b15f06fa931041555e97169ea70f8550f9f228326bc8ee9b2ee36b000922bada

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7af6e87aae1bc84f65a5452f9c5f6270N.exe
Size

206KB
MD5

7af6e87aae1bc84f65a5452f9c5f6270
SHA1

b86d0813931e37be32baddcf1e8e059bf3264694
SHA256

b15f06fa931041555e97169ea70f8550f9f228326bc8ee9b2ee36b000922bada
SHA512

74f916ded191d9c6a3f72fa31eca39727007d134f3ea25a279fe89de206f72d0209e0bacaa62423b49975b80c1beb4236b1d99fc140713755d94fbb116763e76
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unS:5vEN2U+T6i5LirrllHy4HUcMQY6t

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2592	explorer.exe
2820	spoolsv.exe
2776	svchost.exe
2884	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2564	7af6e87aae1bc84f65a5452f9c5f6270N.exe
2564	7af6e87aae1bc84f65a5452f9c5f6270N.exe
2592	explorer.exe
2592	explorer.exe
2820	spoolsv.exe
2820	spoolsv.exe
2776	svchost.exe
2776	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	7af6e87aae1bc84f65a5452f9c5f6270N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7af6e87aae1bc84f65a5452f9c5f6270N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2564	7af6e87aae1bc84f65a5452f9c5f6270N.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2776	svchost.exe
2592	explorer.exe
2776	svchost.exe
2776	svchost.exe
2592	explorer.exe
2592	explorer.exe
2776	svchost.exe
2592	explorer.exe
2776	svchost.exe
2592	explorer.exe
2776	svchost.exe
2776	svchost.exe
2592	explorer.exe
2776	svchost.exe
2592	explorer.exe
2592	explorer.exe
2776	svchost.exe
2592	explorer.exe
2776	svchost.exe
2776	svchost.exe
2592	explorer.exe
2592	explorer.exe
2776	svchost.exe
2776	svchost.exe
2592	explorer.exe
2776	svchost.exe
2592	explorer.exe
2592	explorer.exe
2776	svchost.exe
2592	explorer.exe
2776	svchost.exe
2592	explorer.exe
2776	svchost.exe
2776	svchost.exe
2592	explorer.exe
2592	explorer.exe
2776	svchost.exe
2592	explorer.exe
2776	svchost.exe
2592	explorer.exe
2776	svchost.exe
2776	svchost.exe
2592	explorer.exe
2776	svchost.exe
2592	explorer.exe
2592	explorer.exe
2776	svchost.exe
2592	explorer.exe
2776	svchost.exe
2592	explorer.exe
2776	svchost.exe
2592	explorer.exe
2776	svchost.exe
2776	svchost.exe
2592	explorer.exe
2592	explorer.exe
2776	svchost.exe
2592	explorer.exe
2776	svchost.exe
2776	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2592	explorer.exe
2776	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2564	7af6e87aae1bc84f65a5452f9c5f6270N.exe
2564	7af6e87aae1bc84f65a5452f9c5f6270N.exe
2592	explorer.exe
2592	explorer.exe
2820	spoolsv.exe
2820	spoolsv.exe
2776	svchost.exe
2776	svchost.exe
2884	spoolsv.exe
2884	spoolsv.exe
2592	explorer.exe
2592	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2592	2564	7af6e87aae1bc84f65a5452f9c5f6270N.exe	29
PID 2564 wrote to memory of 2592	2564	7af6e87aae1bc84f65a5452f9c5f6270N.exe	29
PID 2564 wrote to memory of 2592	2564	7af6e87aae1bc84f65a5452f9c5f6270N.exe	29
PID 2564 wrote to memory of 2592	2564	7af6e87aae1bc84f65a5452f9c5f6270N.exe	29
PID 2592 wrote to memory of 2820	2592	explorer.exe	30
PID 2592 wrote to memory of 2820	2592	explorer.exe	30
PID 2592 wrote to memory of 2820	2592	explorer.exe	30
PID 2592 wrote to memory of 2820	2592	explorer.exe	30
PID 2820 wrote to memory of 2776	2820	spoolsv.exe	31
PID 2820 wrote to memory of 2776	2820	spoolsv.exe	31
PID 2820 wrote to memory of 2776	2820	spoolsv.exe	31
PID 2820 wrote to memory of 2776	2820	spoolsv.exe	31
PID 2776 wrote to memory of 2884	2776	svchost.exe	32
PID 2776 wrote to memory of 2884	2776	svchost.exe	32
PID 2776 wrote to memory of 2884	2776	svchost.exe	32
PID 2776 wrote to memory of 2884	2776	svchost.exe	32
PID 2776 wrote to memory of 2112	2776	svchost.exe	33
PID 2776 wrote to memory of 2112	2776	svchost.exe	33
PID 2776 wrote to memory of 2112	2776	svchost.exe	33
PID 2776 wrote to memory of 2112	2776	svchost.exe	33
PID 2776 wrote to memory of 1984	2776	svchost.exe	35
PID 2776 wrote to memory of 1984	2776	svchost.exe	35
PID 2776 wrote to memory of 1984	2776	svchost.exe	35
PID 2776 wrote to memory of 1984	2776	svchost.exe	35

C:\Users\Admin\AppData\Local\Temp\7af6e87aae1bc84f65a5452f9c5f6270N.exe
"C:\Users\Admin\AppData\Local\Temp\7af6e87aae1bc84f65a5452f9c5f6270N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2592
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2884
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
2baed57dfe6ce1e9af4c4d16f14e77b9

SHA1
54c637e6a3de137dcb1443221a4e1b0669ce0973

SHA256
4103e953fc9237cdd7a603cb9ef6abebbfbd04c43c1d86f60799ce3f37e86d0f

SHA512
bef43567c5d7b13445ffaf2a96d58aec549fd88a22faf51e41f719d091adacf1aa8edc7e69de62b589ec0f155441796ac4057526fc62ed768eda6d4c3b4cb200

Download Submit
C:\Windows\system\svchost.exe

Filesize
206KB

MD5
4f8c85e897de63af76341592e766bbb1

SHA1
188547855752906030cf0a8e70c564049469e4eb

SHA256
859e475046f537778a68dc3b82c2fe7d33ca8a5d52982f2c656f25a139503205

SHA512
90bbcfa8eb129fdccf0b5cae6ef3124ac87de1acb2651b86bf9e7b576f76fc3bd732093183e6589eb1deabc11ec29b943c76143caa73f8349fd2860703ce7976

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
f816b8e4d62597d09665f5e488488f7f

SHA1
6fa3f801db3ae1c12c9ce497073ba20ea03ddf0a

SHA256
b1537f3eedfb0fb2385e558df8583fa652a87fbd4be820115c0acc3d9716bbe6

SHA512
f5aee3ea3db6931c5e2d888a7f95cb47b57b3f59f388ab4539f994a787c901ca6e3aa017b43135ab1465cea2815500616c3a4475ee5fc9fef56f3c852f931be4

Download Submit
\Windows\system\spoolsv.exe

Filesize
207KB

MD5
f422ba8e2679637837e66d1cb59a95ac

SHA1
34b6d08d5da5ddffbab12cf26c8fa0ab22525e23

SHA256
c97219cef3af7a1dbd5c71daa5aaea676dbdbbb3786b5e3cde387ab0d31fe450

SHA512
9ded71c1e1445c1e2d762828319be0fbf1aaa0acef91334c13e0561df57fa84e850f80230b06f06baae895e77bdf0bd2151da8426ac6a02b605a9923e8ea4dbd

Download Submit
memory/2564-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-13-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/2564-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2776-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-50-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download