58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1b

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1bN.exe
Size

503KB
MD5

ebe4fd3691956df84f935c1b2f895e30
SHA1

58c7cbf3ff51c18c7f9adb334e16f50bf1d0033f
SHA256

58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1b
SHA512

1031d7e9c6e8c30b08f27b172f195f087e139245ebf7b6d302d8484408b015de8af0bab3fd13958f0f425e75243a5996352cf30f6d4d8ddc128ad5cf1f3ff6da
SSDEEP

12288:3ENN+T5xYrllrU7QY6CRYiioQzhGTRKhWcFc9f:N5xolYQY6yYjJzhgKhWcFc9f

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1680	explorer.exe
2448	spoolsv.exe
2892	svchost.exe
2452	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1740	58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1bN.exe
1740	58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1bN.exe
1680	explorer.exe
1680	explorer.exe
2448	spoolsv.exe
2448	spoolsv.exe
2892	svchost.exe
2892	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1bN.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1bN.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
2892	svchost.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe
1680	explorer.exe
2892	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1680	explorer.exe
2892	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1740	58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1bN.exe
1740	58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1bN.exe
1680	explorer.exe
1680	explorer.exe
2448	spoolsv.exe
2448	spoolsv.exe
2892	svchost.exe
2892	svchost.exe
2452	spoolsv.exe
2452	spoolsv.exe
1680	explorer.exe
1680	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1680	1740	58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1bN.exe	30
PID 1740 wrote to memory of 1680	1740	58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1bN.exe	30
PID 1740 wrote to memory of 1680	1740	58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1bN.exe	30
PID 1740 wrote to memory of 1680	1740	58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1bN.exe	30
PID 1680 wrote to memory of 2448	1680	explorer.exe	31
PID 1680 wrote to memory of 2448	1680	explorer.exe	31
PID 1680 wrote to memory of 2448	1680	explorer.exe	31
PID 1680 wrote to memory of 2448	1680	explorer.exe	31
PID 2448 wrote to memory of 2892	2448	spoolsv.exe	32
PID 2448 wrote to memory of 2892	2448	spoolsv.exe	32
PID 2448 wrote to memory of 2892	2448	spoolsv.exe	32
PID 2448 wrote to memory of 2892	2448	spoolsv.exe	32
PID 2892 wrote to memory of 2452	2892	svchost.exe	33
PID 2892 wrote to memory of 2452	2892	svchost.exe	33
PID 2892 wrote to memory of 2452	2892	svchost.exe	33
PID 2892 wrote to memory of 2452	2892	svchost.exe	33
PID 2892 wrote to memory of 2744	2892	svchost.exe	34
PID 2892 wrote to memory of 2744	2892	svchost.exe	34
PID 2892 wrote to memory of 2744	2892	svchost.exe	34
PID 2892 wrote to memory of 2744	2892	svchost.exe	34
PID 2892 wrote to memory of 2696	2892	svchost.exe	37
PID 2892 wrote to memory of 2696	2892	svchost.exe	37
PID 2892 wrote to memory of 2696	2892	svchost.exe	37
PID 2892 wrote to memory of 2696	2892	svchost.exe	37

C:\Users\Admin\AppData\Local\Temp\58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1bN.exe
"C:\Users\Admin\AppData\Local\Temp\58b02d0eb1e58564c274e82b3aedcad163dbfbbdd25c8ddd8155d15053773e1bN.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1680
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2452
    - - C:\Windows\SysWOW64\at.exe
        
        at 06:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
    - - C:\Windows\SysWOW64\at.exe
        
        at 06:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
503KB

MD5
687e53b5a0fc5f8cc15ecaeab2542790

SHA1
086aa3fc2d06db272221e52cd9c808f47182ad72

SHA256
c4ee20a9067741f7652b9a955e3992c584a8612769f6f339a373a6b30852452c

SHA512
acf22bfb60c747f7e5c1102c19308fb7b0afec17dbd3d42d104427db8df9105812b0d48cf7fe59978ea9dda9f8ec0820edb4fc7f4da4da5f86080f3c2909e3d5

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
503KB

MD5
be19669b90bc3c26f6329a3a77da3bd5

SHA1
fdb33f93700de4811c45706db141198819c035e2

SHA256
9999196e3ba637fae4b11784636824702c931cd97a3c821445bcbb5aabf6419b

SHA512
0489e3a4b03a7ec33b6ebecbb4f2af63570c45cad8cf5775f0a840fbee29f0cf3e834ae88c2b451a99a18e2577ce08b6cf2963f2d290264155b5c177538a2324

Download Submit
\Windows\system\explorer.exe

Filesize
503KB

MD5
9fb003edc9cf1831746e7daf2781d601

SHA1
4e46a56a8dbb66b2d85d3bddd0c2f04581d41e32

SHA256
8032720ed84362aaab67d5abfb1648dba59a59df0830d89f27b695e40d8d5955

SHA512
f62536509fb4b9a310e9dc8a6b1398fee6bacc2c5fb474982ee1cd1da812467969e5a07f64deccb09c93f77fc5fb105ae80f5ed8e8b0777a3604dbaa1580fe01

Download Submit
\Windows\system\svchost.exe

Filesize
503KB

MD5
e745794cac0f5aab37fe431da4a55851

SHA1
6d99966d93a3dd60a7e895a99f477e8a91aab752

SHA256
de7fe22e44c99624567cf2d49c64ef44aa22120507e604ba64d8c5e354d9f363

SHA512
9a805d13083dc18425290eaff8bf27fd27f88da08a46c844a52f54862451c8236509e6f6142c069a2e5a88d8ec2b6237795a640f873a69c38b021bb3d68c3b4f

Download Submit
memory/1680-59-0x0000000002FF0000-0x0000000003061000-memory.dmp

Filesize
452KB

Download
memory/1680-14-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1680-58-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1680-60-0x0000000002FF0000-0x0000000003061000-memory.dmp

Filesize
452KB

Download
memory/1740-12-0x0000000002760000-0x00000000027D1000-memory.dmp

Filesize
452KB

Download
memory/1740-56-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1740-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2448-40-0x0000000003390000-0x0000000003401000-memory.dmp

Filesize
452KB

Download
memory/2448-55-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2452-52-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2892-61-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2892-62-0x0000000002BC0000-0x0000000002C31000-memory.dmp

Filesize
452KB

Download