0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040c

Analysis

max time kernel
101s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe
Size

69KB
MD5

e2cd247fdc2af196d3fa98a2090ec630
SHA1

b8ddb2798b79f95fb202f7fc191f7370e4c358d5
SHA256

0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040c
SHA512

4cf48a03501f970a9acfc7ca6e1622c7fee49916bae8bd6124c3777092911805caabcdf449ff4141fcf1ca4f5ec6a12824bf420906c9579cb0eef9e7f29805ba
SSDEEP

1536:EJrFDMRyriCY/qXfatMp4Q2V6fIMxIpLT:0F8dCY85TE6fIMSRT

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3028	explorer.exe
2712	spoolsv.exe
2824	svchost.exe
2692	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
3020	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe
3020	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe
3028	explorer.exe
3028	explorer.exe
2712	spoolsv.exe
2712	spoolsv.exe
2824	svchost.exe
2824	svchost.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3020-0-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/files/0x0026000000017234-6.dat	upx
behavioral1/files/0x000a0000000174d5-20.dat	upx
behavioral1/files/0x00070000000177df-33.dat	upx
behavioral1/memory/2824-40-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/3020-47-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2692-54-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2712-58-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/3020-60-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/files/0x00080000000185e6-61.dat	upx
behavioral1/memory/3028-62-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2824-63-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/3028-76-0x0000000000400000-0x0000000000434000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
2824	svchost.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
3028	explorer.exe
2824	svchost.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
3028	explorer.exe
2824	svchost.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
3028	explorer.exe
2824	svchost.exe
2824	svchost.exe
3028	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3028	explorer.exe
2824	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3020	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe
3020	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe
3028	explorer.exe
3028	explorer.exe
2712	spoolsv.exe
2712	spoolsv.exe
2824	svchost.exe
2824	svchost.exe
2692	spoolsv.exe
2692	spoolsv.exe
3028	explorer.exe
3028	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 3028	3020	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe	30
PID 3020 wrote to memory of 3028	3020	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe	30
PID 3020 wrote to memory of 3028	3020	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe	30
PID 3020 wrote to memory of 3028	3020	0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe	30
PID 3028 wrote to memory of 2712	3028	explorer.exe	31
PID 3028 wrote to memory of 2712	3028	explorer.exe	31
PID 3028 wrote to memory of 2712	3028	explorer.exe	31
PID 3028 wrote to memory of 2712	3028	explorer.exe	31
PID 2712 wrote to memory of 2824	2712	spoolsv.exe	32
PID 2712 wrote to memory of 2824	2712	spoolsv.exe	32
PID 2712 wrote to memory of 2824	2712	spoolsv.exe	32
PID 2712 wrote to memory of 2824	2712	spoolsv.exe	32
PID 2824 wrote to memory of 2692	2824	svchost.exe	33
PID 2824 wrote to memory of 2692	2824	svchost.exe	33
PID 2824 wrote to memory of 2692	2824	svchost.exe	33
PID 2824 wrote to memory of 2692	2824	svchost.exe	33
PID 2824 wrote to memory of 2168	2824	svchost.exe	34
PID 2824 wrote to memory of 2168	2824	svchost.exe	34
PID 2824 wrote to memory of 2168	2824	svchost.exe	34
PID 2824 wrote to memory of 2168	2824	svchost.exe	34
PID 2824 wrote to memory of 2652	2824	svchost.exe	36
PID 2824 wrote to memory of 2652	2824	svchost.exe	36
PID 2824 wrote to memory of 2652	2824	svchost.exe	36
PID 2824 wrote to memory of 2652	2824	svchost.exe	36

C:\Users\Admin\AppData\Local\Temp\0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe
"C:\Users\Admin\AppData\Local\Temp\0a70692275be31f3b79f781c49503b3fe20d0e05716d2237987f59009dbf040cN.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3028
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2692
    - - C:\Windows\SysWOW64\at.exe
        
        at 16:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
    - - C:\Windows\SysWOW64\at.exe
        
        at 16:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
69KB

MD5
1dbea7b530faee47a504404532f76171

SHA1
97af2bcc5f01421ab7c9568c2a663ac19d7b46dd

SHA256
30292533f4e37fb30c6a806f159e839d3a60eef1c887eec795bb72824b0a3010

SHA512
c11581b365d6cafceabfc520ecb4e16c8e76d400767798f787dd6d9def304285414a0df9e044d178f93afd22f74fa4ed06e1eea74f8f12adceaa5ff5d1554984

Download Submit
\Windows\system\explorer.exe

Filesize
69KB

MD5
859d63324cde729105c9767618271ed3

SHA1
5e9da48799726d2a6113ff87e492b17c99265523

SHA256
915069e2b821d02b6c4cd3d40d2915cbb67dd09c7a9bd622aa169f365f327d81

SHA512
a74d7aeca99f579ca6fd5146fb6eb7a2072819cd68b979bf9a223e6c0fd70b08d8953fa489881406c56b926797281f6529cdbdae5d2f6e61d23e808b281b7e92

Download Submit
\Windows\system\spoolsv.exe

Filesize
69KB

MD5
0e24122706ab9e2a6be853f0a7929a25

SHA1
02835c558114855c960bd0330b66ab006d1d3c62

SHA256
821446703fa2a449c916d5f675425fd10ea8457e8706bdf8daa208edeefb06b3

SHA512
aa820ffc560d923d0dd4b6e89e34454ba8c22c0e4ba5dd4f3e7a8b7270a2b6ca00f79b893d367f0bd9d2e29d7d143f9bc1e416e18a8adf27d58ae208fca9e08e

Download Submit
\Windows\system\svchost.exe

Filesize
69KB

MD5
3874e1eacde76c1c13ba752c7a2336bf

SHA1
2f6bf857ef1ff9af11cf97bab47ffedb79678936

SHA256
8faa213f49f03c93601e3f8f71669ce0ce0d492343c7537dc30e970996320209

SHA512
13d42b014a411c12c407bc1f00ac56a42278b7a5924a45d43eaf049e17f7afc22d0dff53eeff4f360c7634ce0782a7264280cbabf91b98a982b0aef247df9820

Download Submit
memory/2692-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-49-0x0000000001D50000-0x0000000001D84000-memory.dmp

Filesize
208KB

Download
memory/2824-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-12-0x0000000002590000-0x00000000025C4000-memory.dmp

Filesize
208KB

Download
memory/3028-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download