a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
Size

211KB
MD5

e5dc0d2edb9217f61b178e4fb33c1e56
SHA1

b2c26b273efa8eef307e73b3ded8e28e1b4f388e
SHA256

a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c
SHA512

9f82a43d302cf35cfd1392bc8f3acdbae7b12d4506ecac1158324c77e5bdc334e1b151b8e3749990fa3f93aa8d4451066a21a552ac11e1ae6d6cffc91767faaf
SSDEEP

3072:bDpM9Nvih5c9DE1pvAPXIHLfMgw7ySBL8PEAjAfIbAYGPJz6sPJBINFZ1FqnC:b1iNKQxENHLfMgw7y9Zr/

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	swchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	swchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	userinit.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4524	userinit.exe
2120	spoolsw.exe
2180	swchost.exe
4064	spoolsw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	swchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\udsys.exe	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\userinit.exe	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
File opened for modification	\??\c:\windows\spoolsw.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	spoolsw.exe
File opened for modification	\??\c:\windows\userinit.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	swchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4948	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
4948	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
4524	userinit.exe
4524	userinit.exe
4524	userinit.exe
4524	userinit.exe
4524	userinit.exe
4524	userinit.exe
2180	swchost.exe
2180	swchost.exe
2180	swchost.exe
2180	swchost.exe
4524	userinit.exe
4524	userinit.exe
2180	swchost.exe
2180	swchost.exe
4524	userinit.exe
4524	userinit.exe
2180	swchost.exe
2180	swchost.exe
4524	userinit.exe
4524	userinit.exe
2180	swchost.exe
2180	swchost.exe
4524	userinit.exe
4524	userinit.exe
2180	swchost.exe
2180	swchost.exe
4524	userinit.exe
4524	userinit.exe
2180	swchost.exe
2180	swchost.exe
4524	userinit.exe
4524	userinit.exe
2180	swchost.exe
2180	swchost.exe
4524	userinit.exe
4524	userinit.exe
2180	swchost.exe
2180	swchost.exe
4524	userinit.exe
4524	userinit.exe
2180	swchost.exe
2180	swchost.exe
4524	userinit.exe
4524	userinit.exe
2180	swchost.exe
2180	swchost.exe
4524	userinit.exe
4524	userinit.exe
2180	swchost.exe
2180	swchost.exe
4524	userinit.exe
4524	userinit.exe
2180	swchost.exe
2180	swchost.exe
4524	userinit.exe
4524	userinit.exe
2180	swchost.exe
2180	swchost.exe
4524	userinit.exe
4524	userinit.exe
2180	swchost.exe
2180	swchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4524	userinit.exe
2180	swchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4948	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
4948	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
4524	userinit.exe
4524	userinit.exe
2120	spoolsw.exe
2120	spoolsw.exe
2180	swchost.exe
2180	swchost.exe
4064	spoolsw.exe
4064	spoolsw.exe
4524	userinit.exe
4524	userinit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4524	4948	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe	87
PID 4948 wrote to memory of 4524	4948	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe	87
PID 4948 wrote to memory of 4524	4948	a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe	87
PID 4524 wrote to memory of 2120	4524	userinit.exe	89
PID 4524 wrote to memory of 2120	4524	userinit.exe	89
PID 4524 wrote to memory of 2120	4524	userinit.exe	89
PID 2120 wrote to memory of 2180	2120	spoolsw.exe	90
PID 2120 wrote to memory of 2180	2120	spoolsw.exe	90
PID 2120 wrote to memory of 2180	2120	spoolsw.exe	90
PID 2180 wrote to memory of 4064	2180	swchost.exe	91
PID 2180 wrote to memory of 4064	2180	swchost.exe	91
PID 2180 wrote to memory of 4064	2180	swchost.exe	91

C:\Users\Admin\AppData\Local\Temp\a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
"C:\Users\Admin\AppData\Local\Temp\a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4948
- \??\c:\windows\userinit.exe
  c:\windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4524
- - \??\c:\windows\spoolsw.exe
    c:\windows\spoolsw.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - \??\c:\windows\swchost.exe
      c:\windows\swchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2180
    - - \??\c:\windows\spoolsw.exe
        
        c:\windows\spoolsw.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mrsys.exe

Filesize
211KB

MD5
8889e96c0b48b5bb0bb7700f71e7e1d6

SHA1
e73b9db0a96248ae3a9df612f403ed6583a8a462

SHA256
c105403f143d885f51824a90041f27d863066f8f332cc1b93a5786870af1bd83

SHA512
4906b9f75fb17633d29a650c9bb1d5dc0d8ae2682c11843af7fa1331543a1f343989941144c2d8ddb287c88c1db20229f53aeb02e6938efb0ab5dc2c3e31fedd

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
cc637169fa787e73c6749f5de76a8c5e

SHA1
13ce00f1ff9b22777150e74365463656c246a422

SHA256
cb3da288a7e5674a332a5635f6b35a97abb4534ed9187f061e69ca2b36702b0b

SHA512
0e9686b23a0b5236be9f72f80de5d87fd5bc2e2271e07b24a6379a413b971f4b26b549764a4c647a9f3ab4e952eef8ea9c0b2c4556895cfa9b84d5093b59c4ef

Download Submit
C:\Windows\swchost.exe

Filesize
211KB

MD5
ab598f21ffd5378a226e3bdfb042ed6b

SHA1
759dee52399f47abeacf50c5beb6b84484fbc62e

SHA256
8fc0e7cafa560da95915d4b3760a6bf198a47df1bd3681122c1492fc626ccb75

SHA512
f066ac602ce845fcfe3c7e47b34c5d1b2b7ba5dd8d95b9e70abc13c39c56d85f33a7291947f0fbe29236a78e5ad1ef7f06cf6156905ef916ddb673af71539827

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
cd2df10cf30e39eaa424c91422bd0281

SHA1
7f8a3b67de23b90b86bc54ba32082a38dc336a93

SHA256
b772058dbf0d290666258ef7a85d5a2707e235f9c82c7604cbe6163dbcc0e519

SHA512
8a8a1964243749bdfbf6bc637b35343709e181140bcc3527981f146b6c00afe00aa3c3cdfe5932a23dbca075ab1d5790bc1f813c383195c61dd4a12c356e1877

Download Submit