b06cce27881341de91512a649f4f2da4cdaa39564908471cf1b7da0bfd86a185

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b06cce27881341de91512a649f4f2da4cdaa39564908471cf1b7da0bfd86a185.exe
Size

206KB
MD5

3bf56052df462205e89848e43c3559c1
SHA1

4b978e84f56aa44f440c0d695feff37ec459d5db
SHA256

b06cce27881341de91512a649f4f2da4cdaa39564908471cf1b7da0bfd86a185
SHA512

16a80876666a9d131c55de2180b695bf0afa33a3eb44394ffd189e3e9ec774ed27aa9d9ff292bf8468a3c82f009ce680d3e6beef7c625e58e2c8e0215e96da12
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unNWMWMWMWMWMWMWMWMWMWMWZ:zvEN2U+T6i5LirrllHy4HUcMQY6j

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2612	explorer.exe
380	spoolsv.exe
4676	svchost.exe
2524	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	b06cce27881341de91512a649f4f2da4cdaa39564908471cf1b7da0bfd86a185.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b06cce27881341de91512a649f4f2da4cdaa39564908471cf1b7da0bfd86a185.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
708	b06cce27881341de91512a649f4f2da4cdaa39564908471cf1b7da0bfd86a185.exe
708	b06cce27881341de91512a649f4f2da4cdaa39564908471cf1b7da0bfd86a185.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
4676	svchost.exe
4676	svchost.exe
4676	svchost.exe
4676	svchost.exe
2612	explorer.exe
2612	explorer.exe
4676	svchost.exe
4676	svchost.exe
2612	explorer.exe
2612	explorer.exe
4676	svchost.exe
4676	svchost.exe
2612	explorer.exe
2612	explorer.exe
4676	svchost.exe
4676	svchost.exe
2612	explorer.exe
2612	explorer.exe
4676	svchost.exe
4676	svchost.exe
2612	explorer.exe
2612	explorer.exe
4676	svchost.exe
4676	svchost.exe
2612	explorer.exe
2612	explorer.exe
4676	svchost.exe
4676	svchost.exe
2612	explorer.exe
2612	explorer.exe
4676	svchost.exe
4676	svchost.exe
2612	explorer.exe
2612	explorer.exe
4676	svchost.exe
4676	svchost.exe
2612	explorer.exe
2612	explorer.exe
4676	svchost.exe
4676	svchost.exe
2612	explorer.exe
2612	explorer.exe
4676	svchost.exe
4676	svchost.exe
2612	explorer.exe
2612	explorer.exe
4676	svchost.exe
4676	svchost.exe
2612	explorer.exe
2612	explorer.exe
4676	svchost.exe
4676	svchost.exe
2612	explorer.exe
2612	explorer.exe
4676	svchost.exe
4676	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2612	explorer.exe
4676	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
708	b06cce27881341de91512a649f4f2da4cdaa39564908471cf1b7da0bfd86a185.exe
708	b06cce27881341de91512a649f4f2da4cdaa39564908471cf1b7da0bfd86a185.exe
2612	explorer.exe
2612	explorer.exe
380	spoolsv.exe
380	spoolsv.exe
4676	svchost.exe
4676	svchost.exe
2524	spoolsv.exe
2524	spoolsv.exe
2612	explorer.exe
2612	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 2612	708	b06cce27881341de91512a649f4f2da4cdaa39564908471cf1b7da0bfd86a185.exe	83
PID 708 wrote to memory of 2612	708	b06cce27881341de91512a649f4f2da4cdaa39564908471cf1b7da0bfd86a185.exe	83
PID 708 wrote to memory of 2612	708	b06cce27881341de91512a649f4f2da4cdaa39564908471cf1b7da0bfd86a185.exe	83
PID 2612 wrote to memory of 380	2612	explorer.exe	84
PID 2612 wrote to memory of 380	2612	explorer.exe	84
PID 2612 wrote to memory of 380	2612	explorer.exe	84
PID 380 wrote to memory of 4676	380	spoolsv.exe	85
PID 380 wrote to memory of 4676	380	spoolsv.exe	85
PID 380 wrote to memory of 4676	380	spoolsv.exe	85
PID 4676 wrote to memory of 2524	4676	svchost.exe	86
PID 4676 wrote to memory of 2524	4676	svchost.exe	86
PID 4676 wrote to memory of 2524	4676	svchost.exe	86
PID 4676 wrote to memory of 4276	4676	svchost.exe	87
PID 4676 wrote to memory of 4276	4676	svchost.exe	87
PID 4676 wrote to memory of 4276	4676	svchost.exe	87
PID 4676 wrote to memory of 5016	4676	svchost.exe	104
PID 4676 wrote to memory of 5016	4676	svchost.exe	104
PID 4676 wrote to memory of 5016	4676	svchost.exe	104
PID 4676 wrote to memory of 2888	4676	svchost.exe	106
PID 4676 wrote to memory of 2888	4676	svchost.exe	106
PID 4676 wrote to memory of 2888	4676	svchost.exe	106

C:\Users\Admin\AppData\Local\Temp\b06cce27881341de91512a649f4f2da4cdaa39564908471cf1b7da0bfd86a185.exe
"C:\Users\Admin\AppData\Local\Temp\b06cce27881341de91512a649f4f2da4cdaa39564908471cf1b7da0bfd86a185.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:708
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2612
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:380
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2524
    - - C:\Windows\SysWOW64\at.exe
        
        at 09:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4276
    - - C:\Windows\SysWOW64\at.exe
        
        at 09:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
    - - C:\Windows\SysWOW64\at.exe
        
        at 09:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
91b2ba9142dc695533b70b6d45f108d8

SHA1
dc1fb13299eba89c8d4d0fd2b843d3b6de109593

SHA256
fbcb491f904e3c1cb52179e86b8410d24f59a44c40a536bb690bd63519237178

SHA512
68ff6857d71cd84bcb1f74b13329cb8585781d998f2109890b23fb1f3cb950b9def6b47f545cb7c0a8b62bc9b9c3907f8654ec26c86e6a481805b6c981e00200

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
1c423171b885ec20edf9d825b58d8bd7

SHA1
8267d6ed7faa54e845c6a4c0735ab84d29684411

SHA256
179fecea3429c418fd9698bbd706b9fec99e3495b427213ebe6a7bf887133c83

SHA512
877954325bff00b2149d99ba0d2c3c06e50ea67bfd553eef9918f3cb2d3d42155a8a3af5554c15e0c57d12f12ab959098bf0d241015d0370e7c1c21591de058e

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
207KB

MD5
47e5bfcf0d81447e122ef5c69a46fb3b

SHA1
d948f146cec87c9e5dcde75174d31a9f7f3c1cd1

SHA256
81ead248d83a7540017045c0a5374cf84b9bc86219a5c3f8855d6090765a64a7

SHA512
8a2c23fa7153a4206a054d5f646bd819402352f12f42e36bcf192ca3e3bfeb4e152334207b717d04034e2cb1316e7b2f580dec0528709eeeb1c76602ee5b1235

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
187435cbb33ef45b84e0873aa8148893

SHA1
c38ac3a269c98cfa5fc93ba7dde71fe310b19077

SHA256
29d3e8bd64b22d5c87369da39acafd627b4fae264d21a6f1c9f06d43cfe06f96

SHA512
11eda2b4485b567a0f2aa661990172fa7ae4fbfae7e272f304caf8f930cf3e631e304fdef38623eb24db0229fc1c6008af9e99db8b43de9c41c7529b708ea12b

Download Submit