5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/08/2024, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627.exe
Size

206KB
MD5

a305277341951bd694f90b7663fcc150
SHA1

fdda95f6b8ac829d49b25042ea884ed527388af4
SHA256

5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627
SHA512

379131604af217f4ca58dc763c0a501ffa68bfcd8d9465734a73d28a1f5ac086d71cc57000594107f56c5969dbdc108875ba51c7ebf56b6f581fe021f43fc61b
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unN:zvEN2U+T6i5LirrllHy4HUcMQY6A

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2884	explorer.exe
2416	spoolsv.exe
3052	svchost.exe
2744	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1852	5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627.exe
1852	5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627.exe
2884	explorer.exe
2884	explorer.exe
2416	spoolsv.exe
2416	spoolsv.exe
3052	svchost.exe
3052	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1852	5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
3052	svchost.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe
2884	explorer.exe
3052	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2884	explorer.exe
3052	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1852	5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627.exe
1852	5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627.exe
2884	explorer.exe
2884	explorer.exe
2416	spoolsv.exe
2416	spoolsv.exe
3052	svchost.exe
3052	svchost.exe
2744	spoolsv.exe
2744	spoolsv.exe
2884	explorer.exe
2884	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2884	1852	5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627.exe	28
PID 1852 wrote to memory of 2884	1852	5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627.exe	28
PID 1852 wrote to memory of 2884	1852	5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627.exe	28
PID 1852 wrote to memory of 2884	1852	5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627.exe	28
PID 2884 wrote to memory of 2416	2884	explorer.exe	29
PID 2884 wrote to memory of 2416	2884	explorer.exe	29
PID 2884 wrote to memory of 2416	2884	explorer.exe	29
PID 2884 wrote to memory of 2416	2884	explorer.exe	29
PID 2416 wrote to memory of 3052	2416	spoolsv.exe	30
PID 2416 wrote to memory of 3052	2416	spoolsv.exe	30
PID 2416 wrote to memory of 3052	2416	spoolsv.exe	30
PID 2416 wrote to memory of 3052	2416	spoolsv.exe	30
PID 3052 wrote to memory of 2744	3052	svchost.exe	31
PID 3052 wrote to memory of 2744	3052	svchost.exe	31
PID 3052 wrote to memory of 2744	3052	svchost.exe	31
PID 3052 wrote to memory of 2744	3052	svchost.exe	31
PID 3052 wrote to memory of 2664	3052	svchost.exe	32
PID 3052 wrote to memory of 2664	3052	svchost.exe	32
PID 3052 wrote to memory of 2664	3052	svchost.exe	32
PID 3052 wrote to memory of 2664	3052	svchost.exe	32
PID 3052 wrote to memory of 1964	3052	svchost.exe	36
PID 3052 wrote to memory of 1964	3052	svchost.exe	36
PID 3052 wrote to memory of 1964	3052	svchost.exe	36
PID 3052 wrote to memory of 1964	3052	svchost.exe	36
PID 3052 wrote to memory of 2776	3052	svchost.exe	38
PID 3052 wrote to memory of 2776	3052	svchost.exe	38
PID 3052 wrote to memory of 2776	3052	svchost.exe	38
PID 3052 wrote to memory of 2776	3052	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627.exe
"C:\Users\Admin\AppData\Local\Temp\5db5387e4c24ae87ea0fd4a905d8eecde1a898f6aadd4cdb6b52cbb756088627.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2884
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2744
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
    - - C:\Windows\SysWOW64\at.exe
        
        at 23:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
9d0db4ca9ef5e1dac5bad8b8199905df

SHA1
cb121fe2024b0ea63966f585eb05ef368b33be18

SHA256
52cf1ef4caeb212ac17623528d020e3b95a886e9728e57cafae481d44a8bd000

SHA512
d876a4fc4fc68226b89cc7d8f98fbe559c6b269b9a25f1c06578432837b034a49690a413777d20634b39e730c4a5f89b22ce73016c8053dd68bd8036403d3dc9

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
f396affd008e60fdf6db820d80cdce9b

SHA1
3a5a8d0b5070c00b0fc81c54769177cea2163479

SHA256
4fd93acc8df10c6a9862b733be880a9a4d98b54c31376dfa829ba1a05059b859

SHA512
fc049caec178e6916e2f46169047f6c9c051c88cf89ca1985da5e0186935437ecdd6c7011b70e73ebfa870ea93a69a55cf8210e260946efff80857221ed09ba2

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
d6ef2f335d7a00aa4e494bb3eb78f420

SHA1
a8c0a3b9f6826c2bb0529e356ae9af84d63cdab0

SHA256
b930649bcba1eeace271e2483075c3243998394545e9ab51a7cd3e8c536c28f3

SHA512
738e3b98c82f6053810cbe1f095bbc52851245505101d036adeceaf7423911e6ac38646df00e69e470de60667eb4f1e01ce5fbdf8307cb9153898a710a7ccec6

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
23bd911df5158a753e5fb61a19b79cbe

SHA1
7d892d78b2dc0731530bd6d21b081e3973bfe643

SHA256
84a959eb7a5e910f9a8d00dc0dca22d4a1e54d0eab644d60e3dd4a3d9155b6b8

SHA512
e21a7df2bb7f4bad7e593f15a46c91461aa92e5d0b4befe2a886c222325ded90a0a9d30b3ce36101af9cbb7e8a752bf4d7614eece186ce5c1daceb7bff7cad56

Download Submit