0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040c

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe
Size

69KB
MD5

e2cd247fdc2af196d3fa98a2090ec630
SHA1

b8ddb2798b79f95fb202f7fc191f7370e4c358d5
SHA256

0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040c
SHA512

4cf48a03501f970a9acfc7ca6e1622c7fee49916bae8bd6124c3777092911805caabcdf449ff4141fcf1ca4f5ec6a12824bf420906c9579cb0eef9e7f29805ba
SSDEEP

1536:EJrFDMRyriCY/qXfatMp4Q2V6fIMxIpLT:0F8dCY85TE6fIMSRT

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2604	explorer.exe
2148	spoolsv.exe
1220	svchost.exe
4820	spoolsv.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2188-0-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/files/0x0011000000023a1e-7.dat	upx
behavioral2/files/0x0010000000023a27-13.dat	upx
behavioral2/files/0x000d000000023a3f-23.dat	upx
behavioral2/memory/4820-33-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2188-39-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2148-38-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/files/0x0010000000023a2f-40.dat	upx
behavioral2/memory/2604-41-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1220-42-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2604-53-0x0000000000400000-0x0000000000434000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe
2188	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe
2604	explorer.exe
2604	explorer.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe
2604	explorer.exe
2604	explorer.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe
1220	svchost.exe
2604	explorer.exe
2604	explorer.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe
2604	explorer.exe
1220	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2604	explorer.exe
1220	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2188	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe
2188	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe
2604	explorer.exe
2604	explorer.exe
2148	spoolsv.exe
2148	spoolsv.exe
1220	svchost.exe
1220	svchost.exe
4820	spoolsv.exe
4820	spoolsv.exe
2604	explorer.exe
2604	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2604	2188	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe	86
PID 2188 wrote to memory of 2604	2188	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe	86
PID 2188 wrote to memory of 2604	2188	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe	86
PID 2604 wrote to memory of 2148	2604	explorer.exe	87
PID 2604 wrote to memory of 2148	2604	explorer.exe	87
PID 2604 wrote to memory of 2148	2604	explorer.exe	87
PID 2148 wrote to memory of 1220	2148	spoolsv.exe	88
PID 2148 wrote to memory of 1220	2148	spoolsv.exe	88
PID 2148 wrote to memory of 1220	2148	spoolsv.exe	88
PID 1220 wrote to memory of 4820	1220	svchost.exe	89
PID 1220 wrote to memory of 4820	1220	svchost.exe	89
PID 1220 wrote to memory of 4820	1220	svchost.exe	89
PID 1220 wrote to memory of 208	1220	svchost.exe	91
PID 1220 wrote to memory of 208	1220	svchost.exe	91
PID 1220 wrote to memory of 208	1220	svchost.exe	91
PID 1220 wrote to memory of 4804	1220	svchost.exe	103
PID 1220 wrote to memory of 4804	1220	svchost.exe	103
PID 1220 wrote to memory of 4804	1220	svchost.exe	103
PID 1220 wrote to memory of 3176	1220	svchost.exe	115
PID 1220 wrote to memory of 3176	1220	svchost.exe	115
PID 1220 wrote to memory of 3176	1220	svchost.exe	115

C:\Users\Admin\AppData\Local\Temp\0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe
"C:\Users\Admin\AppData\Local\Temp\0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2604
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4820
    - - C:\Windows\SysWOW64\at.exe
        
        at 21:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:208
    - - C:\Windows\SysWOW64\at.exe
        
        at 21:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
    - - C:\Windows\SysWOW64\at.exe
        
        at 21:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
69KB

MD5
781bccdd1568ae1709baa1a7e3f2a995

SHA1
69b716886c474d03a38680d522aaf525baabbf63

SHA256
6e3ae9722752cf2e09d6efb80d843197670757e906d9470092a8378fd1fe7f7e

SHA512
36c6820b3402e8d6b48c1e9fc21dc31af4878e262e76ccc48286d55ac94a68dfcdd0eba1bc1971968c76da5bc5a562e87c9956eb879c1798b8567791f661e020

Download Submit
C:\Windows\System\explorer.exe

Filesize
69KB

MD5
ec3f8abd805549fab3fe75f6e9129398

SHA1
6814c170e8779eab8423b79a59135ac9805265b0

SHA256
8d3678a8cd0a6211043b4979db21b565536900b913489674b4f9ebf900fa031f

SHA512
658d5a96de6122455ffa45e3ad6a28c0cae28e6df3011462c6f906f13270bbf4fc05876630f31da9b46a4e73579ded7d37a4be754da75d7c6f9bd0d87c4f8871

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
69KB

MD5
6cf8fa5316bf072e876a8b43a83b534f

SHA1
d9de0880d7095b86fb69020bca22fc4c32ec9a8a

SHA256
b1e5f9132941c8d3fa8513cdad1758f60fbcfd596b30335392f2520307d2794d

SHA512
acfca5b68b48b54ab8eb977d9a0f78725a6737d5e7b03084278b316c29ad54756e88edd4b7f97cbe8b3c834797d22d89e1a8a71782c219738434b6f6e8d9527d

Download Submit
C:\Windows\System\svchost.exe

Filesize
69KB

MD5
eb0aac3b3a8201909012465b1d3de991

SHA1
09a10489020a50ce9a8d04deb607c569ed7eb75d

SHA256
6ad2e59388b8e7c14b02add147045fd9c0d5f15ff11fc9bd6aa7ae6e7633d282

SHA512
5d2d0cd012557d9b2e80f7095b614d960e788843b134ce147394a51f093ff2bf84a600e83c8bcc5a55cae8e60a10d59f1f9f0fef9c8dd8caa3d870ccfcef8d83

Download Submit
memory/1220-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download