de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe
Size

211KB
MD5

faf69e2c0040a8b0f62b8d1a7915b6c0
SHA1

9d54a8c0d6ccb3a008a970127015938e87fe1499
SHA256

de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4
SHA512

ea58dbcc31b8944339bf7bb1f0cda2c0a0d64475f446dc23b82a05072c27c10ed5990f47e34e807094d676254f394b034201bc77aea9ed0ddff4fb9ad417d72e
SSDEEP

3072:WD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOR:Wh8cBzHLRMpZ4d1ZR

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	swchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	swchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	userinit.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2932	userinit.exe
884	spoolsw.exe
2564	swchost.exe
3056	spoolsw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	swchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system\udsys.exe	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\swchost.exe	spoolsw.exe
File opened for modification	\??\c:\windows\userinit.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	swchost.exe
File opened for modification	\??\c:\windows\userinit.exe	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe
File opened for modification	\??\c:\windows\spoolsw.exe	userinit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2068	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe
2932	userinit.exe
2932	userinit.exe
2564	swchost.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2932	userinit.exe
2564	swchost.exe
2932	userinit.exe
2564	swchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2564	swchost.exe
2932	userinit.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2068	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe
2068	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe
2932	userinit.exe
2932	userinit.exe
884	spoolsw.exe
884	spoolsw.exe
2564	swchost.exe
2564	swchost.exe
3056	spoolsw.exe
3056	spoolsw.exe
2932	userinit.exe
2932	userinit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2932	2068	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe	31
PID 2068 wrote to memory of 2932	2068	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe	31
PID 2068 wrote to memory of 2932	2068	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe	31
PID 2068 wrote to memory of 2932	2068	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe	31
PID 2932 wrote to memory of 884	2932	userinit.exe	32
PID 2932 wrote to memory of 884	2932	userinit.exe	32
PID 2932 wrote to memory of 884	2932	userinit.exe	32
PID 2932 wrote to memory of 884	2932	userinit.exe	32
PID 884 wrote to memory of 2564	884	spoolsw.exe	33
PID 884 wrote to memory of 2564	884	spoolsw.exe	33
PID 884 wrote to memory of 2564	884	spoolsw.exe	33
PID 884 wrote to memory of 2564	884	spoolsw.exe	33
PID 2564 wrote to memory of 3056	2564	swchost.exe	34
PID 2564 wrote to memory of 3056	2564	swchost.exe	34
PID 2564 wrote to memory of 3056	2564	swchost.exe	34
PID 2564 wrote to memory of 3056	2564	swchost.exe	34

C:\Users\Admin\AppData\Local\Temp\de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe
"C:\Users\Admin\AppData\Local\Temp\de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068
- \??\c:\windows\userinit.exe
  c:\windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2932
- - \??\c:\windows\spoolsw.exe
    c:\windows\spoolsw.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:884
  - - \??\c:\windows\swchost.exe
      c:\windows\swchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2564
    - - \??\c:\windows\spoolsw.exe
        
        c:\windows\spoolsw.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mrsys.exe

Filesize
211KB

MD5
e5a8b31af4b39c534d0033b4fb1e69b9

SHA1
4cf5b58f1fbee6050abef2f58f914ae5fd577600

SHA256
7e5231716046cec7f70acdd701a495269da81b747031bf96aa48223a58e7bf2f

SHA512
49637aa29df5b70ece53a79414ea4b3cfe0fffa5955b336c52d3d6ab45beb7748abf55dc5319523446515a94159321b16558f82ef1f949ef11c55c5efdeffa59

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
f12363ec78fded467019e4fa73b574dd

SHA1
1323ace93930b8a9d29c0aab53ead5083472a7c5

SHA256
5c2d7735460e4789ac0539199f8ffbb75c4d043dace29ef194870ca4bce7bc66

SHA512
b424497dcb3fdeb00a69665a837ca5406f2a5ddc84c47caa3572883316b0b62ee60eea7392d0e572be61ed0864d51b55fbd61f4646ed5424fd1be71821606f3c

Download Submit
C:\Windows\swchost.exe

Filesize
211KB

MD5
ed05fe00e5ea11b63bd543ccdb6aa480

SHA1
fcf837932b72d01322105dfb9f6889624c8abc28

SHA256
6eca542522b82ca7e82e9b06a6d80a619f5cf8149b02e9e4e9a023beb209328e

SHA512
6319bd62264cb260f6ca8133e40bc0ba93a3062da779bc2a70d55f844dd3f5b3e8c4720cb714a6861b457521cfe44c7564e7de697be45a190953cde02ebac922

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
7c0b08b36eaa5e80f93d5d89e85aee16

SHA1
e21fa02556cf562a6a1c39f1f0f6198e5c42abf8

SHA256
f06821d1014d0dc8533cb5ac0634dd4f842936c9b74213fc8cd7ef3a49e51307

SHA512
63474dbb931d43d64e3706c04bc146e5fe8526fa6ec1cf82569aceb0961aba3ce27f8cf16d1561c9b1fca4b4fc2afbe0461f14e56a34bac65dfcabd77d880ae7

Download Submit
memory/884-46-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2068-10-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/2068-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2068-49-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2564-40-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/2564-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2564-52-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/2932-22-0x00000000025C0000-0x00000000025F0000-memory.dmp

Filesize
192KB

Download
memory/2932-50-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3056-44-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download