Malware Analysis Report

2025-01-06 12:10

Sample ID 240614-fv4brazflj
Target e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8
SHA256 e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8

Threat Level: Known bad

The file e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 05:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 05:12

Reported

2024-06-14 05:15

Platform

win7-20240611-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe \??\c:\windows\system\explorer.exe
PID 1180 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe \??\c:\windows\system\explorer.exe
PID 1180 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe \??\c:\windows\system\explorer.exe
PID 1180 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe \??\c:\windows\system\explorer.exe
PID 1944 wrote to memory of 2764 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1944 wrote to memory of 2764 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1944 wrote to memory of 2764 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1944 wrote to memory of 2764 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2764 wrote to memory of 2072 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2764 wrote to memory of 2072 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2764 wrote to memory of 2072 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2764 wrote to memory of 2072 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2072 wrote to memory of 2536 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2072 wrote to memory of 2536 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2072 wrote to memory of 2536 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2072 wrote to memory of 2536 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2072 wrote to memory of 1980 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2072 wrote to memory of 1980 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2072 wrote to memory of 1980 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2072 wrote to memory of 1980 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2072 wrote to memory of 1520 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2072 wrote to memory of 1520 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2072 wrote to memory of 1520 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2072 wrote to memory of 1520 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2072 wrote to memory of 1296 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2072 wrote to memory of 1296 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2072 wrote to memory of 1296 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2072 wrote to memory of 1296 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe

"C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 05:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/1180-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/1180-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1180-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1180-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1180-4-0x0000000000401000-0x000000000042E000-memory.dmp

\Windows\system\explorer.exe

MD5 39c09e1b4054629ade1f8ba089a80ff4
SHA1 095fd1dfa807d93adc20c9b18c3f45b251ea10db
SHA256 e04c973616935e1faad0a5bf39b664b01bf0cec1caf1b3ec32d29935aaf3fed6
SHA512 f96c7eae62f2db5404252501df91e5ec8ed245838b6b64817bb4a40b99325c6f94b7945f6c7330fce3e5834abbed02bf898090f4d01ec9aab4d60ec32880a228

memory/1180-17-0x0000000003110000-0x0000000003141000-memory.dmp

memory/1944-18-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1944-22-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1944-29-0x0000000002650000-0x0000000002681000-memory.dmp

\Windows\system\spoolsv.exe

MD5 d51d896d23934341373e8a006fc4cd88
SHA1 061f510a937e70aa010d512c6713fc9daf150884
SHA256 14a9a6e6ee8775ce8ad81b7580febd4af8e834cc03928e33e8f5d107c63392fe
SHA512 3833cf34528461b4fe81df9304ddad2b9ba5cf0b8a841cc06ef0cfc94c97b4425c1d826c796a7bb5be195696790eb6b29b6a90bf45e44f61485185be4b859496

memory/2764-39-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2764-35-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\svchost.exe

MD5 514a1fa33ccb6467a27d2af9425f6c4d
SHA1 85f7e34a3300021f95ba92904e069f03829e7a67
SHA256 d9efd3203a7af0f89536d2625f75486851f5c35b3c149dd9c14b8b0f058f40fa
SHA512 aacf8b9546c2220e27f9345e329620fa02c2c7b875223e9d0cc5ccbbd8188845ff471f255edbd679cd30b8694d59ec0fab9cef749ada14ffa7093fd026fb3d9b

memory/1180-58-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2072-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2764-56-0x00000000025C0000-0x00000000025F1000-memory.dmp

memory/2072-52-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1180-51-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2536-64-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2536-70-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2764-74-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1180-77-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1180-76-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 be91e41eb919b0ef6d275764423602ef
SHA1 702217142fe21aa7da585e11db0a0cbeb7fd6e41
SHA256 c2e6ddff89e3bcda6e525b22893914d9f64959a81e17d036f5cb430970739980
SHA512 6a842d8b1bd2e3704259889c14a30f3325cbbec2c7ef59b923529781e463e772edf5989f566134184caa181eef79f8d4612b26d9429adedadd12bebc5d142fab

memory/1944-79-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1944-80-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2072-82-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1944-91-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 05:12

Reported

2024-06-14 05:15

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4028 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe \??\c:\windows\system\explorer.exe
PID 4028 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe \??\c:\windows\system\explorer.exe
PID 4028 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe \??\c:\windows\system\explorer.exe
PID 4400 wrote to memory of 1928 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4400 wrote to memory of 1928 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4400 wrote to memory of 1928 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1928 wrote to memory of 3924 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1928 wrote to memory of 3924 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1928 wrote to memory of 3924 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3924 wrote to memory of 5060 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3924 wrote to memory of 5060 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3924 wrote to memory of 5060 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3924 wrote to memory of 4992 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3924 wrote to memory of 4992 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3924 wrote to memory of 4992 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3924 wrote to memory of 3628 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3924 wrote to memory of 3628 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3924 wrote to memory of 3628 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3924 wrote to memory of 4428 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3924 wrote to memory of 4428 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3924 wrote to memory of 4428 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe

"C:\Users\Admin\AppData\Local\Temp\e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 05:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
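The persistence mechanisms recorded in both detonations (the comma-extended Winlogon Shell value, the two Active Setup StubPath components pointing at %APPDATA%\mrsys.exe, the Explorer/Svchost RunOnce values, the at.exe jobs, and the copies of explorer.exe, spoolsv.exe, svchost.exe and udsys.exe dropped into C:\Windows\System) translate directly into a host check. The following PowerShell script is an added example written for this report; it is not sandbox output and not code from the sample. Registry paths, value names, component names and file paths are taken from the tables above; the function name Find-SamplePersistence, the finding format and the two heuristics that go beyond the literal indicators (a component name that looks like a GUID but contains non-hex characters, and a StubPath under a user profile) are assumptions of mine.

```powershell
# Added hunt script (not part of the sandbox report). Read-only; run elevated.
# Needs Get-FileHash, i.e. PowerShell 4.0 or later.
function Find-SamplePersistence {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Category, [string]$Location, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Location = $Location; Detail = $Detail })
    }

    # The sample is a 32-bit PE (it launches SysWOW64\at.exe), so on x64 hosts its
    # registry writes land under Wow6432Node; check both views.
    $views = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')

    foreach ($v in $views) {
        # 1. Winlogon Shell: the report shows the default replaced by a
        #    comma-separated list, which Winlogon launches entry by entry.
        $wl = "$v\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shell -and $shell.Trim() -ne 'explorer.exe') {
            Add-Finding 'Winlogon Shell' "$wl\Shell" $shell
        }

        # 2. Active Setup Installed Components: StubPath runs once per user at logon.
        #    Flag the two component names from the report, any name that looks like a
        #    GUID but contains non-hex characters (heuristic, both of the sample's do),
        #    and any stub launched from a user profile (heuristic).
        $known = @('{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}', '{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}')
        $guid  = '^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$'
        Get-ChildItem -Path "$v\Microsoft\Active Setup\Installed Components" -ErrorAction SilentlyContinue |
            ForEach-Object {
                $name = $_.PSChildName
                $stub = (Get-ItemProperty -Path $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
                if ($known -contains $name) {
                    Add-Finding 'Active Setup: known component' $_.PSPath $stub
                } elseif ($name -like '{*' -and $name -notmatch $guid) {
                    Add-Finding 'Active Setup: malformed GUID' $_.PSPath $stub
                } elseif ($stub -and $stub -match '\\Users\\|\\AppData\\|\\Temp\\') {
                    Add-Finding 'Active Setup: stub in user profile' $_.PSPath $stub
                }
            }

        # 3. Run/RunOnce values that launch anything from C:\Windows\System. The real
        #    explorer.exe and svchost.exe live in C:\Windows and C:\Windows\System32,
        #    never in C:\Windows\System.
        foreach ($rk in @("$v\Microsoft\Windows\CurrentVersion\Run", "$v\Microsoft\Windows\CurrentVersion\RunOnce")) {
            $props = Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not values
                if ("$($p.Value)" -match '\\windows\\system\\') {
                    Add-Finding 'Run/RunOnce' "$rk\$($p.Name)" $p.Value
                }
            }
        }
    }

    # 4. Dropped binaries. The two detonations drop the same file names with
    #    different hashes, so key on the paths and only record the hash for triage.
    $paths = foreach ($n in 'explorer.exe', 'spoolsv.exe', 'svchost.exe', 'udsys.exe') {
        Join-Path $env:SystemRoot "System\$n"
    }
    $paths += Join-Path $env:APPDATA 'mrsys.exe'
    foreach ($f in $paths) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            Add-Finding 'Dropped file' $f "SHA256 $h"
        }
    }

    # 5. Scheduled jobs. at.exe creates tasks named At1, At2, ... that schtasks lists.
    #    On Windows 8 and later at.exe is deprecated and refuses to create jobs, so
    #    finding none on a Windows 10 host does not mean the sample did not try.
    $tasks = schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv
    foreach ($t in $tasks) {
        if ("$($t.'Task To Run')" -match '\\windows\\system\\') {
            Add-Finding 'Scheduled task' $t.TaskName $t.'Task To Run'
        }
    }

    return $findings
}

Find-SamplePersistence | Format-Table -AutoSize
```

Two caveats on what this deliberately does not check. The ShowSuperHidden value is left alone: 0 is the Windows default, so the at-rest value proves nothing; that signature is about the write event by c:\windows\system\svchost.exe, which only process or registry auditing will show. And the hashes of the dropped files are recorded but not matched against the report, because the win7 and win10 runs produced different SHA256 values for the same file names; the paths are the durable indicator.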

Network

Files

memory/4028-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4028-1-0x00000000001D0000-0x00000000001D4000-memory.dmp

memory/4028-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4028-2-0x0000000075790000-0x00000000758ED000-memory.dmp

memory/4028-5-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 b063f4906f019c7179f9c31a79a78792
SHA1 6d5c67e568b8cec023190d944d572b0a56310772
SHA256 3bf17da7e412c31dc28fb37d974f9b59f5ac9d4df3590b1e244c51f45275587f
SHA512 6b7060b5a4bcef0bfc3718d75092ab14bba9be8de82dc4cfba7c5bd469f8be1f5b9595870ed504783ef345780ed03e8487f7c0c9ec2d6c2b1f2a00ab4472325a

memory/4400-15-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4400-16-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4400-13-0x0000000075790000-0x00000000758ED000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 c7a369e9109ec88dd58402e2fad8f3b1
SHA1 71bf3cf7898d4a701d7044ae4e7e0ab93be6078b
SHA256 e1848bd79115a9350b4c97cfe1e9277a324c1524a3647c91d545d8ac8fa2797c
SHA512 0170b06412d86c9d0890baf64541bcd72fb1bc3c306555fa89f4b81f1193f7a8d9da177feb52191603cb27db8cd2984df204b420b4ba891018b7a5414b5ae05e

memory/1928-26-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1928-25-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1928-27-0x0000000075790000-0x00000000758ED000-memory.dmp

memory/1928-31-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 137e69fa90ee3b9eda8ac002d9cd73d0
SHA1 9532c5f1d3282d4fb066dddd76b03650233bf8e1
SHA256 2325b47e5f579ac3138cf0d51c0b7cc7291651f0e7d6f063f463ecbf1e3e3467
SHA512 0d1a978b130d1b2e6e96fe770b62c392ee549799a8db70aa8da362d18ab0c4608f0a5e0186f32cbc4aebda1f3d9c26dbb47b8309b08f049828c513ef3c2278d3

memory/3924-38-0x0000000075790000-0x00000000758ED000-memory.dmp

memory/3924-43-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5060-45-0x0000000075790000-0x00000000758ED000-memory.dmp

memory/5060-51-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1928-55-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4028-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4028-58-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 8675441fe48540f0876fb8100c0571ce
SHA1 5354e38fc89976591113b793a3fee530bddbb28d
SHA256 09f5432976e6e426254e82ce6f13b375747dc40e66b3af88613cf3f01f24c3ba
SHA512 66fd12cee2d206f16a306abd347453f2faf4789a91eb668a62b8712c196ad8465c8f351823bc895620da9cca16fde753e0163d3a8233be3d71b763c42ead204e

memory/4400-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3924-62-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4400-71-0x0000000000400000-0x0000000000431000-memory.dmp