bd1a6b1ef69a1f618af1f4e06b28b218ad726ef400eca8d535040227a99d82f3

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd1a6b1ef69a1f618af1f4e06b28b218ad726ef400eca8d535040227a99d82f3N.exe
Size

206KB
MD5

b64e67781bfecfbaa723385fd95fbae0
SHA1

961f3b693a11bf2df43da0998f9cdb06a712a11b
SHA256

bd1a6b1ef69a1f618af1f4e06b28b218ad726ef400eca8d535040227a99d82f3
SHA512

a8433780712e723c5486d5a9ee9f001998ac397ada0776f8d786f4a4ee0f3c77c2d4b3bb282a4ab19793dfb0ddb7b259a0d38d219dfff2fe1d98ea734fcbfb25
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unkw:zvEN2U+T6i5LirrllHy4HUcMQY6k

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3412	explorer.exe
3588	spoolsv.exe
3456	svchost.exe
3104	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	bd1a6b1ef69a1f618af1f4e06b28b218ad726ef400eca8d535040227a99d82f3N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd1a6b1ef69a1f618af1f4e06b28b218ad726ef400eca8d535040227a99d82f3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	bd1a6b1ef69a1f618af1f4e06b28b218ad726ef400eca8d535040227a99d82f3N.exe
2236	bd1a6b1ef69a1f618af1f4e06b28b218ad726ef400eca8d535040227a99d82f3N.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3456	svchost.exe
3456	svchost.exe
3456	svchost.exe
3456	svchost.exe
3412	explorer.exe
3412	explorer.exe
3456	svchost.exe
3456	svchost.exe
3412	explorer.exe
3412	explorer.exe
3456	svchost.exe
3456	svchost.exe
3412	explorer.exe
3412	explorer.exe
3456	svchost.exe
3456	svchost.exe
3412	explorer.exe
3412	explorer.exe
3456	svchost.exe
3456	svchost.exe
3412	explorer.exe
3412	explorer.exe
3456	svchost.exe
3456	svchost.exe
3412	explorer.exe
3412	explorer.exe
3456	svchost.exe
3456	svchost.exe
3412	explorer.exe
3412	explorer.exe
3456	svchost.exe
3456	svchost.exe
3412	explorer.exe
3412	explorer.exe
3456	svchost.exe
3456	svchost.exe
3412	explorer.exe
3412	explorer.exe
3456	svchost.exe
3456	svchost.exe
3412	explorer.exe
3412	explorer.exe
3456	svchost.exe
3456	svchost.exe
3412	explorer.exe
3412	explorer.exe
3456	svchost.exe
3456	svchost.exe
3412	explorer.exe
3412	explorer.exe
3456	svchost.exe
3456	svchost.exe
3412	explorer.exe
3412	explorer.exe
3456	svchost.exe
3456	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3456	svchost.exe
3412	explorer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2236	bd1a6b1ef69a1f618af1f4e06b28b218ad726ef400eca8d535040227a99d82f3N.exe
2236	bd1a6b1ef69a1f618af1f4e06b28b218ad726ef400eca8d535040227a99d82f3N.exe
3412	explorer.exe
3412	explorer.exe
3588	spoolsv.exe
3588	spoolsv.exe
3456	svchost.exe
3456	svchost.exe
3104	spoolsv.exe
3104	spoolsv.exe
3412	explorer.exe
3412	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 3412	2236	bd1a6b1ef69a1f618af1f4e06b28b218ad726ef400eca8d535040227a99d82f3N.exe	83
PID 2236 wrote to memory of 3412	2236	bd1a6b1ef69a1f618af1f4e06b28b218ad726ef400eca8d535040227a99d82f3N.exe	83
PID 2236 wrote to memory of 3412	2236	bd1a6b1ef69a1f618af1f4e06b28b218ad726ef400eca8d535040227a99d82f3N.exe	83
PID 3412 wrote to memory of 3588	3412	explorer.exe	84
PID 3412 wrote to memory of 3588	3412	explorer.exe	84
PID 3412 wrote to memory of 3588	3412	explorer.exe	84
PID 3588 wrote to memory of 3456	3588	spoolsv.exe	85
PID 3588 wrote to memory of 3456	3588	spoolsv.exe	85
PID 3588 wrote to memory of 3456	3588	spoolsv.exe	85
PID 3456 wrote to memory of 3104	3456	svchost.exe	86
PID 3456 wrote to memory of 3104	3456	svchost.exe	86
PID 3456 wrote to memory of 3104	3456	svchost.exe	86
PID 3456 wrote to memory of 4892	3456	svchost.exe	87
PID 3456 wrote to memory of 4892	3456	svchost.exe	87
PID 3456 wrote to memory of 4892	3456	svchost.exe	87
PID 3456 wrote to memory of 408	3456	svchost.exe	106
PID 3456 wrote to memory of 408	3456	svchost.exe	106
PID 3456 wrote to memory of 408	3456	svchost.exe	106

C:\Users\Admin\AppData\Local\Temp\bd1a6b1ef69a1f618af1f4e06b28b218ad726ef400eca8d535040227a99d82f3N.exe
"C:\Users\Admin\AppData\Local\Temp\bd1a6b1ef69a1f618af1f4e06b28b218ad726ef400eca8d535040227a99d82f3N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3412
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3104
    - - C:\Windows\SysWOW64\at.exe
        
        at 15:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
    - - C:\Windows\SysWOW64\at.exe
        
        at 15:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
207KB

MD5
3c2c4663f24214edd7b2b3cfea6981d7

SHA1
0c465d3882f9135da10a1e15533e0e5d51111091

SHA256
e803410b861df165f9e21b658e9eeb4b77adc2434606037621e94ff61d6eb85c

SHA512
3054ad5c53e923eae3330d3dc767ae8e14fd747e6ec371f371b2d761719384d8509006e055d3c0514f171be2064eba897eabca4a0f03f119bd2fb2b561c1396e

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
6c3c8a9a2f89fc79e710d0a6840f2e81

SHA1
3654d0b8d14b60402cc356aeadb5142e5079324c

SHA256
6fe9dbf4a610ce9f68d3231e227ed5fec11534bb015009c9c417a44315c29211

SHA512
9a4c8b0f0f23f36119a7e46c61ecbd370856629adef588ddfa5fa1e32888ddce90c842fe0f994f40b8cab6c067b9514fd0834aff1a02355396c64e22e18fa30e

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
157edfd71733978b4ae93ab47c3bc0f5

SHA1
f5cb6813583646bf6d1a60a50ad3aecdeec89c31

SHA256
8e0a9b93c89a9a7eaf83117743a4eb461bf9b36d1c26b97169e3ffda1d49a54a

SHA512
57394eb2cadf9cbde6e269266d878b7d2bfa0f459eaf81082c8d01706eaaf6eec673d8e03817fcfbb36f169a7ab68ae3b2839e5d9574e4a49af30855728ee841

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
b13ec3670d4496e1414bac4b50700c29

SHA1
902e1d2d2a0219f8b64e156b86a80c9a3330da82

SHA256
c4fc3dbb6960b56883b27889638a4c6906d95a5626eb1304d8e9de50db265e80

SHA512
64c51e17c040303d18b26f59c2a162e01681f8387463ebf0c26bebc21e6408d7f089a50de384b12930411c0299a7d31299306cd6cdf19fa76a3972f8ba70921c

Download Submit