b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
Size

1.4MB
MD5

f2af0cf68dfd2a651cc66ad92ea4524a
SHA1

95ccb921e2f012b426ee89b1901b28ef661d93eb
SHA256

b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74
SHA512

4cade9d6e64030d5bfb1dffe451efbba70c8c1a7d77b945fdd364870773504c634efc3a662b1ae2b2ceb1c39939a47efbb545ba65a1c634330df181119fac198
SSDEEP

24576:T9cdOqX1uuMliQzd4mNy9Sh5hJgpiwVQLJaOSZ4LehoZza9gNWmAO5ehlM+:T9UX1uBx4mYo83vOSeyeaKrE

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4024	explorer.exe
4624	spoolsv.exe
1684	svchost.exe
1080	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs

pid	Process
2972	b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
4024	explorer.exe
4624	spoolsv.exe
1684	svchost.exe
1080	spoolsv.exe
1080	spoolsv.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2972	b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
2972	b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
4024	explorer.exe
4024	explorer.exe
4024	explorer.exe
4024	explorer.exe
4024	explorer.exe
4024	explorer.exe
4024	explorer.exe
4024	explorer.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
4024	explorer.exe
4024	explorer.exe
1684	svchost.exe
1684	svchost.exe
4024	explorer.exe
4024	explorer.exe
1684	svchost.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
4024	explorer.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
4024	explorer.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
4024	explorer.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
4024	explorer.exe
4024	explorer.exe
4024	explorer.exe
4024	explorer.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4024	explorer.exe
1684	svchost.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2972	b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
2972	b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
2972	b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
4024	explorer.exe
4024	explorer.exe
4024	explorer.exe
4624	spoolsv.exe
4624	spoolsv.exe
4624	spoolsv.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
1080	spoolsv.exe
1080	spoolsv.exe
1080	spoolsv.exe
4024	explorer.exe
4024	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 4024	2972	b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe	84
PID 2972 wrote to memory of 4024	2972	b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe	84
PID 2972 wrote to memory of 4024	2972	b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe	84
PID 4024 wrote to memory of 4624	4024	explorer.exe	85
PID 4024 wrote to memory of 4624	4024	explorer.exe	85
PID 4024 wrote to memory of 4624	4024	explorer.exe	85
PID 4624 wrote to memory of 1684	4624	spoolsv.exe	88
PID 4624 wrote to memory of 1684	4624	spoolsv.exe	88
PID 4624 wrote to memory of 1684	4624	spoolsv.exe	88
PID 1684 wrote to memory of 1080	1684	svchost.exe	89
PID 1684 wrote to memory of 1080	1684	svchost.exe	89
PID 1684 wrote to memory of 1080	1684	svchost.exe	89
PID 1684 wrote to memory of 1872	1684	svchost.exe	91
PID 1684 wrote to memory of 1872	1684	svchost.exe	91
PID 1684 wrote to memory of 1872	1684	svchost.exe	91
PID 1684 wrote to memory of 2304	1684	svchost.exe	109
PID 1684 wrote to memory of 2304	1684	svchost.exe	109
PID 1684 wrote to memory of 2304	1684	svchost.exe	109
PID 1684 wrote to memory of 3504	1684	svchost.exe	112
PID 1684 wrote to memory of 3504	1684	svchost.exe	112
PID 1684 wrote to memory of 3504	1684	svchost.exe	112

C:\Users\Admin\AppData\Local\Temp\b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
"C:\Users\Admin\AppData\Local\Temp\b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4024
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1080
    - - C:\Windows\SysWOW64\at.exe
        
        at 02:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
    - - C:\Windows\SysWOW64\at.exe
        
        at 02:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
    - - C:\Windows\SysWOW64\at.exe
        
        at 02:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
1.4MB

MD5
f238b82aa092bb0f353c23234515092b

SHA1
0294931f380669353c7af3b6385a82be9e4cb321

SHA256
80229ba49bddc9392880d925d6428c5eaf5c4fd3d296d9674d96c7651b95ac59

SHA512
b686bad6751f13b53d4ab70b63891a087b5d76d80d4eed9298e7dc13beb8d290ece83023d9a1a65479d592318ec3fb4924bd1e572379b293c63f04ca3af61a4f

Download Submit
C:\Windows\System\explorer.exe

Filesize
1.4MB

MD5
77e003785e8e4745af380880aa10fcd5

SHA1
1edc9d29f296b58fbed042ac59f67d65a1b643e3

SHA256
02e5ee986a18d224d3cefa93573c67154d4ab91570adfc721b4efed57d505b4b

SHA512
2843b6a1d825a5d3f4c5b496f213421b62cd67069600772b7812409c2f299e6f37db8ee036352ac210a611f8e8a55dfe72ebfc8b98a8d94854a775a61b1c2acb

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.4MB

MD5
fb86ca49d2003753b28e30ff7635e79f

SHA1
714b7380a6cddca58d26c763795a1638faef3ebc

SHA256
8b579f66d2214a0f2072456793885f7a2177f9330326b3469bd5d852a7d5fde4

SHA512
0fb7181648c112b8e230b74592a85c2bedfb268e1f69e057e71aa8f2f0c9e7feac514be7ebb5035c21547525a16df612aeffda2c939ee7db76a94d3643a41997

Download Submit
C:\Windows\System\svchost.exe

Filesize
1.4MB

MD5
aa8aa97a1f076c4fe8f11fd39809c0e5

SHA1
bdaf4939b1cd42c3e1e9342059b4bb1113111d49

SHA256
478aebc3b17c6a2ab1aafcf8d252b686c361fea3680a22913456b50c74c04b5c

SHA512
6ce3d1e7903c2652914a7aab95db1e045890298672d8d0256a3b0caa07c07d7a989e9fec34d61a217c7e3f5c37633734338846e8fa34c3d999adb99cce47e7f3

Download Submit
memory/1080-40-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/1080-33-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/1684-69-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/1684-59-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/1684-30-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/1684-53-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/1684-47-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2972-44-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2972-2-0x0000000077723000-0x0000000077724000-memory.dmp

Filesize
4KB

Download
memory/2972-0-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2972-1-0x0000000077722000-0x0000000077723000-memory.dmp

Filesize
4KB

Download
memory/4024-46-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/4024-11-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/4024-54-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/4024-56-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/4024-60-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/4024-64-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/4024-68-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/4024-70-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/4624-43-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download