351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exe
Size

67KB
MD5

4851fb73dd894ee82629bc373f8697b3
SHA1

93599608bfe3fdf39b98d854a307b927ef59b5ff
SHA256

351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36
SHA512

c672f1b2f84ad26a7ba27b59b741e15e476588cc09ac711b4b5c280c567150a1c8de3854903d29da80000918d5831598d1a7fcab565748bfa611b0eb7886ee2e
SSDEEP

1536:EgXsfgWQN1kYsRxWTg3PwSWe991Rdolpdz6JAkA4lllllllllllllllllllllllp:1tWYfGATvPe9slp+ApK

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid	Process
1896	explorer.exe
4440	spoolsv.exe
2968	svchost.exe
2280	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

Processes:

spoolsv.exeexplorer.exesvchost.exe351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exe

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeat.exeat.exeat.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exeexplorer.exesvchost.exe

pid	Process
3052	351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exe
3052	351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
1896	explorer.exe
1896	explorer.exe
2968	svchost.exe
2968	svchost.exe
1896	explorer.exe
1896	explorer.exe
2968	svchost.exe
2968	svchost.exe
1896	explorer.exe
1896	explorer.exe
2968	svchost.exe
2968	svchost.exe
1896	explorer.exe
1896	explorer.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
1896	explorer.exe
1896	explorer.exe
2968	svchost.exe
1896	explorer.exe
2968	svchost.exe
1896	explorer.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
1896	explorer.exe
1896	explorer.exe
2968	svchost.exe
1896	explorer.exe
1896	explorer.exe
2968	svchost.exe
2968	svchost.exe
1896	explorer.exe
1896	explorer.exe
2968	svchost.exe
2968	svchost.exe
1896	explorer.exe
1896	explorer.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
1896	explorer.exe
1896	explorer.exe
1896	explorer.exe
2968	svchost.exe
1896	explorer.exe
2968	svchost.exe
2968	svchost.exe
1896	explorer.exe
1896	explorer.exe
2968	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid	Process
1896	explorer.exe
2968	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	Process
3052	351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exe
3052	351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exe
1896	explorer.exe
1896	explorer.exe
4440	spoolsv.exe
4440	spoolsv.exe
2968	svchost.exe
2968	svchost.exe
2280	spoolsv.exe
2280	spoolsv.exe
1896	explorer.exe
1896	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exeexplorer.exespoolsv.exesvchost.exe

description	pid	Process	procid_target
PID 3052 wrote to memory of 1896	3052	351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exe	83
PID 3052 wrote to memory of 1896	3052	351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exe	83
PID 3052 wrote to memory of 1896	3052	351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exe	83
PID 1896 wrote to memory of 4440	1896	explorer.exe	84
PID 1896 wrote to memory of 4440	1896	explorer.exe	84
PID 1896 wrote to memory of 4440	1896	explorer.exe	84
PID 4440 wrote to memory of 2968	4440	spoolsv.exe	85
PID 4440 wrote to memory of 2968	4440	spoolsv.exe	85
PID 4440 wrote to memory of 2968	4440	spoolsv.exe	85
PID 2968 wrote to memory of 2280	2968	svchost.exe	86
PID 2968 wrote to memory of 2280	2968	svchost.exe	86
PID 2968 wrote to memory of 2280	2968	svchost.exe	86
PID 2968 wrote to memory of 2892	2968	svchost.exe	87
PID 2968 wrote to memory of 2892	2968	svchost.exe	87
PID 2968 wrote to memory of 2892	2968	svchost.exe	87
PID 2968 wrote to memory of 1036	2968	svchost.exe	105
PID 2968 wrote to memory of 1036	2968	svchost.exe	105
PID 2968 wrote to memory of 1036	2968	svchost.exe	105
PID 2968 wrote to memory of 4180	2968	svchost.exe	107
PID 2968 wrote to memory of 4180	2968	svchost.exe	107
PID 2968 wrote to memory of 4180	2968	svchost.exe	107

C:\Users\Admin\AppData\Local\Temp\351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exe
"C:\Users\Admin\AppData\Local\Temp\351565b5605e02bbc53b6b299c1e3eae5eb6340f9d6582674600cc561a16eb36.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1896
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2280
    - - C:\Windows\SysWOW64\at.exe
        
        at 21:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
    - - C:\Windows\SysWOW64\at.exe
        
        at 21:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1036
    - - C:\Windows\SysWOW64\at.exe
        
        at 21:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
67KB

MD5
fe725ca9cb014b89667c95d0b0a3928b

SHA1
fc5b313618a5b1ce63d9e8041c3b4043234a1702

SHA256
39930ec4b373def7b02fec36729cf2d7498dd1e158b237c99d0ca19ffbc9a3e5

SHA512
0a2560b5c8376da1744ec66290e6444ca3bf97a1566c6b46efdc4b74ee7a1aea9730395ae0a2e76c0593ddd1fc64858950d52e6f0f6903b52a3ba321c11f0fea

Download Submit
C:\Windows\System\explorer.exe

Filesize
67KB

MD5
cf6a061ba837895468ecfd74f6dad25b

SHA1
6a0764677ae8f148ed5558a8995aab964387dd7f

SHA256
5c70f586efba87704909071281022f232943b755c0994a3b7752aecbb194aaf9

SHA512
4295d762f5eaa7368562717d124bd3e63be8ec66dd494957f1d82137c6c9fa915ec65578816e35ec8daa1b79a9d66aeacedd9b4bbd14c82f58e475b94c407b23

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
67KB

MD5
678d4b7d0c3cb46c855ea9c04b85248d

SHA1
83991d98846366e03f5641751ff254626ddaa9ea

SHA256
0b0c99af6b94e8314f49f4dd152e6f31efa90c2410f85290a8ffeb5205be8256

SHA512
154d2a3229ceb575b96c5bbe0d5ae7d9bd2525618e2ff72c1695e534a25d425e5f6cbff6f65cbd034121cb82677f7da3989113a48ea0abb5260c3a375ecf0754

Download Submit
C:\Windows\System\svchost.exe

Filesize
67KB

MD5
996eb5b06cffc52a270088e1763d13d0

SHA1
b673f704c2146f8b05f867fd070b4162e11248d1

SHA256
ea0b6387afacd9c63486039033dfab5eb33d93f96c14e8b465a011d9a6cda94f

SHA512
b10c26fd20ef77768c5f461ef9e9ad579fbde6cddc1e75ec965e9ca32bcb2e929e40a215eb5f03d83257f6692f4814a738b3f85b902f85bdf9806395c4a67408

Download Submit
memory/1896-75-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1896-61-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1896-13-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1896-16-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1896-14-0x0000000075670000-0x00000000757CD000-memory.dmp

Filesize
1.4MB

Download
memory/2280-46-0x0000000075670000-0x00000000757CD000-memory.dmp

Filesize
1.4MB

Download
memory/2280-52-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2968-37-0x0000000075670000-0x00000000757CD000-memory.dmp

Filesize
1.4MB

Download
memory/2968-62-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2968-42-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3052-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3052-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/3052-41-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/3052-45-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/3052-2-0x0000000075670000-0x00000000757CD000-memory.dmp

Filesize
1.4MB

Download
memory/3052-59-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3052-60-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/3052-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3052-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/4440-26-0x0000000075670000-0x00000000757CD000-memory.dmp

Filesize
1.4MB

Download
memory/4440-25-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4440-56-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4440-30-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download