f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 15:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
Size

481KB
MD5

db71037290b469775402cdab66412680
SHA1

b98cc48f9dd47d66a6b3c04af6037d6ec5e99678
SHA256

f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549
SHA512

0ed26e3f3ce703549e15a87c74a1df199c20864ee3ebfba235a548a4bd9034409603bf89a0545d6adaa928f97f7ad1974dd719930c9a6a626b329d7574211f45
SSDEEP

12288:8ENN+T5xYrllrU7QY6RymN80DULxfAxRd:45xolYQY6RyyDWxIxb

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2204	explorer.exe
3028	spoolsv.exe
2716	svchost.exe
2628	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1808	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
1808	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
2204	explorer.exe
2204	explorer.exe
3028	spoolsv.exe
3028	spoolsv.exe
2716	svchost.exe
2716	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1808	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2716	svchost.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe
2204	explorer.exe
2716	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2204	explorer.exe
2716	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1808	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
1808	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
2204	explorer.exe
2204	explorer.exe
3028	spoolsv.exe
3028	spoolsv.exe
2716	svchost.exe
2716	svchost.exe
2628	spoolsv.exe
2628	spoolsv.exe
2204	explorer.exe
2204	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2204	1808	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe	28
PID 1808 wrote to memory of 2204	1808	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe	28
PID 1808 wrote to memory of 2204	1808	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe	28
PID 1808 wrote to memory of 2204	1808	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe	28
PID 2204 wrote to memory of 3028	2204	explorer.exe	29
PID 2204 wrote to memory of 3028	2204	explorer.exe	29
PID 2204 wrote to memory of 3028	2204	explorer.exe	29
PID 2204 wrote to memory of 3028	2204	explorer.exe	29
PID 3028 wrote to memory of 2716	3028	spoolsv.exe	30
PID 3028 wrote to memory of 2716	3028	spoolsv.exe	30
PID 3028 wrote to memory of 2716	3028	spoolsv.exe	30
PID 3028 wrote to memory of 2716	3028	spoolsv.exe	30
PID 2716 wrote to memory of 2628	2716	svchost.exe	31
PID 2716 wrote to memory of 2628	2716	svchost.exe	31
PID 2716 wrote to memory of 2628	2716	svchost.exe	31
PID 2716 wrote to memory of 2628	2716	svchost.exe	31
PID 2716 wrote to memory of 1504	2716	svchost.exe	32
PID 2716 wrote to memory of 1504	2716	svchost.exe	32
PID 2716 wrote to memory of 1504	2716	svchost.exe	32
PID 2716 wrote to memory of 1504	2716	svchost.exe	32
PID 2716 wrote to memory of 1436	2716	svchost.exe	36
PID 2716 wrote to memory of 1436	2716	svchost.exe	36
PID 2716 wrote to memory of 1436	2716	svchost.exe	36
PID 2716 wrote to memory of 1436	2716	svchost.exe	36
PID 2716 wrote to memory of 2828	2716	svchost.exe	38
PID 2716 wrote to memory of 2828	2716	svchost.exe	38
PID 2716 wrote to memory of 2828	2716	svchost.exe	38
PID 2716 wrote to memory of 2828	2716	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
"C:\Users\Admin\AppData\Local\Temp\f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2204
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2628
    - - C:\Windows\SysWOW64\at.exe
        
        at 15:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
    - - C:\Windows\SysWOW64\at.exe
        
        at 15:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
    - - C:\Windows\SysWOW64\at.exe
        
        at 15:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
481KB

MD5
a846d84baf895ba511e5d23d3740f2e9

SHA1
7f7e429687f618ce28c5a497af7be95563f18477

SHA256
9bad144f8175ac36e421e0961448e0936ce4459ca1c7ade48acede98b77a02e8

SHA512
df4722cd18b811862e63c4b90ce5d96977858158b7b55a6863a2d1332fefbe723570989deb74e4bfd3da52d1d75974c13ca13315718c329cce6cb5d80c67043c

Download Submit
\Windows\system\explorer.exe

Filesize
481KB

MD5
980664bb1f7db49d67b90861d26ad5d3

SHA1
57add39e0bb5dff16f17bbd2e5e13519dc1ba5c6

SHA256
cfa3f80c8781c71853e3f78b829656b54306e0deef6668ca5aad72cdfebcfce3

SHA512
b51d1f6b60ce80029c8cb468eb2709404bfed0156386fed4aa7335ab37f6d8161a694d3926e0dd0cef56a365c05c950552ba835dd1a1a5d170ef499059500580

Download Submit
\Windows\system\spoolsv.exe

Filesize
481KB

MD5
15e567c65e99e4f7783ad396c26093fc

SHA1
6d19828666e103f1e9ab7f4337c3fe0d390e6a8a

SHA256
18af8243834ae3d884f9bda68d9df5caf21c3595dc1e82e9421d2240be3359e6

SHA512
4b27b0330c786a901a3e7630072b3158306195ba7a4d9824d664e25ca3ad7183fd004e13088f171c2f0df02c458bcfdb8e50b92c0bbec37dbcc360f013f8fc16

Download Submit
\Windows\system\svchost.exe

Filesize
481KB

MD5
6acb1c17497ee1c16edd6657cb5bf53d

SHA1
dd28fe98c99d1d07c1022a3ff546c17aca0b9973

SHA256
d1566e8ff91d382dbe099d7c289ddacfd6664157749e2873f7e15175591bf047

SHA512
a1ab8d1862e796771e6747118927b4380cdf11551bbdee9187466233d8a79c237eab53777af93f371d530db6501a7b764f7f5fb18d84868addd179f866fbaf5c

Download Submit