8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
Size

206KB
MD5

6866f46c7116c1edc78a09acb11e0e77
SHA1

e2d6836eb5a222a1087d463094140808758e2718
SHA256

8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820
SHA512

353533dcafe8196ee4fc751f5d4bc28fa23ea6318b809ec6aee74bbd462c9f1434b3b14ab00e608d9eb8be9772701b1b8e1525819c41f670e1a303b76e140e0d
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unv:5vEN2U+T6i5LirrllHy4HUcMQY6E

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4360	explorer.exe
1876	spoolsv.exe
4884	svchost.exe
3572	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
2012	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4884	svchost.exe
4884	svchost.exe
4884	svchost.exe
4884	svchost.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4884	svchost.exe
4360	explorer.exe
4884	svchost.exe
4360	explorer.exe
4884	svchost.exe
4884	svchost.exe
4360	explorer.exe
4884	svchost.exe
4360	explorer.exe
4360	explorer.exe
4884	svchost.exe
4884	svchost.exe
4884	svchost.exe
4360	explorer.exe
4360	explorer.exe
4884	svchost.exe
4884	svchost.exe
4360	explorer.exe
4360	explorer.exe
4884	svchost.exe
4884	svchost.exe
4360	explorer.exe
4360	explorer.exe
4884	svchost.exe
4884	svchost.exe
4360	explorer.exe
4360	explorer.exe
4884	svchost.exe
4884	svchost.exe
4360	explorer.exe
4360	explorer.exe
4884	svchost.exe
4884	svchost.exe
4360	explorer.exe
4360	explorer.exe
4884	svchost.exe
4884	svchost.exe
4360	explorer.exe
4360	explorer.exe
4884	svchost.exe
4884	svchost.exe
4360	explorer.exe
4360	explorer.exe
4884	svchost.exe
4884	svchost.exe
4360	explorer.exe
4360	explorer.exe
4884	svchost.exe
4884	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4360	explorer.exe
4884	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2012	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
2012	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
4360	explorer.exe
4360	explorer.exe
1876	spoolsv.exe
1876	spoolsv.exe
4884	svchost.exe
4884	svchost.exe
3572	spoolsv.exe
3572	spoolsv.exe
4360	explorer.exe
4360	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 4360	2012	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe	83
PID 2012 wrote to memory of 4360	2012	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe	83
PID 2012 wrote to memory of 4360	2012	8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe	83
PID 4360 wrote to memory of 1876	4360	explorer.exe	84
PID 4360 wrote to memory of 1876	4360	explorer.exe	84
PID 4360 wrote to memory of 1876	4360	explorer.exe	84
PID 1876 wrote to memory of 4884	1876	spoolsv.exe	85
PID 1876 wrote to memory of 4884	1876	spoolsv.exe	85
PID 1876 wrote to memory of 4884	1876	spoolsv.exe	85
PID 4884 wrote to memory of 3572	4884	svchost.exe	86
PID 4884 wrote to memory of 3572	4884	svchost.exe	86
PID 4884 wrote to memory of 3572	4884	svchost.exe	86
PID 4884 wrote to memory of 956	4884	svchost.exe	87
PID 4884 wrote to memory of 956	4884	svchost.exe	87
PID 4884 wrote to memory of 956	4884	svchost.exe	87
PID 4884 wrote to memory of 1860	4884	svchost.exe	105
PID 4884 wrote to memory of 1860	4884	svchost.exe	105
PID 4884 wrote to memory of 1860	4884	svchost.exe	105
PID 4884 wrote to memory of 4588	4884	svchost.exe	107
PID 4884 wrote to memory of 4588	4884	svchost.exe	107
PID 4884 wrote to memory of 4588	4884	svchost.exe	107

C:\Users\Admin\AppData\Local\Temp\8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe
"C:\Users\Admin\AppData\Local\Temp\8234f60cfbfae39174415f9d4abbfc21453f9f31e5548f13636ea9faa0b67820.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4360
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3572
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:956
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
782615dd7453f07d1aa757f5217b86c1

SHA1
2004944f5cbb47a1c4597113297b3a3eb7998358

SHA256
075cf4e22cb34a1430bf959d5ba50eb9ed058568b7db2981b8fd93375466d2e6

SHA512
a590acb3cb4df494d642350bb40f66e7e995ec2cd58ffda35a26becc734bba522712ed630524133e929f6ef4cab864620174580b2894c7106dff65d15247d5ea

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
7c585d6f29c08a67897d5b0047b72dc9

SHA1
8143ce42a6d34890ea6735cf44af2ec6d19a2e84

SHA256
38349f13459467c83e8105be1b20e03ca09264266b0f7e6a6f9013b23e9e08c9

SHA512
2e884bc13e0c3e19f26b7df9515e998a3dc70594ce1ba86b4db2af4e9590f812f769e32aed1f6bed24f80eea5a718fcb4c21ccb03d34152798c18d88bfa5e5f2

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
aa573fafc1cd8a1271c03e88720b49c2

SHA1
739d76225226737c18b59d97e58eeb5a7748c93c

SHA256
65077894f2554482fd2645299925da602417a45e787eac118473142ed4a3492d

SHA512
79b07d64f339868e38a044c752ec2d96c1dc25c2abb3452d340e14a30c9756449a9b334bfb72efdc4b3be8992c0d0541559643376d38e6afe2b27819fd9bfda1

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
b51a7e43f5412d008042e62d573adae8

SHA1
d6b8d0b2c3da7decd66b8f8aa8bfbb2b8ea66b70

SHA256
d11239021c1cc91638dbf0ea446cd441cef2891de7185ed2c8ac4894bd2ddfa1

SHA512
3f831dfdc791f9e36d9c6b97ede16c6b3c40a490b07f6149d0af99747710d4051a32ee6a351514254abcb556c2a883fac5b20a1bd01ba0904ccb8fde829d4953

Download Submit
memory/1876-35-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-34-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-38-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download