95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exe
Size

206KB
MD5

2728f8cbda969fc55ac899fc4d030300
SHA1

9faf3be0dd7dd6b387862606af3022ae9efee8f9
SHA256

95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29
SHA512

54a0293933efeee2651a3f3b0395b9e3eea25870b6cd43be9655d1d3f496a91e6a2803b29326cb7ab22653b92c85fab2fbc9250790181e0544aec6164e25fc0a
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unJ:zvEN2U+T6i5LirrllHy4HUcMQY6i

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid	Process
3892	explorer.exe
1116	spoolsv.exe
2276	svchost.exe
1528	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

spoolsv.exeat.exeat.exe95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exeexplorer.exesvchost.exe

pid	Process
1600	95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exe
1600	95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
2276	svchost.exe
2276	svchost.exe
2276	svchost.exe
2276	svchost.exe
3892	explorer.exe
3892	explorer.exe
2276	svchost.exe
2276	svchost.exe
3892	explorer.exe
3892	explorer.exe
2276	svchost.exe
2276	svchost.exe
3892	explorer.exe
3892	explorer.exe
2276	svchost.exe
2276	svchost.exe
3892	explorer.exe
3892	explorer.exe
2276	svchost.exe
2276	svchost.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
2276	svchost.exe
3892	explorer.exe
2276	svchost.exe
2276	svchost.exe
3892	explorer.exe
3892	explorer.exe
2276	svchost.exe
2276	svchost.exe
3892	explorer.exe
3892	explorer.exe
2276	svchost.exe
2276	svchost.exe
3892	explorer.exe
2276	svchost.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
2276	svchost.exe
2276	svchost.exe
3892	explorer.exe
2276	svchost.exe
3892	explorer.exe
2276	svchost.exe
2276	svchost.exe
3892	explorer.exe
3892	explorer.exe
2276	svchost.exe
3892	explorer.exe
2276	svchost.exe
3892	explorer.exe
2276	svchost.exe
3892	explorer.exe
2276	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid	Process
3892	explorer.exe
2276	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	Process
1600	95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exe
1600	95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exe
3892	explorer.exe
3892	explorer.exe
1116	spoolsv.exe
1116	spoolsv.exe
2276	svchost.exe
2276	svchost.exe
1528	spoolsv.exe
1528	spoolsv.exe
3892	explorer.exe
3892	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exeexplorer.exespoolsv.exesvchost.exe

description	pid	Process	procid_target
PID 1600 wrote to memory of 3892	1600	95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exe	83
PID 1600 wrote to memory of 3892	1600	95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exe	83
PID 1600 wrote to memory of 3892	1600	95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exe	83
PID 3892 wrote to memory of 1116	3892	explorer.exe	84
PID 3892 wrote to memory of 1116	3892	explorer.exe	84
PID 3892 wrote to memory of 1116	3892	explorer.exe	84
PID 1116 wrote to memory of 2276	1116	spoolsv.exe	85
PID 1116 wrote to memory of 2276	1116	spoolsv.exe	85
PID 1116 wrote to memory of 2276	1116	spoolsv.exe	85
PID 2276 wrote to memory of 1528	2276	svchost.exe	86
PID 2276 wrote to memory of 1528	2276	svchost.exe	86
PID 2276 wrote to memory of 1528	2276	svchost.exe	86
PID 2276 wrote to memory of 3708	2276	svchost.exe	87
PID 2276 wrote to memory of 3708	2276	svchost.exe	87
PID 2276 wrote to memory of 3708	2276	svchost.exe	87
PID 2276 wrote to memory of 1332	2276	svchost.exe	105
PID 2276 wrote to memory of 1332	2276	svchost.exe	105
PID 2276 wrote to memory of 1332	2276	svchost.exe	105

C:\Users\Admin\AppData\Local\Temp\95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exe
"C:\Users\Admin\AppData\Local\Temp\95770f512f29e3f16c0bcd44cdddd7efe515c23bdbfb638d3c57ed5cb1ae3b29N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3892
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1528
    - - C:\Windows\SysWOW64\at.exe
        
        at 13:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
    - - C:\Windows\SysWOW64\at.exe
        
        at 13:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
36b4234d9cb60b4eaefb2de35046a21b

SHA1
d8f68a8ec122ea33cbbf3cb755d0f3bcd4c850d4

SHA256
4e7ab8c8c94a90c3b6e25c8ddd2a8935cefee96b6fbc4bedea45369cd02f8c7c

SHA512
f880e2c669ea73f13b6499d891c1a96b587947d22736e13f2cd1ec170c252e754043a92f63b57abe5f329581618533a8b0cf799d97605f71d5156989bffe68db

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
2df1051bd17f28f05d00ee22915672e3

SHA1
883d8b33c4c28985d79ca451d22a718550873d07

SHA256
a5f0153e9a0d011454647cbf1def4584ab3036db3b738766294c8a37b482ad37

SHA512
e34f3908c7d411018fc583a786e7c87a43693e4c0b79753377ec1d044fd75dfcea7f12eba7afda8f389251b9c0b5352c09b5730a03b38d934bd3471c507c1d50

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
4418fd1a3b383d4420896dfd88d405cb

SHA1
6819c37d0c74bc30e838a51155ad7e65a30e3688

SHA256
216c0d6f41d5c8cfc40b96b3db7023e649620e98514733d108341c0facdf861d

SHA512
ac397c508bcf2028c840dd62ac1085b49967c9172df9ec8163bbb3b3bf103d391888690b818e136362f62100c8be272e370382c0d9f643329c88ba54a129ef88

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
206KB

MD5
2839e2362225ad1447d9edc981dfbb7e

SHA1
126acb411f86cf454714f3d6d124da94446a52ab

SHA256
438ecac1c68a20a4fe6112fb0f94dccb3c5d1a6cf527effc9841e56b26cbd32c

SHA512
1821a84cf69e42f2bc1cd998f27598cd81dcb64d41353bfa3a44164e8d7fa3bf522955f3be194a9cadd5b8b0fa9de2f8e9d071707288e4b3573d066d3e9c2c19

Download Submit