b15f06fa931041555e97169ea70f8550f9f228326bc8ee9b2ee36b000922bada

Analysis

max time kernel
120s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7af6e87aae1bc84f65a5452f9c5f6270N.exe
Size

206KB
MD5

7af6e87aae1bc84f65a5452f9c5f6270
SHA1

b86d0813931e37be32baddcf1e8e059bf3264694
SHA256

b15f06fa931041555e97169ea70f8550f9f228326bc8ee9b2ee36b000922bada
SHA512

74f916ded191d9c6a3f72fa31eca39727007d134f3ea25a279fe89de206f72d0209e0bacaa62423b49975b80c1beb4236b1d99fc140713755d94fbb116763e76
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unS:5vEN2U+T6i5LirrllHy4HUcMQY6t

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
4612	explorer.exe
2688	spoolsv.exe
3452	svchost.exe
3752	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	7af6e87aae1bc84f65a5452f9c5f6270N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7af6e87aae1bc84f65a5452f9c5f6270N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1836	7af6e87aae1bc84f65a5452f9c5f6270N.exe
1836	7af6e87aae1bc84f65a5452f9c5f6270N.exe
4612	explorer.exe
4612	explorer.exe
4612	explorer.exe
4612	explorer.exe
4612	explorer.exe
4612	explorer.exe
3452	svchost.exe
3452	svchost.exe
3452	svchost.exe
3452	svchost.exe
4612	explorer.exe
3452	svchost.exe
4612	explorer.exe
3452	svchost.exe
3452	svchost.exe
4612	explorer.exe
4612	explorer.exe
3452	svchost.exe
4612	explorer.exe
3452	svchost.exe
4612	explorer.exe
3452	svchost.exe
3452	svchost.exe
4612	explorer.exe
4612	explorer.exe
3452	svchost.exe
4612	explorer.exe
3452	svchost.exe
4612	explorer.exe
3452	svchost.exe
4612	explorer.exe
3452	svchost.exe
4612	explorer.exe
3452	svchost.exe
3452	svchost.exe
4612	explorer.exe
3452	svchost.exe
4612	explorer.exe
4612	explorer.exe
4612	explorer.exe
3452	svchost.exe
3452	svchost.exe
4612	explorer.exe
3452	svchost.exe
4612	explorer.exe
3452	svchost.exe
4612	explorer.exe
3452	svchost.exe
4612	explorer.exe
3452	svchost.exe
3452	svchost.exe
4612	explorer.exe
4612	explorer.exe
3452	svchost.exe
4612	explorer.exe
4612	explorer.exe
3452	svchost.exe
3452	svchost.exe
4612	explorer.exe
3452	svchost.exe
4612	explorer.exe
3452	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4612	explorer.exe
3452	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1836	7af6e87aae1bc84f65a5452f9c5f6270N.exe
1836	7af6e87aae1bc84f65a5452f9c5f6270N.exe
4612	explorer.exe
4612	explorer.exe
2688	spoolsv.exe
2688	spoolsv.exe
3452	svchost.exe
3452	svchost.exe
3752	spoolsv.exe
3752	spoolsv.exe
4612	explorer.exe
4612	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 4612	1836	7af6e87aae1bc84f65a5452f9c5f6270N.exe	84
PID 1836 wrote to memory of 4612	1836	7af6e87aae1bc84f65a5452f9c5f6270N.exe	84
PID 1836 wrote to memory of 4612	1836	7af6e87aae1bc84f65a5452f9c5f6270N.exe	84
PID 4612 wrote to memory of 2688	4612	explorer.exe	85
PID 4612 wrote to memory of 2688	4612	explorer.exe	85
PID 4612 wrote to memory of 2688	4612	explorer.exe	85
PID 2688 wrote to memory of 3452	2688	spoolsv.exe	86
PID 2688 wrote to memory of 3452	2688	spoolsv.exe	86
PID 2688 wrote to memory of 3452	2688	spoolsv.exe	86
PID 3452 wrote to memory of 3752	3452	svchost.exe	87
PID 3452 wrote to memory of 3752	3452	svchost.exe	87
PID 3452 wrote to memory of 3752	3452	svchost.exe	87
PID 3452 wrote to memory of 1320	3452	svchost.exe	88
PID 3452 wrote to memory of 1320	3452	svchost.exe	88
PID 3452 wrote to memory of 1320	3452	svchost.exe	88
PID 3452 wrote to memory of 4984	3452	svchost.exe	104
PID 3452 wrote to memory of 4984	3452	svchost.exe	104
PID 3452 wrote to memory of 4984	3452	svchost.exe	104

C:\Users\Admin\AppData\Local\Temp\7af6e87aae1bc84f65a5452f9c5f6270N.exe
"C:\Users\Admin\AppData\Local\Temp\7af6e87aae1bc84f65a5452f9c5f6270N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4612
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3752
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1320
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
d146409f819baeb8410fe16db937c2af

SHA1
a1b6aa8f223d74bcb382b684f549b5f4c11e3028

SHA256
cf9940bdf1cbe79f9fc0ab17082948248da0f7c6b31f0942fb40564997252acf

SHA512
b84a85ea30201ddec761185f3804e58a198a6f51e4e54aba11638d9b2e8767b86de0e377294b054157d9b9722913cfa1a5e1f9c84c44d1d9da1cf1f248eea040

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
147bc225604cdde87f901568f5ace5ee

SHA1
002d4d78eecfdb99eb9cae71214d1d847f5b913e

SHA256
e904c0930278dd3efcdbf5b40ab3ded934d50fe07be1aa75967a5cf788ed0f3b

SHA512
c2255b73cb1424249ebaa73c437be8932ff4350e816bfe9850e1a36e20f5f25ce14ae3f34800b04a30fe0f25427237857b0ff45ab00723071415a1f9e1765d05

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
446ea341965a712bf5a5b5fdce2cc6fa

SHA1
815ff8203c34a892cf6969e0795c69905def53b9

SHA256
25b3c1e94baa023abfdbdccdf7dc2b701f81fd9e8d8dfd6bc0d55771234ce909

SHA512
c89f4402ed4190ddfdfad3758e66d3ac14b0b923d1db13b59b5bcd2d17b5895f9d65a8ad3309843051743d43c76d33393127796b5e44a63de7c2d993e7bdc1a7

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
0678084ea905cffc83749066b97f45b7

SHA1
e7868ada27c4f05ceafa49649008cddbbcf41647

SHA256
3a297c45ce807c1ee1bd0cfc04faba76e54034bbf33f42c724e1452fe9fd69ac

SHA512
3976ba33ce2f36353f0b948b329b4e78b37ba58a54f9ac45906c5052e2c4861852453c9afafaf22b01a861661776d2410d68baa4729a1aa46bd67a601db79593

Download Submit
memory/1836-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2688-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3452-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3752-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4612-38-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download