396d291c1bb63139881672d6c17312d902232cd4b3e1a4d1fe0be35a582ed006

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 20:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

396d291c1bb63139881672d6c17312d902232cd4b3e1a4d1fe0be35a582ed006.exe
Size

206KB
MD5

0a4f5b0d9b6a7517772ee7814937a51c
SHA1

bc67dad5b0f137abc94d7acbb3567bb5a3af4f73
SHA256

396d291c1bb63139881672d6c17312d902232cd4b3e1a4d1fe0be35a582ed006
SHA512

585b15c83d398b04b0160aeddbf9e76414f16dd85de726d6ac617e7a0a83ae53420ed7b1e1a5cd3bf8626d01e8505aa8594e788f42850a9a1f9c86a75965bb3d
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unu:5vEN2U+T6i5LirrllHy4HUcMQY6p

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4424	explorer.exe
1208	spoolsv.exe
4588	svchost.exe
4744	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	396d291c1bb63139881672d6c17312d902232cd4b3e1a4d1fe0be35a582ed006.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	396d291c1bb63139881672d6c17312d902232cd4b3e1a4d1fe0be35a582ed006.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	396d291c1bb63139881672d6c17312d902232cd4b3e1a4d1fe0be35a582ed006.exe
2880	396d291c1bb63139881672d6c17312d902232cd4b3e1a4d1fe0be35a582ed006.exe
4424	explorer.exe
4424	explorer.exe
4424	explorer.exe
4424	explorer.exe
4424	explorer.exe
4424	explorer.exe
4588	svchost.exe
4588	svchost.exe
4588	svchost.exe
4588	svchost.exe
4424	explorer.exe
4424	explorer.exe
4588	svchost.exe
4588	svchost.exe
4424	explorer.exe
4424	explorer.exe
4588	svchost.exe
4588	svchost.exe
4424	explorer.exe
4424	explorer.exe
4588	svchost.exe
4588	svchost.exe
4424	explorer.exe
4424	explorer.exe
4588	svchost.exe
4588	svchost.exe
4424	explorer.exe
4424	explorer.exe
4588	svchost.exe
4588	svchost.exe
4424	explorer.exe
4424	explorer.exe
4588	svchost.exe
4588	svchost.exe
4424	explorer.exe
4424	explorer.exe
4588	svchost.exe
4588	svchost.exe
4424	explorer.exe
4424	explorer.exe
4588	svchost.exe
4588	svchost.exe
4424	explorer.exe
4424	explorer.exe
4588	svchost.exe
4588	svchost.exe
4424	explorer.exe
4424	explorer.exe
4588	svchost.exe
4588	svchost.exe
4424	explorer.exe
4424	explorer.exe
4588	svchost.exe
4588	svchost.exe
4424	explorer.exe
4424	explorer.exe
4588	svchost.exe
4588	svchost.exe
4424	explorer.exe
4424	explorer.exe
4588	svchost.exe
4588	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4424	explorer.exe
4588	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2880	396d291c1bb63139881672d6c17312d902232cd4b3e1a4d1fe0be35a582ed006.exe
2880	396d291c1bb63139881672d6c17312d902232cd4b3e1a4d1fe0be35a582ed006.exe
4424	explorer.exe
4424	explorer.exe
1208	spoolsv.exe
1208	spoolsv.exe
4588	svchost.exe
4588	svchost.exe
4744	spoolsv.exe
4744	spoolsv.exe
4424	explorer.exe
4424	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 4424	2880	396d291c1bb63139881672d6c17312d902232cd4b3e1a4d1fe0be35a582ed006.exe	85
PID 2880 wrote to memory of 4424	2880	396d291c1bb63139881672d6c17312d902232cd4b3e1a4d1fe0be35a582ed006.exe	85
PID 2880 wrote to memory of 4424	2880	396d291c1bb63139881672d6c17312d902232cd4b3e1a4d1fe0be35a582ed006.exe	85
PID 4424 wrote to memory of 1208	4424	explorer.exe	86
PID 4424 wrote to memory of 1208	4424	explorer.exe	86
PID 4424 wrote to memory of 1208	4424	explorer.exe	86
PID 1208 wrote to memory of 4588	1208	spoolsv.exe	87
PID 1208 wrote to memory of 4588	1208	spoolsv.exe	87
PID 1208 wrote to memory of 4588	1208	spoolsv.exe	87
PID 4588 wrote to memory of 4744	4588	svchost.exe	89
PID 4588 wrote to memory of 4744	4588	svchost.exe	89
PID 4588 wrote to memory of 4744	4588	svchost.exe	89
PID 4588 wrote to memory of 3640	4588	svchost.exe	90
PID 4588 wrote to memory of 3640	4588	svchost.exe	90
PID 4588 wrote to memory of 3640	4588	svchost.exe	90
PID 4588 wrote to memory of 4612	4588	svchost.exe	101
PID 4588 wrote to memory of 4612	4588	svchost.exe	101
PID 4588 wrote to memory of 4612	4588	svchost.exe	101
PID 4588 wrote to memory of 2332	4588	svchost.exe	103
PID 4588 wrote to memory of 2332	4588	svchost.exe	103
PID 4588 wrote to memory of 2332	4588	svchost.exe	103

C:\Users\Admin\AppData\Local\Temp\396d291c1bb63139881672d6c17312d902232cd4b3e1a4d1fe0be35a582ed006.exe
"C:\Users\Admin\AppData\Local\Temp\396d291c1bb63139881672d6c17312d902232cd4b3e1a4d1fe0be35a582ed006.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4424
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4744
    - - C:\Windows\SysWOW64\at.exe
        
        at 20:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3640
    - - C:\Windows\SysWOW64\at.exe
        
        at 20:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
    - - C:\Windows\SysWOW64\at.exe
        
        at 20:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
be59f6442d16f50c60803c296f40afff

SHA1
284e82c253c9b76c6a115600d2bb2128fd22f21d

SHA256
f8acbd352d742a4ddf97bd7a3370fa1fe71160d8548cc19fb7661965cbb1b6e2

SHA512
f75627168640e52696389c1689626d17034edc906022d49ab7b45e5a98f39aecefe21f63b4eaf377d86a6d043fa3e2f2132f46e130b97ad168e6284d7a7a0174

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
6aa6005c78dbbf189d7f0c0171a2f2a4

SHA1
d841270d6d38d0487eb56e1093fa776e5e7ebd48

SHA256
bfc6e2c1ab17df64bb23777481e090e212df4d3dcbabf058841c139eba36a96b

SHA512
6518aaced75db2aaf14e7f4f6e5ea15cb2d79ff48925b59ec8dd34e86969c70208a27ec1a933feb67d91e6cceb8768ad7317fc577d758f00871d8ae89f197c90

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
cb1e30d6f1a27eac15dc0d9b8e2683c3

SHA1
d7bff87c5f72f34f1743ba409117442d35bcd4bb

SHA256
6e4d230fa669b8417a76b65c6f7fe8ad39501d50386bd3b3c2437ff8a2104ea8

SHA512
524f147b97645664db3763e634cf5465f5250f9cdcb18069f320f85a7380f979d5cb013076ac1b5a0eea7e274b78b1e3e458e953f0380580d3cfe30f8e38cad3

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
ae04d37702f6309bc9727ce60ce89381

SHA1
bb5100f8bec6e966adf40f51fb3d019edc76d1f2

SHA256
57aac0f901c5122326f43752dcd3eb563652e0c90069c1c7183fd803d91d1b83

SHA512
d5c91ab02fa60071a71292740084ddf07f846535c339ca9f38d468cf9e5fedddcd34030864c2945b31af79e37e2a48d0dd64e16660032fe32886738669f360a2

Download Submit
memory/1208-35-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-38-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download