ad40c4e15565e5e3962fd54c8f7cc1eba646c25188db1a876cc6747e8589f254

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad40c4e15565e5e3962fd54c8f7cc1eba646c25188db1a876cc6747e8589f254.exe
Size

206KB
MD5

e2ba77cc58e9e927493399a11f23ccd5
SHA1

5c87978b66971a42c10f425146b6ce965be49a07
SHA256

ad40c4e15565e5e3962fd54c8f7cc1eba646c25188db1a876cc6747e8589f254
SHA512

df3b2e4b0d24ec73fd91e5d3c1f19ccff6eeee1a5097f9b597cd9b5af23be8c31cb7a07dce7bb3ec79094dc7e24250431fcbbe3ee61896e6d67865af915f9d16
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unjS:5vEN2U+T6i5LirrllHy4HUcMQY6T

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
4608	explorer.exe
1004	spoolsv.exe
2904	svchost.exe
220	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	ad40c4e15565e5e3962fd54c8f7cc1eba646c25188db1a876cc6747e8589f254.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2540	ad40c4e15565e5e3962fd54c8f7cc1eba646c25188db1a876cc6747e8589f254.exe
2540	ad40c4e15565e5e3962fd54c8f7cc1eba646c25188db1a876cc6747e8589f254.exe
4608	explorer.exe
4608	explorer.exe
4608	explorer.exe
4608	explorer.exe
4608	explorer.exe
4608	explorer.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
4608	explorer.exe
4608	explorer.exe
2904	svchost.exe
2904	svchost.exe
4608	explorer.exe
4608	explorer.exe
2904	svchost.exe
2904	svchost.exe
4608	explorer.exe
4608	explorer.exe
2904	svchost.exe
2904	svchost.exe
4608	explorer.exe
4608	explorer.exe
2904	svchost.exe
2904	svchost.exe
4608	explorer.exe
4608	explorer.exe
2904	svchost.exe
2904	svchost.exe
4608	explorer.exe
4608	explorer.exe
2904	svchost.exe
2904	svchost.exe
4608	explorer.exe
4608	explorer.exe
2904	svchost.exe
2904	svchost.exe
4608	explorer.exe
4608	explorer.exe
2904	svchost.exe
2904	svchost.exe
4608	explorer.exe
4608	explorer.exe
2904	svchost.exe
2904	svchost.exe
4608	explorer.exe
4608	explorer.exe
2904	svchost.exe
2904	svchost.exe
4608	explorer.exe
4608	explorer.exe
2904	svchost.exe
2904	svchost.exe
4608	explorer.exe
4608	explorer.exe
2904	svchost.exe
2904	svchost.exe
4608	explorer.exe
4608	explorer.exe
2904	svchost.exe
2904	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4608	explorer.exe
2904	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2540	ad40c4e15565e5e3962fd54c8f7cc1eba646c25188db1a876cc6747e8589f254.exe
2540	ad40c4e15565e5e3962fd54c8f7cc1eba646c25188db1a876cc6747e8589f254.exe
4608	explorer.exe
4608	explorer.exe
1004	spoolsv.exe
1004	spoolsv.exe
2904	svchost.exe
2904	svchost.exe
220	spoolsv.exe
220	spoolsv.exe
4608	explorer.exe
4608	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 4608	2540	ad40c4e15565e5e3962fd54c8f7cc1eba646c25188db1a876cc6747e8589f254.exe	81
PID 2540 wrote to memory of 4608	2540	ad40c4e15565e5e3962fd54c8f7cc1eba646c25188db1a876cc6747e8589f254.exe	81
PID 2540 wrote to memory of 4608	2540	ad40c4e15565e5e3962fd54c8f7cc1eba646c25188db1a876cc6747e8589f254.exe	81
PID 4608 wrote to memory of 1004	4608	explorer.exe	82
PID 4608 wrote to memory of 1004	4608	explorer.exe	82
PID 4608 wrote to memory of 1004	4608	explorer.exe	82
PID 1004 wrote to memory of 2904	1004	spoolsv.exe	83
PID 1004 wrote to memory of 2904	1004	spoolsv.exe	83
PID 1004 wrote to memory of 2904	1004	spoolsv.exe	83
PID 2904 wrote to memory of 220	2904	svchost.exe	84
PID 2904 wrote to memory of 220	2904	svchost.exe	84
PID 2904 wrote to memory of 220	2904	svchost.exe	84
PID 2904 wrote to memory of 4920	2904	svchost.exe	85
PID 2904 wrote to memory of 4920	2904	svchost.exe	85
PID 2904 wrote to memory of 4920	2904	svchost.exe	85
PID 2904 wrote to memory of 2960	2904	svchost.exe	94
PID 2904 wrote to memory of 2960	2904	svchost.exe	94
PID 2904 wrote to memory of 2960	2904	svchost.exe	94
PID 2904 wrote to memory of 3900	2904	svchost.exe	96
PID 2904 wrote to memory of 3900	2904	svchost.exe	96
PID 2904 wrote to memory of 3900	2904	svchost.exe	96

C:\Users\Admin\AppData\Local\Temp\ad40c4e15565e5e3962fd54c8f7cc1eba646c25188db1a876cc6747e8589f254.exe
"C:\Users\Admin\AppData\Local\Temp\ad40c4e15565e5e3962fd54c8f7cc1eba646c25188db1a876cc6747e8589f254.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4608
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:220
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4920
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2960
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
9c4692260f708e9992ce0366db6ba049

SHA1
ada30a388aa55a370672934acb0dac751329147a

SHA256
e7632ef561de178ea8f3fab0279b39f64a2ea4b390129889546ba0a257a42049

SHA512
d86caed5fa99ea76d50f494e2289d8d6c657b21a58750c56d6036b779328a08fb74f6c104c92c9308f405c568f70c4c298099aa2bc8ebac1904d2b34e0bddcd3

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
6f716c55f3789d0aecf3b061311fd231

SHA1
423482001dc1abf6e5575a365a5f4a6f758624cd

SHA256
76f1ed5f453399ac9be7e4a04ad4b0b02d936e9bdabff4385e16649703eff274

SHA512
0f3ee378e480b9e39952d6254d05bdd9882482403af7f2c8bc5db213357387d031999f0c8d57e1356b53c67302d6d9ea7bde0f8b952e0bbed5707a45ba49422c

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
47d60de159325b6a8b7fa258f06069d9

SHA1
248384137389dcf9678ef5b24c1ee789b9118bf1

SHA256
f8a46845c29eadebb47595d197fc52a85058bbe709263435897c1090614d2502

SHA512
01a2311f5b313a8b45d28f991738cd3c78740fd51d600d884973a176bc81d9ac0f6e10862a9e918bfc769be19f40b09879114d2bbe12bd76119d689657940861

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
b6abba32e2bd5e118f487da3e317d918

SHA1
435276daac17978e77a1b484d9f2465bcfbb4a7b

SHA256
1daa445105d2f8777cd3445811d154e10fa2c9e5e13024fcf7ac159763a5d264

SHA512
e0cc46a0c5b69c3726ff04a1d5afccd24103067f4ce4ad5ecd43a21a25239475bdd9426db07faccc714cf5156ad95f2395ff892a9a735b5745efa8f1ce0e07ce

Download Submit
memory/220-35-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download