8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3N.exe
Size

260KB
MD5

da2fedaf4c78a65dcbaa13d3d26d9ae0
SHA1

a54a8aa2d68ea960e339521969a7904efb42f9dc
SHA256

8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3
SHA512

ba7765366686fd5e5747b316886599580282147751198ff864030b84ddc676cb9dd992e8571a98cb0d5f9de41eb02d86cce70c1bb8fc3a3bb858cff50bdc6e03
SSDEEP

3072:AygCullUQN7gsBh1L1gygCullUQN7gsBh1L1/:ARleK771qRleK771R

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3020	explorer.exe
3008	spoolsv.exe
1040	svchost.exe
2592	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2708	8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3N.exe
2708	8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3N.exe
3020	explorer.exe
3020	explorer.exe
3008	spoolsv.exe
3008	spoolsv.exe
1040	svchost.exe
1040	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\System\tjud.exe	explorer.exe
File opened for modification	C:\Windows\System\tjcm.cmn	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2708	8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3N.exe
3020	explorer.exe
3020	explorer.exe
3020	explorer.exe
1040	svchost.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe
3020	explorer.exe
1040	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3020	explorer.exe
1040	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2708	8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3N.exe
2708	8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3N.exe
3020	explorer.exe
3020	explorer.exe
3008	spoolsv.exe
3008	spoolsv.exe
1040	svchost.exe
1040	svchost.exe
2592	spoolsv.exe
2592	spoolsv.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 3020	2708	8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3N.exe	30
PID 2708 wrote to memory of 3020	2708	8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3N.exe	30
PID 2708 wrote to memory of 3020	2708	8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3N.exe	30
PID 2708 wrote to memory of 3020	2708	8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3N.exe	30
PID 3020 wrote to memory of 3008	3020	explorer.exe	31
PID 3020 wrote to memory of 3008	3020	explorer.exe	31
PID 3020 wrote to memory of 3008	3020	explorer.exe	31
PID 3020 wrote to memory of 3008	3020	explorer.exe	31
PID 3008 wrote to memory of 1040	3008	spoolsv.exe	32
PID 3008 wrote to memory of 1040	3008	spoolsv.exe	32
PID 3008 wrote to memory of 1040	3008	spoolsv.exe	32
PID 3008 wrote to memory of 1040	3008	spoolsv.exe	32
PID 1040 wrote to memory of 2592	1040	svchost.exe	33
PID 1040 wrote to memory of 2592	1040	svchost.exe	33
PID 1040 wrote to memory of 2592	1040	svchost.exe	33
PID 1040 wrote to memory of 2592	1040	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3N.exe
"C:\Users\Admin\AppData\Local\Temp\8969491a3d38a0526faaaf04447a6cbbb893f194348f47ecbec7c38a524d6af3N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
260KB

MD5
4e4cb45347c2b2cd037a213dfeb4ef87

SHA1
f1f536e820af161d0847832c6825690c19d20a66

SHA256
c09f15f0a3a4b45e945dcbbd88286cb131a9b261a69f60f492c0938d005d75f6

SHA512
bc4df19ac626e2dc436927d314e96cd7e2aef8f0daacbe01afd2addbc41d66757af5ee3a3d395053ab1a01dbe342c5a35716d792861981f53a2f9f4d9f3277d4

Download Submit
\Windows\system\explorer.exe

Filesize
260KB

MD5
7f98328ece8f2474b7bc09e860310fe4

SHA1
a7c728dc7b257708d3208e03709cf02f6e952918

SHA256
5e10ffefe86fa14f1c8ef202ff021b5ba403e5eeb2ed66fb69edfafd1fb2e553

SHA512
34914fb73ca4484631266661ca4ee1b986457873dea1af075afe3b28556c1086e26caa0f9e02e984960776cfde3cc06aac3c3d96c2a1a1f5c5a4ef0858887cbd

Download Submit
\Windows\system\spoolsv.exe

Filesize
260KB

MD5
83beb4a6484d2983777274dedd4a1510

SHA1
9ff4bdaf682705ce578a1dd569f3f298a8004d33

SHA256
10d9878d5e6c46ba368d683fd480391c62e205fbc963d6b5910922751c160445

SHA512
2c5948d9107c58e2584a41441309dc81c4ac28027479bb516e13896e0b3f21a120886d2522b3a7139fb4a0c88cbd2b89a826e2afe2c067eac15c2160595922b7

Download Submit
\Windows\system\svchost.exe

Filesize
260KB

MD5
2d07a22d7c89aea0ada6e5e4a4bbbf92

SHA1
150c8e918b84869e461d0514712b8ccd10e81e08

SHA256
6c55e2a9584a0e0fa312b8d0c901dcfce23f39b2a38f81e627328f1705eca988

SHA512
91b9e43e8e0644ba397af06bd31dd42db67a07226d0864b43c416e92955502ea16cb83c56e31f5a0c472a0952814ef7879657ab0e61f17b667a2965b072c5a01

Download Submit