b66eda3e674d9c21ab1f45081e849466ef8a442a0ee8ae65f024a6927f2bfb9f

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77a28497d2d01d9d25e324f83d1aed90N.exe
Size

206KB
MD5

77a28497d2d01d9d25e324f83d1aed90
SHA1

709763fc884f605b1d46fe3ca310ddc250a30617
SHA256

b66eda3e674d9c21ab1f45081e849466ef8a442a0ee8ae65f024a6927f2bfb9f
SHA512

bb125e23e04da83517a51708219ea866e201b7d3133c4c3a56c81d9a1e4efd754f02962f610a979284a64c15b13e8f33b7ff4caa868166d01ad9a560fe04f5cc
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unQvg:zvEN2U+T6i5LirrllHy4HUcMQY6Vg

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2732	explorer.exe
2752	spoolsv.exe
2800	svchost.exe
2684	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1820	77a28497d2d01d9d25e324f83d1aed90N.exe
1820	77a28497d2d01d9d25e324f83d1aed90N.exe
2732	explorer.exe
2732	explorer.exe
2752	spoolsv.exe
2752	spoolsv.exe
2800	svchost.exe
2800	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	77a28497d2d01d9d25e324f83d1aed90N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77a28497d2d01d9d25e324f83d1aed90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1820	77a28497d2d01d9d25e324f83d1aed90N.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2800	svchost.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe
2732	explorer.exe
2800	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2732	explorer.exe
2800	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1820	77a28497d2d01d9d25e324f83d1aed90N.exe
1820	77a28497d2d01d9d25e324f83d1aed90N.exe
2732	explorer.exe
2732	explorer.exe
2752	spoolsv.exe
2752	spoolsv.exe
2800	svchost.exe
2800	svchost.exe
2684	spoolsv.exe
2684	spoolsv.exe
2732	explorer.exe
2732	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2732	1820	77a28497d2d01d9d25e324f83d1aed90N.exe	29
PID 1820 wrote to memory of 2732	1820	77a28497d2d01d9d25e324f83d1aed90N.exe	29
PID 1820 wrote to memory of 2732	1820	77a28497d2d01d9d25e324f83d1aed90N.exe	29
PID 1820 wrote to memory of 2732	1820	77a28497d2d01d9d25e324f83d1aed90N.exe	29
PID 2732 wrote to memory of 2752	2732	explorer.exe	30
PID 2732 wrote to memory of 2752	2732	explorer.exe	30
PID 2732 wrote to memory of 2752	2732	explorer.exe	30
PID 2732 wrote to memory of 2752	2732	explorer.exe	30
PID 2752 wrote to memory of 2800	2752	spoolsv.exe	31
PID 2752 wrote to memory of 2800	2752	spoolsv.exe	31
PID 2752 wrote to memory of 2800	2752	spoolsv.exe	31
PID 2752 wrote to memory of 2800	2752	spoolsv.exe	31
PID 2800 wrote to memory of 2684	2800	svchost.exe	32
PID 2800 wrote to memory of 2684	2800	svchost.exe	32
PID 2800 wrote to memory of 2684	2800	svchost.exe	32
PID 2800 wrote to memory of 2684	2800	svchost.exe	32
PID 2800 wrote to memory of 2924	2800	svchost.exe	33
PID 2800 wrote to memory of 2924	2800	svchost.exe	33
PID 2800 wrote to memory of 2924	2800	svchost.exe	33
PID 2800 wrote to memory of 2924	2800	svchost.exe	33
PID 2800 wrote to memory of 3068	2800	svchost.exe	35
PID 2800 wrote to memory of 3068	2800	svchost.exe	35
PID 2800 wrote to memory of 3068	2800	svchost.exe	35
PID 2800 wrote to memory of 3068	2800	svchost.exe	35

C:\Users\Admin\AppData\Local\Temp\77a28497d2d01d9d25e324f83d1aed90N.exe
"C:\Users\Admin\AppData\Local\Temp\77a28497d2d01d9d25e324f83d1aed90N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2732
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
    - - C:\Windows\SysWOW64\at.exe
        
        at 07:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
    - - C:\Windows\SysWOW64\at.exe
        
        at 07:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
04aa50d21ea7508468ee4db4d839d5f9

SHA1
c682f2cf9b2500c9f83bee28307debbfb5fc6815

SHA256
fe6eab90ec9d9b064d4cee1f96190b83ddd4862cf1d00401b1fdbaa54af60139

SHA512
284e9410e5fe21e945125e09feaf9cbfefa09947e8c9a3d6b280a56e9a4a96c22394942aaf3725b66351e705aab77a39c10de597d9f5b61b89b2fcdf584f7d9e

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
d383adcbf06e005bef96daa101fe95d4

SHA1
d609b9711788db176be71a96d339b83f56781a77

SHA256
7dfe8a786c78a7dc244925d52085e0b1e060f65dc535353952f7b31ec9cac440

SHA512
2a4974c3c44f1fbdabad949a8f597a0392d2a5feeebce14efc9a8dd8f5ec67621e59b6a6a29c0e9ce48d9524d9c98ef855cf6eb2eac1cae49f43cf0df1693277

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
74e84948aa028cb7fd7b547e7f13df36

SHA1
dbca2583801b09ee48696a5f3e0b4c7fdb18a56e

SHA256
64817fb7c4c2f9799733a2e88bc9163a45b608a6f46da6677c2ea1b1332d7e5e

SHA512
9ee17f13a1534b475bec5de9bdafa6e90ea9466e701d6296a2be481067f1ca82f42c9856a7ad2b144c26ffade156652bf573a66c460898f14fba97cb90d64245

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
96697b05a27f1a5e4e0c0be847bc7b62

SHA1
685c716d2b438706238a01e2e43500a8c9c9c035

SHA256
d05bb507af11cecf9f9a7f7033c147155059fab82eca8223ffb2867665833e1b

SHA512
839a2607ea1dbc3a2668b26d2c1c80611dd12777ca8f661f2da4b1013a8a9edd723674f4f08f6b72070578f228f39338ac52ce259e2e511261bf30080e0139c3

Download Submit