73da186eb6b3a8c169b2374b2f8e94ebc6bd7f2db028901a243fd7d98ff8fe94

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 08:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

20b4076ddbd667afc5b26a35c11c2410N.exe
Size

206KB
MD5

20b4076ddbd667afc5b26a35c11c2410
SHA1

b83fc864be5953c02330ba1e689e1d5db998e7f9
SHA256

73da186eb6b3a8c169b2374b2f8e94ebc6bd7f2db028901a243fd7d98ff8fe94
SHA512

673b89fdcfa8a97a9d188e00b6e1d71619cf18a9695a9a6e9124c9209d49483ce4d44607971d0f4527a7e2706c14c40209f8213aac697a151052eaf9859250e0
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6un7:zvEN2U+T6i5LirrllHy4HUcMQY6K

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
4936	explorer.exe
3184	spoolsv.exe
2196	svchost.exe
2520	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	20b4076ddbd667afc5b26a35c11c2410N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20b4076ddbd667afc5b26a35c11c2410N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	20b4076ddbd667afc5b26a35c11c2410N.exe
1700	20b4076ddbd667afc5b26a35c11c2410N.exe
4936	explorer.exe
4936	explorer.exe
4936	explorer.exe
4936	explorer.exe
4936	explorer.exe
4936	explorer.exe
2196	svchost.exe
2196	svchost.exe
2196	svchost.exe
2196	svchost.exe
4936	explorer.exe
4936	explorer.exe
2196	svchost.exe
2196	svchost.exe
4936	explorer.exe
4936	explorer.exe
2196	svchost.exe
2196	svchost.exe
4936	explorer.exe
4936	explorer.exe
2196	svchost.exe
2196	svchost.exe
4936	explorer.exe
4936	explorer.exe
2196	svchost.exe
2196	svchost.exe
4936	explorer.exe
4936	explorer.exe
2196	svchost.exe
2196	svchost.exe
4936	explorer.exe
4936	explorer.exe
2196	svchost.exe
2196	svchost.exe
4936	explorer.exe
4936	explorer.exe
2196	svchost.exe
2196	svchost.exe
4936	explorer.exe
4936	explorer.exe
2196	svchost.exe
2196	svchost.exe
4936	explorer.exe
4936	explorer.exe
2196	svchost.exe
2196	svchost.exe
4936	explorer.exe
4936	explorer.exe
2196	svchost.exe
2196	svchost.exe
4936	explorer.exe
4936	explorer.exe
2196	svchost.exe
2196	svchost.exe
4936	explorer.exe
4936	explorer.exe
2196	svchost.exe
2196	svchost.exe
4936	explorer.exe
4936	explorer.exe
2196	svchost.exe
2196	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4936	explorer.exe
2196	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1700	20b4076ddbd667afc5b26a35c11c2410N.exe
1700	20b4076ddbd667afc5b26a35c11c2410N.exe
4936	explorer.exe
4936	explorer.exe
3184	spoolsv.exe
3184	spoolsv.exe
2196	svchost.exe
2196	svchost.exe
2520	spoolsv.exe
2520	spoolsv.exe
4936	explorer.exe
4936	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 4936	1700	20b4076ddbd667afc5b26a35c11c2410N.exe	91
PID 1700 wrote to memory of 4936	1700	20b4076ddbd667afc5b26a35c11c2410N.exe	91
PID 1700 wrote to memory of 4936	1700	20b4076ddbd667afc5b26a35c11c2410N.exe	91
PID 4936 wrote to memory of 3184	4936	explorer.exe	92
PID 4936 wrote to memory of 3184	4936	explorer.exe	92
PID 4936 wrote to memory of 3184	4936	explorer.exe	92
PID 3184 wrote to memory of 2196	3184	spoolsv.exe	94
PID 3184 wrote to memory of 2196	3184	spoolsv.exe	94
PID 3184 wrote to memory of 2196	3184	spoolsv.exe	94
PID 2196 wrote to memory of 2520	2196	svchost.exe	95
PID 2196 wrote to memory of 2520	2196	svchost.exe	95
PID 2196 wrote to memory of 2520	2196	svchost.exe	95
PID 2196 wrote to memory of 4100	2196	svchost.exe	96
PID 2196 wrote to memory of 4100	2196	svchost.exe	96
PID 2196 wrote to memory of 4100	2196	svchost.exe	96
PID 2196 wrote to memory of 3200	2196	svchost.exe	109
PID 2196 wrote to memory of 3200	2196	svchost.exe	109
PID 2196 wrote to memory of 3200	2196	svchost.exe	109

C:\Users\Admin\AppData\Local\Temp\20b4076ddbd667afc5b26a35c11c2410N.exe
"C:\Users\Admin\AppData\Local\Temp\20b4076ddbd667afc5b26a35c11c2410N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4936
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2520
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4348,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8
1⤵
PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
9857d5c765a618722e6bc78723a90e8c

SHA1
f298bd9a62c3f08a76746e3e5bfb3d42b783595e

SHA256
421f24dc29e4cbd406f5777d037d12f0bd672a77062d4d448f3c36d7e5a9ad54

SHA512
7b54187f099b29d692db14d1c06acc73bc1b38e82bcae8b8168b4f79870efbfd1a324479ffaba105dc7a1ee75e9be846090909f044d0de8487d315003aaa48f8

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
a2504361a18bb5fc28d167b825cee39e

SHA1
f9b4a17caf75c973dd365d563870fa232b22933b

SHA256
93fcd95b022319022828cbd8504cbfe7084d91fc1e29c8e6f69b8483ac771b45

SHA512
085a336b5833ff48abe61b03818729db72a066e26493484c59069bc877f69a181704f7f2e3548f2724de353eaf129bd1591063ed2cfbdad9f57dc42fc167eda1

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
5264422e09777703ceaf2ffb40b5bd3b

SHA1
e824cbded22ec4f6879f5a22a0d58a198ca5cd7a

SHA256
b0da5d898e14da5e5f32f968606a26df83eb4937fe15644f84a03e42da6a2145

SHA512
665d5c0523b18a72021e319b80065588025ed570c2c38d5f54f116e0d3a08fe16a431878c95117b6244aaa9230699660640de44b7df2a3cd8201805f87481b8a

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
dcfadd660377747d4c6610e09e4227f5

SHA1
6fc008efd9e1b46c9bb98e741fa553915adb1e70

SHA256
b6e9aad43609528d76d2c7a100e3156878c8adbc23dff79d991768293dde950d

SHA512
f32a89adc49241d47ca326cdd4a8bb45123c24cd83b7016d87331bdee0c86394ce83fbf06d8297ed10bf2fc9bcb15783489123797eb5fc5d4d69d7b15e86771b

Download Submit