f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 15:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
Size

481KB
MD5

db71037290b469775402cdab66412680
SHA1

b98cc48f9dd47d66a6b3c04af6037d6ec5e99678
SHA256

f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549
SHA512

0ed26e3f3ce703549e15a87c74a1df199c20864ee3ebfba235a548a4bd9034409603bf89a0545d6adaa928f97f7ad1974dd719930c9a6a626b329d7574211f45
SSDEEP

12288:8ENN+T5xYrllrU7QY6RymN80DULxfAxRd:45xolYQY6RyyDWxIxb

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3364	explorer.exe
3436	spoolsv.exe
2788	svchost.exe
4288	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3716	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
3716	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
3364	explorer.exe
3364	explorer.exe
3364	explorer.exe
3364	explorer.exe
3364	explorer.exe
3364	explorer.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
3364	explorer.exe
3364	explorer.exe
2788	svchost.exe
2788	svchost.exe
3364	explorer.exe
3364	explorer.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
3364	explorer.exe
3364	explorer.exe
2788	svchost.exe
3364	explorer.exe
3364	explorer.exe
2788	svchost.exe
2788	svchost.exe
3364	explorer.exe
2788	svchost.exe
3364	explorer.exe
2788	svchost.exe
3364	explorer.exe
2788	svchost.exe
2788	svchost.exe
3364	explorer.exe
3364	explorer.exe
2788	svchost.exe
3364	explorer.exe
2788	svchost.exe
3364	explorer.exe
2788	svchost.exe
3364	explorer.exe
2788	svchost.exe
2788	svchost.exe
3364	explorer.exe
2788	svchost.exe
3364	explorer.exe
3364	explorer.exe
2788	svchost.exe
3364	explorer.exe
2788	svchost.exe
3364	explorer.exe
2788	svchost.exe
3364	explorer.exe
2788	svchost.exe
2788	svchost.exe
3364	explorer.exe
2788	svchost.exe
3364	explorer.exe
2788	svchost.exe
3364	explorer.exe
3364	explorer.exe
2788	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2788	svchost.exe
3364	explorer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3716	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
3716	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
3364	explorer.exe
3364	explorer.exe
3436	spoolsv.exe
3436	spoolsv.exe
2788	svchost.exe
2788	svchost.exe
4288	spoolsv.exe
4288	spoolsv.exe
3364	explorer.exe
3364	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 3364	3716	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe	85
PID 3716 wrote to memory of 3364	3716	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe	85
PID 3716 wrote to memory of 3364	3716	f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe	85
PID 3364 wrote to memory of 3436	3364	explorer.exe	86
PID 3364 wrote to memory of 3436	3364	explorer.exe	86
PID 3364 wrote to memory of 3436	3364	explorer.exe	86
PID 3436 wrote to memory of 2788	3436	spoolsv.exe	88
PID 3436 wrote to memory of 2788	3436	spoolsv.exe	88
PID 3436 wrote to memory of 2788	3436	spoolsv.exe	88
PID 2788 wrote to memory of 4288	2788	svchost.exe	89
PID 2788 wrote to memory of 4288	2788	svchost.exe	89
PID 2788 wrote to memory of 4288	2788	svchost.exe	89
PID 2788 wrote to memory of 5016	2788	svchost.exe	90
PID 2788 wrote to memory of 5016	2788	svchost.exe	90
PID 2788 wrote to memory of 5016	2788	svchost.exe	90
PID 2788 wrote to memory of 2036	2788	svchost.exe	96
PID 2788 wrote to memory of 2036	2788	svchost.exe	96
PID 2788 wrote to memory of 2036	2788	svchost.exe	96
PID 2788 wrote to memory of 1272	2788	svchost.exe	99
PID 2788 wrote to memory of 1272	2788	svchost.exe	99
PID 2788 wrote to memory of 1272	2788	svchost.exe	99

C:\Users\Admin\AppData\Local\Temp\f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe
"C:\Users\Admin\AppData\Local\Temp\f4405fa918850cfa4e850aa24e0db1540fc4434a37eb54a4a9adbfae3af2a549N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3716
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3364
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4288
    - - C:\Windows\SysWOW64\at.exe
        
        at 15:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
    - - C:\Windows\SysWOW64\at.exe
        
        at 15:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
    - - C:\Windows\SysWOW64\at.exe
        
        at 15:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
481KB

MD5
32bd1216d8dc24240db9fc1be19f7e1f

SHA1
c4c0a659acf38afbd471f0c614213b9f301769b3

SHA256
b19227c4055ffc95517feedc21f2e234dd783094cbbeeb21b669f6f180e7fc52

SHA512
38bf9bfcd09ad070e1cf9bb32f88858a98391adce0a6df12723d5ce5c055a3b8d9dfaf3c53c9d0be0f9d7812374e5ce332a289dcf9262ee5800e11531067b3ba

Download Submit
C:\Windows\System\explorer.exe

Filesize
481KB

MD5
dfea2c3af2b2bd63e912d33317c891fc

SHA1
af08579b8f07237441542f94c389ec2f8fcd3237

SHA256
6031de78693aed2cdaf04437bee8d21e940e372173ad2a59f1df3d73779119ce

SHA512
05bda33d680f4503af8261de2e703615de0e9fba6960e8d54fb9e377e403a5ec322824a913eb84485db70b503aad55271726ca80df0537a923107984f213f6a6

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
481KB

MD5
2384a64969fa496225bbb8849985bf6f

SHA1
3ea3f58d5894b98d88ece9c2deaabebd471dd6ee

SHA256
4c5b21211a48e212e07131ee8895b5211348dba477ba6d1687ed38ab35454913

SHA512
63ee36c7a39a34a401b3699c7dfdb3686cd560a93836c4aabebe951235c66f7ee6ed65d54399c946a8d0d8cf3cc55636f8c0aa88c4074b781502d5efade8d554

Download Submit
C:\Windows\System\svchost.exe

Filesize
481KB

MD5
68469f892755a92e6bb18adeadc3c355

SHA1
7b5b0ed1f2732c5e62f56044ec4f3ee072297059

SHA256
5bd7ed2836130b5193b154ef4770939dfd7811b0687493be9aa2c9b276209b68

SHA512
21dddeee916a2664f285fe9df39a8c242f70ce4a3efa5c7f8ee6f4cfbbfa0ad303912163795a6e06f51bec0c97a06b596885ac4a77c4ff606afb6ad2193b5ffd

Download Submit