fd13cc1399ef919d4cbc53caa9d6e0e5894b341064b34017671a924b76fb5549

Analysis

max time kernel
10s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 23:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

201ed0eae7d96307b3e5781744f5dee1.exe
Size

2.6MB
MD5

201ed0eae7d96307b3e5781744f5dee1
SHA1

bfe4646f6285347d73edaec3572f4a98e408355f
SHA256

fd13cc1399ef919d4cbc53caa9d6e0e5894b341064b34017671a924b76fb5549
SHA512

649654d8cd2ac3e030d7c9e354169f3e47ae4a03cd88c104399f1bf7130db4e940a26a536fcca8b9872f76e03b0082ed9dd38bc83aae79a47a01a2c23b22f396
SSDEEP

49152:TeS12nRc6C5CEAHD26ICQVt1ULUQRP6a6YPkCLJ37xbIjNyX5Hxzl/i:6S+c6ZEmqCMtmoQRP6aZtnsNq9l/i

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2412	explorer.exe
2804	spoolsv.exe
2832	svchost.exe
2676	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2412	explorer.exe
2804	spoolsv.exe
2832	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2412	explorer.exe
2804	spoolsv.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2832	svchost.exe
2676	spoolsv.exe
2412	explorer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	201ed0eae7d96307b3e5781744f5dee1.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1532	schtasks.exe
1312	schtasks.exe
2468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2148	201ed0eae7d96307b3e5781744f5dee1.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2804	spoolsv.exe
2804	spoolsv.exe
2804	spoolsv.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2676	spoolsv.exe
2676	spoolsv.exe
2676	spoolsv.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2412	2148	201ed0eae7d96307b3e5781744f5dee1.exe	28
PID 2148 wrote to memory of 2412	2148	201ed0eae7d96307b3e5781744f5dee1.exe	28
PID 2148 wrote to memory of 2412	2148	201ed0eae7d96307b3e5781744f5dee1.exe	28
PID 2148 wrote to memory of 2412	2148	201ed0eae7d96307b3e5781744f5dee1.exe	28
PID 2412 wrote to memory of 2804	2412	explorer.exe	29
PID 2412 wrote to memory of 2804	2412	explorer.exe	29
PID 2412 wrote to memory of 2804	2412	explorer.exe	29
PID 2412 wrote to memory of 2804	2412	explorer.exe	29
PID 2804 wrote to memory of 2832	2804	spoolsv.exe	32
PID 2804 wrote to memory of 2832	2804	spoolsv.exe	32
PID 2804 wrote to memory of 2832	2804	spoolsv.exe	32
PID 2804 wrote to memory of 2832	2804	spoolsv.exe	32
PID 2832 wrote to memory of 2676	2832	svchost.exe	31
PID 2832 wrote to memory of 2676	2832	svchost.exe	31
PID 2832 wrote to memory of 2676	2832	svchost.exe	31
PID 2832 wrote to memory of 2676	2832	svchost.exe	31
PID 2412 wrote to memory of 1652	2412	explorer.exe	30
PID 2412 wrote to memory of 1652	2412	explorer.exe	30
PID 2412 wrote to memory of 1652	2412	explorer.exe	30
PID 2412 wrote to memory of 1652	2412	explorer.exe	30
PID 2832 wrote to memory of 1532	2832	svchost.exe	33
PID 2832 wrote to memory of 1532	2832	svchost.exe	33
PID 2832 wrote to memory of 1532	2832	svchost.exe	33
PID 2832 wrote to memory of 1532	2832	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\201ed0eae7d96307b3e5781744f5dee1.exe
"C:\Users\Admin\AppData\Local\Temp\201ed0eae7d96307b3e5781744f5dee1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2412
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:31 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1532
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:32 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1312
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:33 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2468
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:1652

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
47KB

MD5
f3cba6097bd9d108fda94bbe90239691

SHA1
c6611dd402d5ade09df9783a8968fdb2dd480183

SHA256
0ead7eb6530f8ca9f4db72e4fee88cc5efc2caf43eaf98b5f8dedc7f0c4cee63

SHA512
b5591cba672ffda47915beb472f0ae73133b60686b499c76978904103bf13876a9ca438d3b1c14bd9e0ca771a401958213c58e8d7258b37e585be3889fe12a48

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
381KB

MD5
d8095fb782e84f24044a75abfe7a41ab

SHA1
170341335c4b3fa7ef8fe7fac5f751b90b852d8a

SHA256
d6f52a87473a70f9c3bdba5486e528f895697955e7ef81a0da380d0cce0ca755

SHA512
740c3c8a038531da7e5ba279adba291b573800cf46a75899f4ff1574e9ee5411088a4e7491efb0914860eabd02ec80c401663e5cc1da30c515adf7416103b0f8

Download Submit
memory/2148-0-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2148-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2148-11-0x00000000040F0000-0x0000000004A41000-memory.dmp

Filesize
9.3MB

Download
memory/2148-54-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2148-55-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2412-76-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2412-15-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2412-80-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2412-78-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2412-82-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2412-62-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2412-74-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2412-72-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2412-70-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2412-24-0x0000000004030000-0x0000000004981000-memory.dmp

Filesize
9.3MB

Download
memory/2412-13-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2412-68-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2412-66-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2412-64-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2412-56-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2412-58-0x0000000004030000-0x0000000004981000-memory.dmp

Filesize
9.3MB

Download
memory/2412-59-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2676-45-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2676-50-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2676-51-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-53-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2804-26-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2804-28-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2804-52-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2832-42-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2832-65-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2832-69-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2832-67-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2832-71-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2832-61-0x0000000004030000-0x0000000004981000-memory.dmp

Filesize
9.3MB

Download
memory/2832-73-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2832-48-0x0000000004030000-0x0000000004981000-memory.dmp

Filesize
9.3MB

Download
memory/2832-75-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2832-57-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2832-40-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2832-79-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2832-63-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2832-81-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2832-60-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2832-85-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download