20da107131fe29bfe7f610ff65d463c5f09c1f868982892f21b1bf800cf843b0

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

916df5e9c463468ed689c6ed96c7c0f0N.exe
Size

71KB
MD5

916df5e9c463468ed689c6ed96c7c0f0
SHA1

971a0aad4d6393196d4534e879fa60e6b46e847c
SHA256

20da107131fe29bfe7f610ff65d463c5f09c1f868982892f21b1bf800cf843b0
SHA512

6b2757760a4aa5fe3adeb6aa8b94e3c737bbd7a1526860c998c3dd477a2917c4a80934202963dcf444562b708039a658985d8cb22a8a19977cc78e4a27cdbb13
SSDEEP

768:EXKeT2Si83nLt8tkGX8uxOHgRrW5YLKG9Y/HrSNm0kmG7xMsVAnc3yy85SBiLFMb:EFrmh0HgB3LKrL9AcnQFMc9zwR6i+BW

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
4492	explorer.exe
4880	spoolsv.exe
3048	svchost.exe
1692	spoolsv.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5016-0-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/files/0x0008000000023588-7.dat	upx
behavioral2/files/0x000800000002358a-13.dat	upx
behavioral2/files/0x000800000002358c-23.dat	upx
behavioral2/memory/1692-29-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/1692-33-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/files/0x000900000002358b-37.dat	upx
behavioral2/memory/4880-38-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/5016-40-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/4492-41-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/3048-42-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/4492-51-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	916df5e9c463468ed689c6ed96c7c0f0N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	916df5e9c463468ed689c6ed96c7c0f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5016	916df5e9c463468ed689c6ed96c7c0f0N.exe
5016	916df5e9c463468ed689c6ed96c7c0f0N.exe
4492	explorer.exe
4492	explorer.exe
4492	explorer.exe
4492	explorer.exe
4492	explorer.exe
4492	explorer.exe
3048	svchost.exe
3048	svchost.exe
3048	svchost.exe
3048	svchost.exe
4492	explorer.exe
4492	explorer.exe
3048	svchost.exe
3048	svchost.exe
4492	explorer.exe
4492	explorer.exe
3048	svchost.exe
3048	svchost.exe
4492	explorer.exe
4492	explorer.exe
3048	svchost.exe
3048	svchost.exe
4492	explorer.exe
4492	explorer.exe
3048	svchost.exe
3048	svchost.exe
4492	explorer.exe
4492	explorer.exe
3048	svchost.exe
3048	svchost.exe
4492	explorer.exe
3048	svchost.exe
4492	explorer.exe
3048	svchost.exe
4492	explorer.exe
4492	explorer.exe
3048	svchost.exe
3048	svchost.exe
4492	explorer.exe
4492	explorer.exe
3048	svchost.exe
3048	svchost.exe
4492	explorer.exe
4492	explorer.exe
3048	svchost.exe
3048	svchost.exe
4492	explorer.exe
4492	explorer.exe
3048	svchost.exe
3048	svchost.exe
4492	explorer.exe
4492	explorer.exe
3048	svchost.exe
3048	svchost.exe
4492	explorer.exe
4492	explorer.exe
3048	svchost.exe
3048	svchost.exe
4492	explorer.exe
4492	explorer.exe
3048	svchost.exe
3048	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4492	explorer.exe
3048	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
5016	916df5e9c463468ed689c6ed96c7c0f0N.exe
5016	916df5e9c463468ed689c6ed96c7c0f0N.exe
4492	explorer.exe
4492	explorer.exe
4880	spoolsv.exe
4880	spoolsv.exe
3048	svchost.exe
3048	svchost.exe
1692	spoolsv.exe
1692	spoolsv.exe
4492	explorer.exe
4492	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4492	5016	916df5e9c463468ed689c6ed96c7c0f0N.exe	92
PID 5016 wrote to memory of 4492	5016	916df5e9c463468ed689c6ed96c7c0f0N.exe	92
PID 5016 wrote to memory of 4492	5016	916df5e9c463468ed689c6ed96c7c0f0N.exe	92
PID 4492 wrote to memory of 4880	4492	explorer.exe	94
PID 4492 wrote to memory of 4880	4492	explorer.exe	94
PID 4492 wrote to memory of 4880	4492	explorer.exe	94
PID 4880 wrote to memory of 3048	4880	spoolsv.exe	95
PID 4880 wrote to memory of 3048	4880	spoolsv.exe	95
PID 4880 wrote to memory of 3048	4880	spoolsv.exe	95
PID 3048 wrote to memory of 1692	3048	svchost.exe	96
PID 3048 wrote to memory of 1692	3048	svchost.exe	96
PID 3048 wrote to memory of 1692	3048	svchost.exe	96
PID 3048 wrote to memory of 3568	3048	svchost.exe	98
PID 3048 wrote to memory of 3568	3048	svchost.exe	98
PID 3048 wrote to memory of 3568	3048	svchost.exe	98
PID 3048 wrote to memory of 1764	3048	svchost.exe	117
PID 3048 wrote to memory of 1764	3048	svchost.exe	117
PID 3048 wrote to memory of 1764	3048	svchost.exe	117

C:\Users\Admin\AppData\Local\Temp\916df5e9c463468ed689c6ed96c7c0f0N.exe
"C:\Users\Admin\AppData\Local\Temp\916df5e9c463468ed689c6ed96c7c0f0N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4492
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1692
    - - C:\Windows\SysWOW64\at.exe
        
        at 12:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
    - - C:\Windows\SysWOW64\at.exe
        
        at 12:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4628,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=3692 /prefetch:8
1⤵
PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
71KB

MD5
93cf10ddc7d5437e72dbfc161231d195

SHA1
b31a997a7dcc40811c660e615bd230049e9355f4

SHA256
2d0b4a09ed501d51815424351ea24b116379aef1124d9b0e526d73bb40a89175

SHA512
fff42845ff4e9535611518c0e0a718b941336fbd8696064fff4b4c79fbe5b5e91c15d212599ce751f1d5d72d682fd90a589703279c9a574b1244eab8c4027737

Download Submit
C:\Windows\System\explorer.exe

Filesize
71KB

MD5
31374ea75f2a22c188699cdcb69bd906

SHA1
27e8e576c7b18671cd9e8b156822c4a31c31be3e

SHA256
ad5fb6d4bf4b3df3e0420de0bb2d4418b358aebfc4a6469675cb92e6cff6ad88

SHA512
3ba575ad3c9e9ea1776adc728270382ca99ee64e4b38cf623e258a8012eada1f34ac7f7f4c98eeddb49a4cc9d0865fe9dedc5ae9a15dd1726818516355c8f94b

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
71KB

MD5
b366bbec519709546913db51fab06d14

SHA1
7436e7ab6c0dcd3e96cf1493d051346eaa66a85e

SHA256
ee032be16c353a365009cac358bbcdf7a8ad57c0b6693d04c2a5734fd0ee8633

SHA512
0640f000426b6b1f7bbe76e35332cb3faf429126c3e4731d7e4cfd0579812e080bef2b6ef056bc6a371ca9ddc01665cddeccf241eb3b90b639c5505d3a36f8f2

Download Submit
C:\Windows\System\svchost.exe

Filesize
71KB

MD5
19a6be7dfd91dde8ca8c13587153b7a0

SHA1
bddb896b4d9eba4e1ce9228932982a3dfde402cc

SHA256
ec8805a64cbe6cbac0e24aedfbeae36c85c8e7cb5dd5bdb39fb5e804aab87b66

SHA512
d482fd4f7f5f50ab6eb845d8a839ce950935ccb26d15572ce7eada2b156e7bb0eebb77f31cac62e14e745245a5e835cf9dfa694fd0c8f6f77a6e78b51532a3fa

Download Submit
memory/1692-29-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1692-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-42-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-51-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4880-38-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5016-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5016-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download