c85cc50ff0b0ff0ee6310d5ff5868be978cd366842bbe86c4fa681316a5fbb7839d7ab36ff4155277dcac

memory/2804-35-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\svchost.exe

MD5 eaa12232e59e03609f8ab5ac67b0e162
SHA1 d1c11e6d0d7fad76cb5df7945afd72b2e502b9e9
SHA256 30af236c4d9bbe6dc64cc9f57a3eec7eaa11f17a07cfea9cc643149f2a827944
SHA512 03dc211e7791591ac3fcf66818d569c47e961ce122ead4b7444435bf7d50cd62f2f9500dbe58bb20d60012de952bee0a72ab08b06143f4ae1f07e941ada9fe2c

memory/2804-47-0x0000000002540000-0x0000000002571000-memory.dmp

memory/920-50-0x0000000000401000-0x000000000042E000-memory.dmp

memory/920-46-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2488-65-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2488-71-0x0000000000400000-0x0000000000431000-memory.dmp

memory/920-78-0x0000000000401000-0x000000000042E000-memory.dmp

memory/920-77-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2804-75-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 ac2008410eb3b12f1ad96fc0c6a84248
SHA1 fb2a56b2776ba9911cbc6d3a3e18b7dc09184fff
SHA256 37ae97573409a91bf3dc846fbfde547db98cdae22ba54c9561aa55c4354c9624
SHA512 df8bd04dc91ebb7102d0d5f925fa5f759bf57c6e5e737e728f09de76faadb7088c7c901a2e3db8a714853f191214cfcfdd1eb5b1c164b89140b6f472330a9447

memory/2508-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2508-55-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2696-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2804-39-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2696-80-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2508-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2696-90-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 05:01

Reported

2024-06-14 05:03

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4244 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | \??\c:\windows\system\explorer.exe
PID 4244 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | \??\c:\windows\system\explorer.exe
PID 4244 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe | \??\c:\windows\system\explorer.exe
PID 1600 wrote to memory of 4212 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 1600 wrote to memory of 4212 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 1600 wrote to memory of 4212 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 4212 wrote to memory of 1364 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 4212 wrote to memory of 1364 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 4212 wrote to memory of 1364 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 1364 wrote to memory of 3800 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 1364 wrote to memory of 3800 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 1364 wrote to memory of 3800 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 1364 wrote to memory of 2888 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1364 wrote to memory of 2888 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1364 wrote to memory of 2888 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1364 wrote to memory of 4912 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1364 wrote to memory of 4912 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1364 wrote to memory of 4912 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1364 wrote to memory of 4404 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1364 wrote to memory of 4404 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1364 wrote to memory of 4404 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe

"C:\Users\Admin\AppData\Local\Temp\de9e2b7e3ced43c89a64921493b3ae58f27f34f586022364d34dfc07f2420c66.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 05:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Files

memory/4244-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4244-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/4244-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4244-2-0x00000000757F0000-0x000000007594D000-memory.dmp

memory/4244-5-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 d6aa79ac6471299ab40e90a2074a2655
SHA1 6b0e759719ef9d0209a6cb92b642a46ab4391c00
SHA256 4c4865383091d86906fbe291de76c6c222c8e74da3348cb138495813a9013c09
SHA512 17e6d460091502e37cc52675cc23d9ea35235dec813dc39d7a07d5291f6aecd1b03cbd6b4b85814b2ac20af619ada0e00778ae49db7d2f7608f348831632772f

memory/1600-16-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1600-14-0x00000000757F0000-0x000000007594D000-memory.dmp

memory/1600-13-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 75e6135afde03df38a10ae82a06ef572
SHA1 7c3c60c9eebee01f13d855e88b58dd7c2764a849
SHA256 c0a4a3b452410ba49350b5ab9bb0a0797b1333b3e49fab275b85b228fb1b6693
SHA512 c8f942e852f1fe51301f0b06b6f6997aad4d07bd44cf6493c4a99254c51d12579e2c7ac88aaf6a1b46a026deb78ecd622e5b9c93dac55b56319fa6cc9db22714

memory/4212-25-0x00000000757F0000-0x000000007594D000-memory.dmp

C:\Windows\System\svchost.exe

MD5 d3953365851d4ed574df59ebf35d7964
SHA1 3c5abb69594fee6456c3e0fcc7f81785cf1eca7a
SHA256 7106e5c4f4ce775df797997d4ec97541241ce291a89bdd6a55379d67679c0619
SHA512 7ae4c6e45548e1c019272854319941b774e248d8cb298ecbc29e0af877cf9caefae3a13b787e699e59c15091315617c34c6de1083a2669f4b9c903a0403a00ce

memory/1364-34-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1364-36-0x00000000757F0000-0x000000007594D000-memory.dmp

memory/1364-40-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3800-43-0x00000000757F0000-0x000000007594D000-memory.dmp

memory/3800-49-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4244-55-0x0000000000401000-0x000000000042E000-memory.dmp

memory/4212-57-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 c47ec858a589450d8c2468e174c7c140
SHA1 86fe0f5ba2792606762cbb96f49f55437c9f5736
SHA256 22ae54d5afefa08628b6ba3363c32ecfa820d8a3be2454a23ac35c9b1fb6880f
SHA512 064c69de0a4a6ff63fe71d14d7da2b18a70793b5e257ec41ed9c7ad2500b5180477d0102a86da879313760e62643a5f4a27085694eaa5dd409b51d7a0476adb5

memory/4244-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1600-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1364-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1600-69-0x0000000000400000-0x0000000000431000-memory.dmp