2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f

General

Target

2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exe
Size

206KB
MD5

28458738ba1c9a40fc2a2d52ed94ea6d
SHA1

2cee0297a1575c9b149fb94d9082abe084266983
SHA256

2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f
SHA512

a903141ab0d994c02a3e822c95a12eef01bfcdbacf21c8e43e766145f5d14366c622f924ab6d8fb8597caccb5d3b5db35daf873f1c1d4483cd2efd91f57f686e
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6un1:zvEN2U+T6i5LirrllHy4HUcMQY6i

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2816 explorer.exe
5056 spoolsv.exe
2676 svchost.exe
2552 spoolsv.exe

pid	process
2816	explorer.exe
5056	spoolsv.exe
2676	svchost.exe
2552	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeat.exeat.exeat.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exeexplorer.exesvchost.exe

pid	process
4892	2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exe
4892	2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2676	svchost.exe
2676	svchost.exe
2676	svchost.exe
2676	svchost.exe
2816	explorer.exe
2816	explorer.exe
2676	svchost.exe
2676	svchost.exe
2816	explorer.exe
2816	explorer.exe
2676	svchost.exe
2676	svchost.exe
2816	explorer.exe
2816	explorer.exe
2676	svchost.exe
2676	svchost.exe
2816	explorer.exe
2816	explorer.exe
2676	svchost.exe
2676	svchost.exe
2816	explorer.exe
2816	explorer.exe
2676	svchost.exe
2676	svchost.exe
2816	explorer.exe
2816	explorer.exe
2676	svchost.exe
2676	svchost.exe
2816	explorer.exe
2816	explorer.exe
2676	svchost.exe
2676	svchost.exe
2816	explorer.exe
2816	explorer.exe
2676	svchost.exe
2676	svchost.exe
2816	explorer.exe
2816	explorer.exe
2676	svchost.exe
2676	svchost.exe
2816	explorer.exe
2816	explorer.exe
2676	svchost.exe
2676	svchost.exe
2816	explorer.exe
2816	explorer.exe
2676	svchost.exe
2676	svchost.exe
2816	explorer.exe
2816	explorer.exe
2676	svchost.exe
2676	svchost.exe
2816	explorer.exe
2816	explorer.exe
2676	svchost.exe
2676	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2816 explorer.exe
2676 svchost.exe

pid	process
2816	explorer.exe
2676	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
4892	2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exe
4892	2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exe
2816	explorer.exe
2816	explorer.exe
5056	spoolsv.exe
5056	spoolsv.exe
2676	svchost.exe
2676	svchost.exe
2552	spoolsv.exe
2552	spoolsv.exe
2816	explorer.exe
2816	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 4892 wrote to memory of 2816	4892	2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exe	explorer.exe
PID 4892 wrote to memory of 2816	4892	2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exe	explorer.exe
PID 4892 wrote to memory of 2816	4892	2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exe	explorer.exe
PID 2816 wrote to memory of 5056	2816	explorer.exe	spoolsv.exe
PID 2816 wrote to memory of 5056	2816	explorer.exe	spoolsv.exe
PID 2816 wrote to memory of 5056	2816	explorer.exe	spoolsv.exe
PID 5056 wrote to memory of 2676	5056	spoolsv.exe	svchost.exe
PID 5056 wrote to memory of 2676	5056	spoolsv.exe	svchost.exe
PID 5056 wrote to memory of 2676	5056	spoolsv.exe	svchost.exe
PID 2676 wrote to memory of 2552	2676	svchost.exe	spoolsv.exe
PID 2676 wrote to memory of 2552	2676	svchost.exe	spoolsv.exe
PID 2676 wrote to memory of 2552	2676	svchost.exe	spoolsv.exe
PID 2676 wrote to memory of 5096	2676	svchost.exe	at.exe
PID 2676 wrote to memory of 5096	2676	svchost.exe	at.exe
PID 2676 wrote to memory of 5096	2676	svchost.exe	at.exe
PID 2676 wrote to memory of 4112	2676	svchost.exe	at.exe
PID 2676 wrote to memory of 4112	2676	svchost.exe	at.exe
PID 2676 wrote to memory of 4112	2676	svchost.exe	at.exe
PID 2676 wrote to memory of 2572	2676	svchost.exe	at.exe
PID 2676 wrote to memory of 2572	2676	svchost.exe	at.exe
PID 2676 wrote to memory of 2572	2676	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exe
"C:\Users\Admin\AppData\Local\Temp\2a1274a40d58767f3caabf866c034d00fa8c764c5aac8a11b15b8712f51fa32f.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4892
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2816
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2552
    - - C:\Windows\SysWOW64\at.exe
        
        at 21:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
    - - C:\Windows\SysWOW64\at.exe
        
        at 21:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4112
    - - C:\Windows\SysWOW64\at.exe
        
        at 21:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
207KB

MD5
0c024de2ba8088e0cd11516d90ca0795

SHA1
bca17fec782b13f6372ed4f39f2aa1591b1a1bf3

SHA256
f7ba73641e9703e45389b791f3cb655ee3f72aba895880a8f85325df4312ac1f

SHA512
411175c029fb51fac708836c44ef7cb038e6d1d2c81732f72d5210572c8503a28aadf1f9d2cf5a02bda6189526a596e1acff9d36c4116a093a87484e1cbb0561

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
0d17ecdf3302096010a112c89ca402fb

SHA1
e50004aee86925cd8db968a3866422c4b3c44c3d

SHA256
73954b3b4dacc4c564e330674c2f7a7d9e6e1ce24391df9a49cf41a6eaef1e1b

SHA512
72adcaa884d6b5ac8008b100e5012bc639fe23f7d87bab5f12784ab5744a886a097edc79558bf297e63f864e36f5c1125148182f26263e2de6d99e1ed8dd6e16

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
051d3ee48a337de2559eee498c7f4dd0

SHA1
d0be8a6dee97fa94b0a908f5fdd9c990a836aa6b

SHA256
4fe799ce5dd3c51978517b0ade1743228eba181cb274556e70a9b110d0a52f12

SHA512
3f13f3781a3a6b8e723df7e3c3f2a304128bc6e84abfec20c492b01bb1d84b3dfbcaf5a65a0dbf9a836221c30c84c42e163fd0869a47a59042491c785b39d937

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
2a5eeb00b54b69bab3571467e52c1960

SHA1
c2034cb53f3614c158ae073c396298f3168cc873

SHA256
63dfc18c0eb855e9d8ed66c9e7294bdd3fbee35cd33219d2d33c101f654d57c0

SHA512
e056bc0c92dc934b047dac61df76838ca590bfe3e8e8a461f15c89fa1c65f9a97f2f383af96e228b6a0980d01cca789012e089f69109c7b7e6d221c504158394

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads