9ae45c6f623e455d0b55df900404a14b5c863c0237bd9090a16ef29234a93e2a

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

103d2f146e25bf5328bcb36707f3d285.exe
Size

2.6MB
MD5

103d2f146e25bf5328bcb36707f3d285
SHA1

eb01c07d7091ee6fa1a5f8a551344108a9d238c2
SHA256

9ae45c6f623e455d0b55df900404a14b5c863c0237bd9090a16ef29234a93e2a
SHA512

e1aafcd82a0d797156408955e0357247d93da39b90a50fee1cf670e105f682dd21131f235debce3e2de7c85525c71db0ab984653d791669bd2cd6105dc562a6f
SSDEEP

49152:TeS12nRc6C5CEAHD26ICQVt1ULUQRP6a6YPkCLJ37xbIjNyX5Hxzl/C:6S+c6ZEmqCMtmoQRP6aZtnsNq9l/C

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2072	explorer.exe
2500	spoolsv.exe
2804	svchost.exe
2760	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
1732	103d2f146e25bf5328bcb36707f3d285.exe
2072	explorer.exe
2500	spoolsv.exe
2804	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs

pid	Process
1732	103d2f146e25bf5328bcb36707f3d285.exe
2072	explorer.exe
2500	spoolsv.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
2804	svchost.exe
2072	explorer.exe
2760	spoolsv.exe
2804	svchost.exe
2072	explorer.exe
2804	svchost.exe
2072	explorer.exe
2804	svchost.exe
2072	explorer.exe
2804	svchost.exe
2072	explorer.exe
2804	svchost.exe
2072	explorer.exe
2804	svchost.exe
2072	explorer.exe
2804	svchost.exe
2072	explorer.exe
2804	svchost.exe
2072	explorer.exe
2804	svchost.exe
2072	explorer.exe
2804	svchost.exe
2072	explorer.exe
2804	svchost.exe
2072	explorer.exe
2804	svchost.exe
2072	explorer.exe
2804	svchost.exe
2072	explorer.exe
2804	svchost.exe
2072	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	103d2f146e25bf5328bcb36707f3d285.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
444	schtasks.exe
2472	schtasks.exe
2040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2072	explorer.exe
2072	explorer.exe
2804	svchost.exe
2804	svchost.exe
2072	explorer.exe
2072	explorer.exe
2804	svchost.exe
2804	svchost.exe
2072	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2804	svchost.exe
2072	explorer.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
1732	103d2f146e25bf5328bcb36707f3d285.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2500	spoolsv.exe
2500	spoolsv.exe
2500	spoolsv.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2760	spoolsv.exe
2760	spoolsv.exe
2760	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2072	1732	103d2f146e25bf5328bcb36707f3d285.exe	28
PID 1732 wrote to memory of 2072	1732	103d2f146e25bf5328bcb36707f3d285.exe	28
PID 1732 wrote to memory of 2072	1732	103d2f146e25bf5328bcb36707f3d285.exe	28
PID 1732 wrote to memory of 2072	1732	103d2f146e25bf5328bcb36707f3d285.exe	28
PID 2072 wrote to memory of 2500	2072	explorer.exe	29
PID 2072 wrote to memory of 2500	2072	explorer.exe	29
PID 2072 wrote to memory of 2500	2072	explorer.exe	29
PID 2072 wrote to memory of 2500	2072	explorer.exe	29
PID 2500 wrote to memory of 2804	2500	spoolsv.exe	30
PID 2500 wrote to memory of 2804	2500	spoolsv.exe	30
PID 2500 wrote to memory of 2804	2500	spoolsv.exe	30
PID 2500 wrote to memory of 2804	2500	spoolsv.exe	30
PID 2804 wrote to memory of 2760	2804	svchost.exe	31
PID 2804 wrote to memory of 2760	2804	svchost.exe	31
PID 2804 wrote to memory of 2760	2804	svchost.exe	31
PID 2804 wrote to memory of 2760	2804	svchost.exe	31
PID 2072 wrote to memory of 2580	2072	explorer.exe	32
PID 2072 wrote to memory of 2580	2072	explorer.exe	32
PID 2072 wrote to memory of 2580	2072	explorer.exe	32
PID 2072 wrote to memory of 2580	2072	explorer.exe	32
PID 2804 wrote to memory of 2472	2804	svchost.exe	33
PID 2804 wrote to memory of 2472	2804	svchost.exe	33
PID 2804 wrote to memory of 2472	2804	svchost.exe	33
PID 2804 wrote to memory of 2472	2804	svchost.exe	33
PID 2804 wrote to memory of 2040	2804	svchost.exe	38
PID 2804 wrote to memory of 2040	2804	svchost.exe	38
PID 2804 wrote to memory of 2040	2804	svchost.exe	38
PID 2804 wrote to memory of 2040	2804	svchost.exe	38
PID 2804 wrote to memory of 444	2804	svchost.exe	40
PID 2804 wrote to memory of 444	2804	svchost.exe	40
PID 2804 wrote to memory of 444	2804	svchost.exe	40
PID 2804 wrote to memory of 444	2804	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\103d2f146e25bf5328bcb36707f3d285.exe
"C:\Users\Admin\AppData\Local\Temp\103d2f146e25bf5328bcb36707f3d285.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2072
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2804
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2760
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:49 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2472
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:50 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2040
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:51 /f
        5⤵
        Creates scheduled task(s)
        
        PID:444
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
28576a03b73bab152281f92574f137c3

SHA1
b629f72c876358176f23c6d05829db6ea110f249

SHA256
e3dc494b873d0434d44f4a8434371008f07f9675f357eb23b90176e4f2d1e704

SHA512
e0800276fd3eeecb31842f67db39804a847be1ec167394a6f498491acbaebddcb3fdc13a8d5543f97fdf8053d94eca4fcf58de66e0056fb8f0669658bc1a47f5

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
1.6MB

MD5
0effae322793d50101eef65a348e8ff9

SHA1
a6b486b81c0d058348cfae87329a8874bb64a2c7

SHA256
fc023283fe5fbe7dd3a0c296ed92b32499cbe348d7fd2a4249a6bde462f00dc9

SHA512
a523b81357be325cceb78e74cd49ae41d81913dc6776a9d4ba514a67b9ef4eb18edc31be2b9df8472549f65b18d475ee8b403dd2545ea483e9fd80c5942eb4e1

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
2.3MB

MD5
d23502a62d8d18ecb12d47746a79a897

SHA1
5b4a87d8b34cac764e75e47afb6d4446e317e8f3

SHA256
145998a6ec2115d38d8d273a575ce24ccbeb8d4a49fce55c22eacbeec70d6e48

SHA512
d155756ac667ad80520646c6dee27bac0a9b9c31f6702d96a7aa48f989abde53e582ffc2d578ab11e96cb0ce243afc61b30a0113371f8d21d2870838a417955c

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
2.0MB

MD5
629a371c9aca26338bde237be1fff42c

SHA1
bcb7782e0783f5d47247b633a429bba4e944d18c

SHA256
f2141e4d216bf3d385729547b0c64962c22bc3654ec5b281e980e0d087653904

SHA512
cde82238c878299a6f73f42ba842032c92f10d11c863174574efe268d55b8f987ccf25b334694ee7617b9e33e0bd7a6640bc1b44646eb19b40fb4b547517681f

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
98fa6567e929f8fd40221744e684984d

SHA1
2956576b405d009051e826ed01ef3a4cfd8c9adb

SHA256
7d1e1ceace8d197b7424f0c74a947a1143a0383998f5ce021cc6cc3f427e4f7a

SHA512
41a933e62a8bddaa01072411711f898d86127fff1fb9a4a8e877e87547d501839afc7b7e73c6438c14a1a558fb12b6e4f91bc0b5ad957affad63e37780e3727a

Download Submit
\Windows\Resources\svchost.exe

Filesize
1.4MB

MD5
8e5e5976f4fdabe76fbbcedead2c7699

SHA1
48180fe131f4c08dc945f45ce3a0ff4ef8b453f8

SHA256
4144f743dd7e8a20cef20dd20598c0f62abcc0bb08a8c6f2d15bf7c2b081b6f2

SHA512
a61a8eb7ee54df5796e1594db708197da3b50c30d4d7f2cc72de938c7f730fc1a93ccbdc519533d9a18fc8a78e4077911194c18ea1051f948981a8e9b61d153c

Download Submit
memory/1732-38-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1732-48-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1732-54-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1732-50-0x0000000004190000-0x0000000004AE1000-memory.dmp

Filesize
9.3MB

Download
memory/1732-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1732-0-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2072-64-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2072-74-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2072-60-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2072-82-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2072-66-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2072-24-0x00000000040D0000-0x0000000004A21000-memory.dmp

Filesize
9.3MB

Download
memory/2072-12-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2072-72-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2072-11-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2072-70-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2072-68-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2072-55-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2072-80-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2072-57-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2072-58-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2072-76-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2500-25-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2500-53-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2500-28-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2760-52-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2760-51-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2760-47-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-36-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-69-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-67-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-71-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-65-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-73-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-61-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-75-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-59-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-77-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-79-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-56-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-81-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-40-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2804-83-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download