a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
Size

211KB
MD5

e5dc0d2edb9217f61b178e4fb33c1e56
SHA1

b2c26b273efa8eef307e73b3ded8e28e1b4f388e
SHA256

a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c
SHA512

9f82a43d302cf35cfd1392bc8f3acdbae7b12d4506ecac1158324c77e5bdc334e1b151b8e3749990fa3f93aa8d4451066a21a552ac11e1ae6d6cffc91767faaf
SSDEEP

3072:bDpM9Nvih5c9DE1pvAPXIHLfMgw7ySBL8PEAjAfIbAYGPJz6sPJBINFZ1FqnC:b1iNKQxENHLfMgw7y9Zr/

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	swchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	swchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	userinit.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2852	userinit.exe
2700	spoolsw.exe
2704	swchost.exe
2572	spoolsw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	swchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\udsys.exe	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\userinit.exe	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
File opened for modification	\??\c:\windows\spoolsw.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	spoolsw.exe
File opened for modification	\??\c:\windows\userinit.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	swchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2972	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
2852	userinit.exe
2852	userinit.exe
2852	userinit.exe
2704	swchost.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe
2852	userinit.exe
2704	swchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2852	userinit.exe
2704	swchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2972	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
2972	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
2852	userinit.exe
2852	userinit.exe
2700	spoolsw.exe
2700	spoolsw.exe
2704	swchost.exe
2704	swchost.exe
2572	spoolsw.exe
2572	spoolsw.exe
2852	userinit.exe
2852	userinit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2852	2972	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe	32
PID 2972 wrote to memory of 2852	2972	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe	32
PID 2972 wrote to memory of 2852	2972	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe	32
PID 2972 wrote to memory of 2852	2972	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe	32
PID 2852 wrote to memory of 2700	2852	userinit.exe	33
PID 2852 wrote to memory of 2700	2852	userinit.exe	33
PID 2852 wrote to memory of 2700	2852	userinit.exe	33
PID 2852 wrote to memory of 2700	2852	userinit.exe	33
PID 2700 wrote to memory of 2704	2700	spoolsw.exe	34
PID 2700 wrote to memory of 2704	2700	spoolsw.exe	34
PID 2700 wrote to memory of 2704	2700	spoolsw.exe	34
PID 2700 wrote to memory of 2704	2700	spoolsw.exe	34
PID 2704 wrote to memory of 2572	2704	swchost.exe	35
PID 2704 wrote to memory of 2572	2704	swchost.exe	35
PID 2704 wrote to memory of 2572	2704	swchost.exe	35
PID 2704 wrote to memory of 2572	2704	swchost.exe	35

C:\Users\Admin\AppData\Local\Temp\a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
"C:\Users\Admin\AppData\Local\Temp\a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- \??\c:\windows\userinit.exe
  c:\windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2852
- - \??\c:\windows\spoolsw.exe
    c:\windows\spoolsw.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - \??\c:\windows\swchost.exe
      c:\windows\swchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2704
    - - \??\c:\windows\spoolsw.exe
        
        c:\windows\spoolsw.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mrsys.exe

Filesize
211KB

MD5
2db5b6a2b2881252594557c1f2cecc3a

SHA1
784cc457c7a93b673a66b7b198aaebc51a32f8dd

SHA256
b5ee0b2f2450d5f093874e1d5f0b06d1ed4e5c219e93833bd8b7ab35bb3d61fd

SHA512
94dbc37f2064ed9694053289f688ab6552acf69bc761d5ea95651a6f5ab96b7c5391b9fc4b9df61fec354cafda6efc047d25321dce669a4c04136439d740baa4

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
af11400a83e2a8650e2ff5be7434a287

SHA1
2c4969a988e8914ed95a841618d5e8cf0b4f4ded

SHA256
5a83488ddbb422de24fbb62d2f73f5d1ae971f51a582e31bd0e383b89393a39b

SHA512
6eccbb0f4bf5c05f5a07d8856ff3ba827f402957c22ebbc3e3ec1ae7f462dffec7b20fa149da5415f56c2e8750b805128f83b3027ae0583c41319b0df63a738a

Download Submit
C:\Windows\swchost.exe

Filesize
211KB

MD5
a85ad836447a3f8b768b0537844c047f

SHA1
c853c0df50ceea98a6f4860278e137c8507a4dde

SHA256
4753e672a4037152cf9e79d9d092ce4086a3889e24adcda9f6b2fdcf16dc9264

SHA512
f3ff93395e19443c5857144da52fc247d88ed09cb8c4f00c9982eb40b3e6bbfd39a321fa734dd1efcd4b32968b858c0c3d779dd4e7cad34af3994aaffa5b63b0

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
6437dcc0d2ed48e543f83446fd5a3fa1

SHA1
1e040da8dd2c6af0f56b9578d972707b6f38d2a7

SHA256
9d649bc2d40044425d545c19ddf952d52baf000711ea6c33223bf05d97a6814c

SHA512
11dba6b51b10e93b71f869bad5247a0188eac5905899db0b34c533c8769235d3d06dfd02d5418b2eab227cb2f6207d3174e7839f45e031d11e76e3299f1013ec

Download Submit