35885025fc4fc449136bbc933843d1cca8c476b40d90b9b1e82e376bd33e45c8

Analysis

max time kernel
150s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 03:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35885025fc4fc449136bbc933843d1cca8c476b40d90b9b1e82e376bd33e45c8.exe
Size

206KB
MD5

7ae19af7c28af870c0351096640602a0
SHA1

4fdba8fbc644f7b9a45166e91e9242299e1a6daf
SHA256

35885025fc4fc449136bbc933843d1cca8c476b40d90b9b1e82e376bd33e45c8
SHA512

96d445443c7e74ff86fc0b6055c959dd6ae9364623672d77069d9e0c77b5402de281219a0d7baf598dfeb46e2b8263621fce8c188b432cbe56f08f1222f2684c
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unh:zvEN2U+T6i5LirrllHy4HUcMQY6M

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
3528	explorer.exe
968	spoolsv.exe
4160	svchost.exe
3956	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	35885025fc4fc449136bbc933843d1cca8c476b40d90b9b1e82e376bd33e45c8.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3064	35885025fc4fc449136bbc933843d1cca8c476b40d90b9b1e82e376bd33e45c8.exe
3064	35885025fc4fc449136bbc933843d1cca8c476b40d90b9b1e82e376bd33e45c8.exe
3528	explorer.exe
3528	explorer.exe
3528	explorer.exe
3528	explorer.exe
3528	explorer.exe
3528	explorer.exe
4160	svchost.exe
4160	svchost.exe
4160	svchost.exe
4160	svchost.exe
3528	explorer.exe
3528	explorer.exe
4160	svchost.exe
4160	svchost.exe
3528	explorer.exe
3528	explorer.exe
4160	svchost.exe
4160	svchost.exe
3528	explorer.exe
3528	explorer.exe
4160	svchost.exe
4160	svchost.exe
3528	explorer.exe
3528	explorer.exe
4160	svchost.exe
4160	svchost.exe
3528	explorer.exe
3528	explorer.exe
4160	svchost.exe
4160	svchost.exe
3528	explorer.exe
3528	explorer.exe
4160	svchost.exe
4160	svchost.exe
3528	explorer.exe
3528	explorer.exe
4160	svchost.exe
4160	svchost.exe
3528	explorer.exe
3528	explorer.exe
4160	svchost.exe
4160	svchost.exe
3528	explorer.exe
3528	explorer.exe
4160	svchost.exe
4160	svchost.exe
3528	explorer.exe
3528	explorer.exe
4160	svchost.exe
4160	svchost.exe
3528	explorer.exe
3528	explorer.exe
4160	svchost.exe
4160	svchost.exe
3528	explorer.exe
3528	explorer.exe
4160	svchost.exe
4160	svchost.exe
3528	explorer.exe
3528	explorer.exe
4160	svchost.exe
4160	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3528	explorer.exe
4160	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3064	35885025fc4fc449136bbc933843d1cca8c476b40d90b9b1e82e376bd33e45c8.exe
3064	35885025fc4fc449136bbc933843d1cca8c476b40d90b9b1e82e376bd33e45c8.exe
3528	explorer.exe
3528	explorer.exe
968	spoolsv.exe
968	spoolsv.exe
4160	svchost.exe
4160	svchost.exe
3956	spoolsv.exe
3956	spoolsv.exe
3528	explorer.exe
3528	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 3528	3064	35885025fc4fc449136bbc933843d1cca8c476b40d90b9b1e82e376bd33e45c8.exe	82
PID 3064 wrote to memory of 3528	3064	35885025fc4fc449136bbc933843d1cca8c476b40d90b9b1e82e376bd33e45c8.exe	82
PID 3064 wrote to memory of 3528	3064	35885025fc4fc449136bbc933843d1cca8c476b40d90b9b1e82e376bd33e45c8.exe	82
PID 3528 wrote to memory of 968	3528	explorer.exe	83
PID 3528 wrote to memory of 968	3528	explorer.exe	83
PID 3528 wrote to memory of 968	3528	explorer.exe	83
PID 968 wrote to memory of 4160	968	spoolsv.exe	84
PID 968 wrote to memory of 4160	968	spoolsv.exe	84
PID 968 wrote to memory of 4160	968	spoolsv.exe	84
PID 4160 wrote to memory of 3956	4160	svchost.exe	85
PID 4160 wrote to memory of 3956	4160	svchost.exe	85
PID 4160 wrote to memory of 3956	4160	svchost.exe	85
PID 4160 wrote to memory of 1240	4160	svchost.exe	86
PID 4160 wrote to memory of 1240	4160	svchost.exe	86
PID 4160 wrote to memory of 1240	4160	svchost.exe	86
PID 4160 wrote to memory of 916	4160	svchost.exe	100
PID 4160 wrote to memory of 916	4160	svchost.exe	100
PID 4160 wrote to memory of 916	4160	svchost.exe	100
PID 4160 wrote to memory of 2972	4160	svchost.exe	104
PID 4160 wrote to memory of 2972	4160	svchost.exe	104
PID 4160 wrote to memory of 2972	4160	svchost.exe	104

C:\Users\Admin\AppData\Local\Temp\35885025fc4fc449136bbc933843d1cca8c476b40d90b9b1e82e376bd33e45c8.exe
"C:\Users\Admin\AppData\Local\Temp\35885025fc4fc449136bbc933843d1cca8c476b40d90b9b1e82e376bd33e45c8.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3528
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:968
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3956
    - - C:\Windows\SysWOW64\at.exe
        
        at 03:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1240
    - - C:\Windows\SysWOW64\at.exe
        
        at 03:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:916
    - - C:\Windows\SysWOW64\at.exe
        
        at 03:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
353a3b05e65dee7bcd2e1c6ccd031b0b

SHA1
f48c85795cbc4be59bcd1c8397f44617dce5f75a

SHA256
cef41801e91de08002099e27014e952eb8bcd32f457856fcf9382c7ffc1dca0e

SHA512
8a75a451cd68159b75b39700d3cedd99f2f3bd8fd236af90594db4f0f9b97ae76d5cea53077e1e7ccd5ca0cc02592e0c8828b2cca1d00c04e53c6a3d6ab1d114

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
76b74ee075b28007a8d6eb97a97f8d8b

SHA1
dfa27372b6b89fef8fe92b9700a1deb3c4f08f26

SHA256
eccb2e074adb25cb992ab53e2d98920cfed3a8ffe59b9c27e5f1e6f08abbd9dc

SHA512
09137f9d8515ce43ef09418b59b6413b879bcc0b79c92ac2ff176df49c612e462c4235b090f2a0085e56ac3ed4c1fae98b2f12b21fe370e1a31a1913e9a9d2d4

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
5fc57fe81f6b93c93d88606e06a11681

SHA1
9fef6cb6294aab7bc98487089ead67d51a1fb8f9

SHA256
91a6016bf8c10efa6a94fc408b1dbf6afb10fd6bb96058c413a3a8bb3bccd09d

SHA512
ad52be4e0a5f05581e560c19b0efb1c74ae4eced8ce9e2a56c552c87d9dc444f9730ce8dfd664965e9566110df4cdb3eca449597e43c3f13f8faa9b54c24f326

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
15c9328b7aff6ab0bfb7eca540ed3838

SHA1
66c6fe47b7cfede7a2e5d13b9adb10988d39521c

SHA256
af8d7acda13c475c4a7f1771f0b41bcf549ff198d97d61f4f0abc496642c1a8c

SHA512
383e4b82aae60a44ad2bb01ddab83ea66fdc2f59608ffe0c3649966b01f53671f918db2d89fdd32dfd2496352dcfefa2521c91e2f12692162a4ccac546c392c9

Download Submit