944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exe
Size

67KB
MD5

f23b574fad39f213858dc68196f18cf4
SHA1

fc90f13de3f4219d2ba60c06f1accb67cac646af
SHA256

944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c
SHA512

0b0c84cd04cc65d34a4f0a6b713ba93bff86e14384e53fd4618484f273f1d8374953b03025f36d3da801d7bb3953f4ae75f61267833c0bdd1acbeb492cd871de
SSDEEP

1536:EgXsfgWQN1kYsRxWTg3PwSWe991Rdolpdz6JAkAG:1tWYfGATvPe9slp+ApG

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid	Process
3368	explorer.exe
1152	spoolsv.exe
5084	svchost.exe
1900	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exeexplorer.exe944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exespoolsv.exe

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exeat.exeat.exeat.exe944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exeexplorer.exesvchost.exe

pid	Process
3204	944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exe
3204	944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
5084	svchost.exe
3368	explorer.exe
3368	explorer.exe
5084	svchost.exe
5084	svchost.exe
5084	svchost.exe
3368	explorer.exe
3368	explorer.exe
5084	svchost.exe
5084	svchost.exe
3368	explorer.exe
3368	explorer.exe
5084	svchost.exe
5084	svchost.exe
3368	explorer.exe
3368	explorer.exe
5084	svchost.exe
5084	svchost.exe
3368	explorer.exe
3368	explorer.exe
5084	svchost.exe
5084	svchost.exe
3368	explorer.exe
3368	explorer.exe
5084	svchost.exe
5084	svchost.exe
3368	explorer.exe
3368	explorer.exe
5084	svchost.exe
5084	svchost.exe
3368	explorer.exe
3368	explorer.exe
5084	svchost.exe
5084	svchost.exe
3368	explorer.exe
3368	explorer.exe
5084	svchost.exe
5084	svchost.exe
3368	explorer.exe
3368	explorer.exe
5084	svchost.exe
5084	svchost.exe
3368	explorer.exe
3368	explorer.exe
5084	svchost.exe
5084	svchost.exe
3368	explorer.exe
3368	explorer.exe
5084	svchost.exe
5084	svchost.exe
3368	explorer.exe
3368	explorer.exe
5084	svchost.exe
5084	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid	Process
3368	explorer.exe
5084	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	Process
3204	944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exe
3204	944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exe
3368	explorer.exe
3368	explorer.exe
1152	spoolsv.exe
1152	spoolsv.exe
5084	svchost.exe
5084	svchost.exe
1900	spoolsv.exe
1900	spoolsv.exe
3368	explorer.exe
3368	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exeexplorer.exespoolsv.exesvchost.exe

description	pid	Process	procid_target
PID 3204 wrote to memory of 3368	3204	944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exe	83
PID 3204 wrote to memory of 3368	3204	944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exe	83
PID 3204 wrote to memory of 3368	3204	944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exe	83
PID 3368 wrote to memory of 1152	3368	explorer.exe	84
PID 3368 wrote to memory of 1152	3368	explorer.exe	84
PID 3368 wrote to memory of 1152	3368	explorer.exe	84
PID 1152 wrote to memory of 5084	1152	spoolsv.exe	85
PID 1152 wrote to memory of 5084	1152	spoolsv.exe	85
PID 1152 wrote to memory of 5084	1152	spoolsv.exe	85
PID 5084 wrote to memory of 1900	5084	svchost.exe	86
PID 5084 wrote to memory of 1900	5084	svchost.exe	86
PID 5084 wrote to memory of 1900	5084	svchost.exe	86
PID 5084 wrote to memory of 2520	5084	svchost.exe	87
PID 5084 wrote to memory of 2520	5084	svchost.exe	87
PID 5084 wrote to memory of 2520	5084	svchost.exe	87
PID 5084 wrote to memory of 4444	5084	svchost.exe	105
PID 5084 wrote to memory of 4444	5084	svchost.exe	105
PID 5084 wrote to memory of 4444	5084	svchost.exe	105
PID 5084 wrote to memory of 2624	5084	svchost.exe	108
PID 5084 wrote to memory of 2624	5084	svchost.exe	108
PID 5084 wrote to memory of 2624	5084	svchost.exe	108

C:\Users\Admin\AppData\Local\Temp\944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exe
"C:\Users\Admin\AppData\Local\Temp\944ce2e2bcee30b2efce0b366bf39e18cc1855bd824e7976db65b1a7779cb54c.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3204
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3368
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1900
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
67KB

MD5
1faba913d419cf27050dfd8d6ae081bc

SHA1
d9472fbef010d8c4fc5b6931eab4bb7105b9932a

SHA256
6daee3c9b09d8036f5e1c1a69772e52c2c2a803f5b2f44003b4eace67fa4a377

SHA512
24022a5b7e42e8bfeab0ce759757c3c0f34231383a15cee80fa6d955a321dd7ef6a24ea9b11eec4755afe4a2513f9f626557702833bca6ecb2f9b87016e61d4b

Download Submit
C:\Windows\System\explorer.exe

Filesize
67KB

MD5
1c4d07e150b6a8f1f62e908e5d9d8372

SHA1
63ec01dfeb7751f2b3723341c248fd1560cdfaa7

SHA256
5fe7468bd677201b88daa972f2007416f54d4200af0fb4560cf5bb31397bace5

SHA512
6b21067d953a20ea9df116596f05b0b541f82b5848462fc682dfe68abc319c242f84a571a6ee86aba1527b5005aa54e09641f7820b7cc1c1755e59867f4d372d

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
67KB

MD5
92f46cf29ede5d4b95330e24fd098acf

SHA1
12e58825fdb18dab6eff52ae7ac624e38f7931c3

SHA256
71d1d503bea6336cf492df0182e4115927e29b7d304098f125e1d0161b68683c

SHA512
434f6c642e5be25242a5eff25d9cfecfbb0addacc737fef77d20b18039b767a5c2fd99066ac7f0658399d92a0f6c57db0fd0ae4b2ac6042e57099516b012a8d8

Download Submit
C:\Windows\System\svchost.exe

Filesize
67KB

MD5
f5f203dd2bfa0c97bd78109bd0655476

SHA1
9b913d04afaa3ebe4515bd9f850df18bf091690e

SHA256
0762aab78411b8437ef32969b37ee88f415b0d1e0863e3bb227c41358eef501a

SHA512
28d1adff62bef26aaf642f4d3f5bc49204170f0f4043fd5aa154205cadad240c79fc044ccfe5146bfd540cf501da798f301cfe397dbbbdfaac126066b1e5c983

Download Submit
memory/1152-23-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1152-28-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/1152-54-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/1152-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1152-24-0x00000000754C0000-0x000000007561D000-memory.dmp

Filesize
1.4MB

Download
memory/1900-43-0x00000000754C0000-0x000000007561D000-memory.dmp

Filesize
1.4MB

Download
memory/1900-47-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1900-50-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3204-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3204-1-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/3204-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3204-58-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/3204-57-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3204-2-0x00000000754C0000-0x000000007561D000-memory.dmp

Filesize
1.4MB

Download
memory/3368-14-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/3368-12-0x00000000754C0000-0x000000007561D000-memory.dmp

Filesize
1.4MB

Download
memory/3368-60-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/3368-61-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3368-73-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5084-40-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/5084-35-0x00000000754C0000-0x000000007561D000-memory.dmp

Filesize
1.4MB

Download
memory/5084-41-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5084-62-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download