8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
Size

206KB
MD5

6866f46c7116c1edc78a09acb11e0e77
SHA1

e2d6836eb5a222a1087d463094140808758e2718
SHA256

8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820
SHA512

353533dcafe8196ee4fc751f5d4bc28fa23ea6318b809ec6aee74bbd462c9f1434b3b14ab00e608d9eb8be9772701b1b8e1525819c41f670e1a303b76e140e0d
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unv:5vEN2U+T6i5LirrllHy4HUcMQY6E

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1524	explorer.exe
3068	spoolsv.exe
1056	svchost.exe
2724	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2340	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
2340	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
1524	explorer.exe
1524	explorer.exe
3068	spoolsv.exe
3068	spoolsv.exe
1056	svchost.exe
1056	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2340	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
1524	explorer.exe
1524	explorer.exe
1524	explorer.exe
1056	svchost.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe
1524	explorer.exe
1056	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1524	explorer.exe
1056	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2340	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
2340	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
1524	explorer.exe
1524	explorer.exe
3068	spoolsv.exe
3068	spoolsv.exe
1056	svchost.exe
1056	svchost.exe
2724	spoolsv.exe
2724	spoolsv.exe
1524	explorer.exe
1524	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 1524	2340	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe	30
PID 2340 wrote to memory of 1524	2340	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe	30
PID 2340 wrote to memory of 1524	2340	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe	30
PID 2340 wrote to memory of 1524	2340	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe	30
PID 1524 wrote to memory of 3068	1524	explorer.exe	31
PID 1524 wrote to memory of 3068	1524	explorer.exe	31
PID 1524 wrote to memory of 3068	1524	explorer.exe	31
PID 1524 wrote to memory of 3068	1524	explorer.exe	31
PID 3068 wrote to memory of 1056	3068	spoolsv.exe	32
PID 3068 wrote to memory of 1056	3068	spoolsv.exe	32
PID 3068 wrote to memory of 1056	3068	spoolsv.exe	32
PID 3068 wrote to memory of 1056	3068	spoolsv.exe	32
PID 1056 wrote to memory of 2724	1056	svchost.exe	33
PID 1056 wrote to memory of 2724	1056	svchost.exe	33
PID 1056 wrote to memory of 2724	1056	svchost.exe	33
PID 1056 wrote to memory of 2724	1056	svchost.exe	33
PID 1056 wrote to memory of 2688	1056	svchost.exe	34
PID 1056 wrote to memory of 2688	1056	svchost.exe	34
PID 1056 wrote to memory of 2688	1056	svchost.exe	34
PID 1056 wrote to memory of 2688	1056	svchost.exe	34
PID 1056 wrote to memory of 1552	1056	svchost.exe	37
PID 1056 wrote to memory of 1552	1056	svchost.exe	37
PID 1056 wrote to memory of 1552	1056	svchost.exe	37
PID 1056 wrote to memory of 1552	1056	svchost.exe	37
PID 1056 wrote to memory of 2264	1056	svchost.exe	39
PID 1056 wrote to memory of 2264	1056	svchost.exe	39
PID 1056 wrote to memory of 2264	1056	svchost.exe	39
PID 1056 wrote to memory of 2264	1056	svchost.exe	39

C:\Users\Admin\AppData\Local\Temp\8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
"C:\Users\Admin\AppData\Local\Temp\8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1524
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2724
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
147c501f5b4219b5ad2f3124accf4172

SHA1
aaf7209e2b70142c99e2d0c2f1ecc5f5794f6b97

SHA256
2dc449d5d4b948bf7171be29a2f4235abc1ab2906513756d82c7535c9ff9439d

SHA512
c05ff87af2deb0429389a7980d47bd2012123c6a464a727ec34bd527cf08894a58df06651394d7304dfd01c1af2e7d2585f2ed06ef85675bf9537cc633b6094a

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
94b3564e5d3daf125e681e78613b6083

SHA1
9a687a08498fcec84c9c0726fd8302459445f2f0

SHA256
26409ed72c3daa7703135e407c038c3995ca18d6adee925ac822c75cabb759d1

SHA512
57fae85a8dc78cb5b4430dcdea97f2d7ca39588b553741504c5390cd9aa998aa343b0eb6ab5e41daba4bf843ee5589585ebc310046fa2bf311a8172def05baec

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
c409c1de5de162aa49371729d530cbc1

SHA1
b908880b8230c5b2866ce0ce20e65c4f15e53091

SHA256
4d481b8a3611c449c918622272ce72502d9eeffb4db7cdcf98233becaf85006f

SHA512
299155caff149ff652009a096bbb23c25e7d9ddc819edf53ef374dcc35a7bcfae329ecc569269653fc5013957e68e82b90f474587a16def8f2d617115d38c15c

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
a2a63cff554be283cf002ad11bbd010d

SHA1
72d7cf392f7b9bd0383a24bd60057f994530826c

SHA256
53599635183e9ee592a83bcd9f15fcbd6ddfc14a73276dbed64c83d7846b58bd

SHA512
e80c80466c019e76d45cae9fb28f2f922b0b141fd6e8408cdd5f2b27cfada2212b513b67408cd8022c87327169c720110705980e016c8958a8cc4a3741bc95f7

Download Submit
memory/1056-44-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1056-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-59-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-26-0x0000000001DE0000-0x0000000001E20000-memory.dmp

Filesize
256KB

Download
memory/2340-12-0x0000000001E50000-0x0000000001E90000-memory.dmp

Filesize
256KB

Download
memory/2340-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2724-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-40-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/3068-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download