cb166080bccfc128252ac9693620d73826370f2f8ab0b904f950dcb4cd6ebedb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 02:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb166080bccfc128252ac9693620d73826370f2f8ab0b904f950dcb4cd6ebedb.exe
Size

211KB
MD5

f9d7b1397099a1abd0aa246bea66d825
SHA1

d29efe421dd5a0a54a2f844c926dd1992f384c7f
SHA256

cb166080bccfc128252ac9693620d73826370f2f8ab0b904f950dcb4cd6ebedb
SHA512

cca9ef97c1d26aa661ca27d9a910dd990e7391f1ea1f9a595e30d83608539f4e8d00f3c6aca2decd8b10b6eb9941fe75961d7c783b9f814658101b5a39dfde50
SSDEEP

3072:vDEPeJlYW1ea8HKHSRUN3jjXs9Y+MiMVB/w68PEAjAfIrAvGPZz6sPJBIiFe/GcP:vSAl1IK1aY+MiMVBSeh

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	userinit.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	swchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	userinit.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3748	userinit.exe
452	spoolsw.exe
3872	swchost.exe
2560	spoolsw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	userinit.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\udsys.exe	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\spoolsw.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	spoolsw.exe
File opened for modification	\??\c:\windows\userinit.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	swchost.exe
File opened for modification	\??\c:\windows\userinit.exe	cb166080bccfc128252ac9693620d73826370f2f8ab0b904f950dcb4cd6ebedb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3092	cb166080bccfc128252ac9693620d73826370f2f8ab0b904f950dcb4cd6ebedb.exe
3092	cb166080bccfc128252ac9693620d73826370f2f8ab0b904f950dcb4cd6ebedb.exe
3748	userinit.exe
3748	userinit.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3748	userinit.exe
3872	swchost.exe
3872	swchost.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3748	userinit.exe
3872	swchost.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3872	swchost.exe
3748	userinit.exe
3748	userinit.exe
3872	swchost.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3872	swchost.exe
3748	userinit.exe
3748	userinit.exe
3872	swchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3872	swchost.exe
3748	userinit.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3092	cb166080bccfc128252ac9693620d73826370f2f8ab0b904f950dcb4cd6ebedb.exe
3092	cb166080bccfc128252ac9693620d73826370f2f8ab0b904f950dcb4cd6ebedb.exe
3748	userinit.exe
3748	userinit.exe
452	spoolsw.exe
452	spoolsw.exe
3872	swchost.exe
3872	swchost.exe
2560	spoolsw.exe
2560	spoolsw.exe
3748	userinit.exe
3748	userinit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 3748	3092	cb166080bccfc128252ac9693620d73826370f2f8ab0b904f950dcb4cd6ebedb.exe	82
PID 3092 wrote to memory of 3748	3092	cb166080bccfc128252ac9693620d73826370f2f8ab0b904f950dcb4cd6ebedb.exe	82
PID 3092 wrote to memory of 3748	3092	cb166080bccfc128252ac9693620d73826370f2f8ab0b904f950dcb4cd6ebedb.exe	82
PID 3748 wrote to memory of 452	3748	userinit.exe	83
PID 3748 wrote to memory of 452	3748	userinit.exe	83
PID 3748 wrote to memory of 452	3748	userinit.exe	83
PID 452 wrote to memory of 3872	452	spoolsw.exe	84
PID 452 wrote to memory of 3872	452	spoolsw.exe	84
PID 452 wrote to memory of 3872	452	spoolsw.exe	84
PID 3872 wrote to memory of 2560	3872	swchost.exe	85
PID 3872 wrote to memory of 2560	3872	swchost.exe	85
PID 3872 wrote to memory of 2560	3872	swchost.exe	85

C:\Users\Admin\AppData\Local\Temp\cb166080bccfc128252ac9693620d73826370f2f8ab0b904f950dcb4cd6ebedb.exe
"C:\Users\Admin\AppData\Local\Temp\cb166080bccfc128252ac9693620d73826370f2f8ab0b904f950dcb4cd6ebedb.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3092
- \??\c:\windows\userinit.exe
  c:\windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3748
- - \??\c:\windows\spoolsw.exe
    c:\windows\spoolsw.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:452
  - - \??\c:\windows\swchost.exe
      c:\windows\swchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3872
    - - \??\c:\windows\spoolsw.exe
        
        c:\windows\spoolsw.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mrsys.exe

Filesize
211KB

MD5
fe19939d5beb902e8a66409d495de117

SHA1
4f8b2f89e219a8b18583a1017afb675624ff705f

SHA256
48c6daef3547e946e00e61420169db11fa3eada0cbc871587617a9224e804b70

SHA512
af99920e276062632342b854cc1b99ac066be0f518f8eae24d53f0ea016ec29808bd5e145111a3d6a566448ff8863f2069b6186342d39403192591130c25f4f5

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
816a50b3a380113633819a5977592e9b

SHA1
491147d8e7ec9b3755c9783ded90253ef9c57990

SHA256
9724a92c904fdd7dd5e8e4d47cd0c3bb4158d29f6fad65ea4231ffc586ac8dc6

SHA512
b657157262da51b7a821d22a31d1dfda002e6e2ab2646dfef92a970f41d18d47f9d77c791691ac38733f1187b6e3d884714f8a289c1fcce4f444795b581aa1b8

Download Submit
C:\Windows\swchost.exe

Filesize
211KB

MD5
e0f15bf14902224d5720a1aad91d12ef

SHA1
9a212712b32e52364bfea899c438167c6a1a887d

SHA256
fd28dbb77f389d1b67c0be30f48bed93a5cf1c305db1720c0f88b45a2a51d31b

SHA512
dc4ba8811e80767c634c39508b4f8cc9bc5ff2688b6f90d6979db96ec0768b7425b9ad6ea8ad73a952fa50a2f718abfede656132a072fb2eff2820ab8b1b55f5

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
aeb8465da75f85a8538d267eb3f75cfc

SHA1
d88fdc352a1045b9b3d1e1c588dff9f1387d4dd2

SHA256
93344f26c6794de6369b3435959281263c7e9d241bfa5ea67b6c965925341c9e

SHA512
382b6713e04da9294cdf83889854da69708a457622f714e8a5da1bac36efae3b354ffd699db0920ab725c79ca5f6e0ec4aa3650b39d9f1329efe1d4a03c02ea7

Download Submit