d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811N.exe
Size

211KB
MD5

7b1a668eb5c6d16ed9c06e6d7b5fcb40
SHA1

861076702455b7207cd93d36f7911fad16a56f89
SHA256

d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811
SHA512

62441c1433b1b4977987f3498144a5634900333f0a599698e7323f5010169c8e9c38fcda9fd16940f40abc42baac59cf75bd331343dfdd5dc1b07aa5c4400ee5
SSDEEP

3072:WD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOf:Wh8cBzHLRMpZ4d1Zf

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	swchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	swchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	userinit.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2192	userinit.exe
1484	spoolsw.exe
2732	swchost.exe
2868	spoolsw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	swchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system\udsys.exe	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\userinit.exe	d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811N.exe
File opened for modification	\??\c:\windows\spoolsw.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	spoolsw.exe
File opened for modification	\??\c:\windows\userinit.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	swchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2336	d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811N.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2732	swchost.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe
2192	userinit.exe
2732	swchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2192	userinit.exe
2732	swchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2336	d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811N.exe
2336	d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811N.exe
2192	userinit.exe
2192	userinit.exe
1484	spoolsw.exe
1484	spoolsw.exe
2732	swchost.exe
2732	swchost.exe
2868	spoolsw.exe
2868	spoolsw.exe
2192	userinit.exe
2192	userinit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2192	2336	d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811N.exe	31
PID 2336 wrote to memory of 2192	2336	d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811N.exe	31
PID 2336 wrote to memory of 2192	2336	d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811N.exe	31
PID 2336 wrote to memory of 2192	2336	d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811N.exe	31
PID 2192 wrote to memory of 1484	2192	userinit.exe	32
PID 2192 wrote to memory of 1484	2192	userinit.exe	32
PID 2192 wrote to memory of 1484	2192	userinit.exe	32
PID 2192 wrote to memory of 1484	2192	userinit.exe	32
PID 1484 wrote to memory of 2732	1484	spoolsw.exe	33
PID 1484 wrote to memory of 2732	1484	spoolsw.exe	33
PID 1484 wrote to memory of 2732	1484	spoolsw.exe	33
PID 1484 wrote to memory of 2732	1484	spoolsw.exe	33
PID 2732 wrote to memory of 2868	2732	swchost.exe	34
PID 2732 wrote to memory of 2868	2732	swchost.exe	34
PID 2732 wrote to memory of 2868	2732	swchost.exe	34
PID 2732 wrote to memory of 2868	2732	swchost.exe	34

C:\Users\Admin\AppData\Local\Temp\d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811N.exe
"C:\Users\Admin\AppData\Local\Temp\d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336
- \??\c:\windows\userinit.exe
  c:\windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2192
- - \??\c:\windows\spoolsw.exe
    c:\windows\spoolsw.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - \??\c:\windows\swchost.exe
      c:\windows\swchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2732
    - - \??\c:\windows\spoolsw.exe
        
        c:\windows\spoolsw.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mrsys.exe

Filesize
211KB

MD5
c9c4827dc7c8544a0e3a81b41bf02dbe

SHA1
ab7143b81c2c3dce64a25612e54301673f863994

SHA256
a7a6e0b335cf18ad0ee8e2129f4c7e6d1f096e662146baa254106512d24d1e3d

SHA512
a878ecb1ddec8cb4191d0b0d36ea834fb178f39d8f471b5ce2a574f059a39e438d43c9a8b2bef338fcce62ba21a26739cff0e54bdc01ccff5aaa3238f3c47cfd

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
b0b675a8de08d76b5b550d5225050b61

SHA1
8f87b3ac2e3ec6e9c7a32e1290b81c0de3803ba0

SHA256
4d09ef6a23ca4413241534684239f96c6f9c1865aaddcca18dd14e7836d8f6d5

SHA512
f3aead0f0eea7b76a9c145efe4d0321d30928b596991b74c4cfa045cff6173463887dbe09328cc756d11603852beda0b2351584211ecf4ac8bec6e4887ee1591

Download Submit
C:\Windows\swchost.exe

Filesize
211KB

MD5
64ca66395f5861d0fec54628b5c3d0bf

SHA1
966f3cd3fac34f82f0d1b1e6e656f39ace436401

SHA256
e25104400fd19ab4386b124f30232ddb64f4ce5df2c6f073f3f9b5d38fd57042

SHA512
72b8d742b635fa2ebea69b84f92bdbf8fe9ec27e758d7cade8f5508fa3a005201bc78497aa46ac3fbe6db50da41bdc690363470196b833f2ca225e880e526f19

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
c226be46d9945a5e4449fcef69a85c2b

SHA1
bb234e0ae527fcfdb32bd82a1fa6b700117ec481

SHA256
84b3ddecfe525e141999d4441a3b5ea48953ef5de591825941e46e729c8cb054

SHA512
bfcf7861a9d7803e4c4f90e3d65adbf637e15605c0d4bdd0f2d3cb848e8258f7a05603a9ace5adb2f4899c806d33731d56716a249ae02c42d620a77a9f085673

Download Submit
memory/1484-49-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1484-35-0x0000000002440000-0x0000000002470000-memory.dmp

Filesize
192KB

Download
memory/2192-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2192-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2192-24-0x0000000002460000-0x0000000002490000-memory.dmp

Filesize
192KB

Download
memory/2336-12-0x0000000002500000-0x0000000002530000-memory.dmp

Filesize
192KB

Download
memory/2336-50-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2336-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2732-40-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2732-53-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2868-46-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download