b66eda3e674d9c21ab1f45081e849466ef8a442a0ee8ae65f024a6927f2bfb9f

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77a28497d2d01d9d25e324f83d1aed90N.exe
Size

206KB
MD5

77a28497d2d01d9d25e324f83d1aed90
SHA1

709763fc884f605b1d46fe3ca310ddc250a30617
SHA256

b66eda3e674d9c21ab1f45081e849466ef8a442a0ee8ae65f024a6927f2bfb9f
SHA512

bb125e23e04da83517a51708219ea866e201b7d3133c4c3a56c81d9a1e4efd754f02962f610a979284a64c15b13e8f33b7ff4caa868166d01ad9a560fe04f5cc
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unQvg:zvEN2U+T6i5LirrllHy4HUcMQY6Vg

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1080	explorer.exe
4940	spoolsv.exe
2008	svchost.exe
3732	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	77a28497d2d01d9d25e324f83d1aed90N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77a28497d2d01d9d25e324f83d1aed90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	77a28497d2d01d9d25e324f83d1aed90N.exe
2880	77a28497d2d01d9d25e324f83d1aed90N.exe
1080	explorer.exe
1080	explorer.exe
1080	explorer.exe
1080	explorer.exe
1080	explorer.exe
1080	explorer.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
2008	svchost.exe
1080	explorer.exe
1080	explorer.exe
2008	svchost.exe
2008	svchost.exe
1080	explorer.exe
1080	explorer.exe
2008	svchost.exe
2008	svchost.exe
1080	explorer.exe
1080	explorer.exe
2008	svchost.exe
2008	svchost.exe
1080	explorer.exe
1080	explorer.exe
2008	svchost.exe
2008	svchost.exe
1080	explorer.exe
1080	explorer.exe
2008	svchost.exe
2008	svchost.exe
1080	explorer.exe
1080	explorer.exe
2008	svchost.exe
2008	svchost.exe
1080	explorer.exe
1080	explorer.exe
2008	svchost.exe
2008	svchost.exe
1080	explorer.exe
1080	explorer.exe
2008	svchost.exe
2008	svchost.exe
1080	explorer.exe
1080	explorer.exe
2008	svchost.exe
2008	svchost.exe
1080	explorer.exe
1080	explorer.exe
2008	svchost.exe
2008	svchost.exe
1080	explorer.exe
1080	explorer.exe
2008	svchost.exe
2008	svchost.exe
1080	explorer.exe
1080	explorer.exe
2008	svchost.exe
2008	svchost.exe
1080	explorer.exe
1080	explorer.exe
2008	svchost.exe
2008	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1080	explorer.exe
2008	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2880	77a28497d2d01d9d25e324f83d1aed90N.exe
2880	77a28497d2d01d9d25e324f83d1aed90N.exe
1080	explorer.exe
1080	explorer.exe
4940	spoolsv.exe
4940	spoolsv.exe
2008	svchost.exe
2008	svchost.exe
3732	spoolsv.exe
3732	spoolsv.exe
1080	explorer.exe
1080	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 1080	2880	77a28497d2d01d9d25e324f83d1aed90N.exe	84
PID 2880 wrote to memory of 1080	2880	77a28497d2d01d9d25e324f83d1aed90N.exe	84
PID 2880 wrote to memory of 1080	2880	77a28497d2d01d9d25e324f83d1aed90N.exe	84
PID 1080 wrote to memory of 4940	1080	explorer.exe	85
PID 1080 wrote to memory of 4940	1080	explorer.exe	85
PID 1080 wrote to memory of 4940	1080	explorer.exe	85
PID 4940 wrote to memory of 2008	4940	spoolsv.exe	87
PID 4940 wrote to memory of 2008	4940	spoolsv.exe	87
PID 4940 wrote to memory of 2008	4940	spoolsv.exe	87
PID 2008 wrote to memory of 3732	2008	svchost.exe	88
PID 2008 wrote to memory of 3732	2008	svchost.exe	88
PID 2008 wrote to memory of 3732	2008	svchost.exe	88
PID 2008 wrote to memory of 3716	2008	svchost.exe	90
PID 2008 wrote to memory of 3716	2008	svchost.exe	90
PID 2008 wrote to memory of 3716	2008	svchost.exe	90
PID 2008 wrote to memory of 2184	2008	svchost.exe	95
PID 2008 wrote to memory of 2184	2008	svchost.exe	95
PID 2008 wrote to memory of 2184	2008	svchost.exe	95

C:\Users\Admin\AppData\Local\Temp\77a28497d2d01d9d25e324f83d1aed90N.exe
"C:\Users\Admin\AppData\Local\Temp\77a28497d2d01d9d25e324f83d1aed90N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1080
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3732
    - - C:\Windows\SysWOW64\at.exe
        
        at 07:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
    - - C:\Windows\SysWOW64\at.exe
        
        at 07:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
cfff4261d67e40ae74d83aaa0a96a8c6

SHA1
3f14d12528224fa7df17e74f68260b8c78aaa3b8

SHA256
ca6d7bb4a904700948a895586f4355e9556adcde99e67d1f43291790d58b7189

SHA512
cc11db24e662c6b43cffd9082df7c7893f0db1180bfd79f7c6bf76780933766efbdf5216ac43fda252070b23b9d6fd6b87ce1ea988bc6853286af3240fc7abc6

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
2d83eb7ea934f23b8bc7e5a3bc0f956a

SHA1
e0dbe0d77973239e8af08153cfcb3294a827bdbd

SHA256
c54e97df9b441d8bb28e08fc272c48123ce3829f6f9e8dac9d87d9066845444a

SHA512
672a3f65561d7c6f17cab06d74f83efdb5891112b284bd16330b29391b299328fde76566f05f2322fdc6e7691eef65cd8cf93baa41060a4158852353ac7d9ccd

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
ae4ce6b9181fb8010f5ac69416389442

SHA1
53f4f8d0e7690d4ef782974aeeeeffeee197de05

SHA256
f1426c58e80155b7bf8d71b1d76251cad774598b82588c11d50f39e679a6ef38

SHA512
bd80e3cb3836bda417a5da47f85602fb25ae7caaa3c55760899432c7bfcac8b80367c7c6588f4f3a6fb4f441a5120852526a5df8ee9994d8099b7d814a9992cb

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
797455082cb3cbc8b7fb4e0cad1db495

SHA1
fcfb94042b9304216f2b3c85c2fe1a18e75af64d

SHA256
3f0bd94c1a5edcf88d61f0ce7ef0da6930ab52638d8924889e64c80040e369b1

SHA512
3159b8c4d2cddc268cbbcc808f34616fa66bb1fbac778db255a490b845b7cf72c7dad1898f14b431ffce3f364283cbbdd329de1f87727d96111eb2e89e16cb09

Download Submit