de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4

Analysis

max time kernel
120s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe
Size

211KB
MD5

faf69e2c0040a8b0f62b8d1a7915b6c0
SHA1

9d54a8c0d6ccb3a008a970127015938e87fe1499
SHA256

de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4
SHA512

ea58dbcc31b8944339bf7bb1f0cda2c0a0d64475f446dc23b82a05072c27c10ed5990f47e34e807094d676254f394b034201bc77aea9ed0ddff4fb9ad417d72e
SSDEEP

3072:WD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOR:Wh8cBzHLRMpZ4d1ZR

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	swchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	swchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	userinit.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2152	userinit.exe
3716	spoolsw.exe
3928	swchost.exe
4136	spoolsw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	userinit.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system\udsys.exe	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\userinit.exe	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe
File opened for modification	\??\c:\windows\spoolsw.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	spoolsw.exe
File opened for modification	\??\c:\windows\userinit.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	swchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3368	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe
3368	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe
2152	userinit.exe
2152	userinit.exe
2152	userinit.exe
2152	userinit.exe
2152	userinit.exe
2152	userinit.exe
3928	swchost.exe
3928	swchost.exe
3928	swchost.exe
3928	swchost.exe
2152	userinit.exe
2152	userinit.exe
3928	swchost.exe
3928	swchost.exe
2152	userinit.exe
2152	userinit.exe
3928	swchost.exe
3928	swchost.exe
2152	userinit.exe
2152	userinit.exe
3928	swchost.exe
3928	swchost.exe
2152	userinit.exe
2152	userinit.exe
3928	swchost.exe
3928	swchost.exe
2152	userinit.exe
2152	userinit.exe
3928	swchost.exe
3928	swchost.exe
2152	userinit.exe
2152	userinit.exe
3928	swchost.exe
3928	swchost.exe
2152	userinit.exe
2152	userinit.exe
3928	swchost.exe
3928	swchost.exe
2152	userinit.exe
2152	userinit.exe
3928	swchost.exe
3928	swchost.exe
2152	userinit.exe
2152	userinit.exe
3928	swchost.exe
3928	swchost.exe
2152	userinit.exe
2152	userinit.exe
3928	swchost.exe
3928	swchost.exe
2152	userinit.exe
2152	userinit.exe
3928	swchost.exe
3928	swchost.exe
2152	userinit.exe
2152	userinit.exe
3928	swchost.exe
3928	swchost.exe
2152	userinit.exe
2152	userinit.exe
3928	swchost.exe
3928	swchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2152	userinit.exe
3928	swchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3368	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe
3368	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe
2152	userinit.exe
2152	userinit.exe
3716	spoolsw.exe
3716	spoolsw.exe
3928	swchost.exe
3928	swchost.exe
4136	spoolsw.exe
4136	spoolsw.exe
2152	userinit.exe
2152	userinit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 2152	3368	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe	83
PID 3368 wrote to memory of 2152	3368	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe	83
PID 3368 wrote to memory of 2152	3368	de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe	83
PID 2152 wrote to memory of 3716	2152	userinit.exe	84
PID 2152 wrote to memory of 3716	2152	userinit.exe	84
PID 2152 wrote to memory of 3716	2152	userinit.exe	84
PID 3716 wrote to memory of 3928	3716	spoolsw.exe	85
PID 3716 wrote to memory of 3928	3716	spoolsw.exe	85
PID 3716 wrote to memory of 3928	3716	spoolsw.exe	85
PID 3928 wrote to memory of 4136	3928	swchost.exe	86
PID 3928 wrote to memory of 4136	3928	swchost.exe	86
PID 3928 wrote to memory of 4136	3928	swchost.exe	86

C:\Users\Admin\AppData\Local\Temp\de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe
"C:\Users\Admin\AppData\Local\Temp\de4bf050551c8b0e112125383f13f9751f6738a899d666be333aa926bddcc4e4N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3368
- \??\c:\windows\userinit.exe
  c:\windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2152
- - \??\c:\windows\spoolsw.exe
    c:\windows\spoolsw.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - \??\c:\windows\swchost.exe
      c:\windows\swchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3928
    - - \??\c:\windows\spoolsw.exe
        
        c:\windows\spoolsw.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mrsys.exe

Filesize
211KB

MD5
4a1a4821d4d5e6976b0143636c3b4555

SHA1
f97279aba256d11fdce60f549e9f47fa2c2aed28

SHA256
dc2de1a4639562f352c1e65591a725a3c1de8eb2e38e76622391d8f01d47647a

SHA512
89c10308c200412e8266bd3b3da7b53499aa86e089e553fba47b129ebc1e1f2666e764e3f5d238774d639515438522b4220c28507f03eb68392a935765c79183

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
52c9e527f0284df85b95b5118d99476f

SHA1
ee18ccf092d9e9ef1f1532bb5dd9ee383d0d8670

SHA256
e9a566324e75cb0e856aa52403e6c20c66c8d8dffa0e4b05114cce84bb58c52f

SHA512
84d7747292b29caf6f0349c27891e50e3b342f314df42e73b5441dff336c9561ae8cf17f023a813b2b52c2658208e7dac43a93a9b8244b858ec694bb857e8820

Download Submit
C:\Windows\swchost.exe

Filesize
211KB

MD5
0b97758ecb780e6f7b993ab46ded930c

SHA1
912951b3a9453a31aa3352eda91d5d86c5b422df

SHA256
8c0852008e0b893e01768163fb66e44bae99dd095ad5a63c2958df9aa27466f9

SHA512
7e0f9061c165c6c8bb5e4784b75839d58bb0a936c9a065465740d9de07bf7799d7fb49b4925f5676f2b7720f75d482e178cfd95001fc6652497c5c44fcfc4435

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
3d4ae186806daf9b0e442be4ff168dda

SHA1
46074ca0d96f758a65605db691b0533c4b2356f3

SHA256
494718280cde88be92def6a187eabba8e670a8de67580459472f9be93fef6cd6

SHA512
37f0088324a338c059761df0ccb4a8cd8863fb13614067062501bd000022dcfab79c07087ad86e9b51f1f12bcee567b900f7956a135ac9867ee3b2d53e8b06c5

Download Submit
memory/2152-38-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3368-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3368-37-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3716-35-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3928-39-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4136-32-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download