caee85b6b5716533b54047c8cd6bbe51589cb1429b54dcf16b613538a1efbc98

Analysis

max time kernel
174s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2024 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45316370c4acf18728aa5363cb7ca861.exe
Size

2.6MB
MD5

45316370c4acf18728aa5363cb7ca861
SHA1

dcacfe812e001b260b0c29e36a4190725b533737
SHA256

caee85b6b5716533b54047c8cd6bbe51589cb1429b54dcf16b613538a1efbc98
SHA512

d81efb8f2fdc1fdcaff49e87ce6923e8f9305240c6330958a7f8949a14ce89b1ae62cb3f8fdb6a2553b834015eafd8445cc0dabff347849cacebdd9285d4fc11
SSDEEP

49152:TeS12nRc6C5CEAHD26ICQVt1ULUQRP6a6YPkCLJ37xbIjNyX5Hxzl/q:6S+c6ZEmqCMtmoQRP6aZtnsNq9l/q

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2580	explorer.exe
4252	spoolsv.exe
1984	svchost.exe
216	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs

pid	Process
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
2580	explorer.exe
4252	spoolsv.exe
2580	explorer.exe
1984	svchost.exe
216	spoolsv.exe
1984	svchost.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
4252	spoolsv.exe
216	spoolsv.exe
2580	explorer.exe
1984	svchost.exe
2580	explorer.exe
1984	svchost.exe
2580	explorer.exe
1984	svchost.exe
2580	explorer.exe
1984	svchost.exe
2580	explorer.exe
1984	svchost.exe
2580	explorer.exe
1984	svchost.exe
2580	explorer.exe
1984	svchost.exe
2580	explorer.exe
1984	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	45316370c4acf18728aa5363cb7ca861.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2580	explorer.exe
1984	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
1648	45316370c4acf18728aa5363cb7ca861.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
4252	spoolsv.exe
4252	spoolsv.exe
4252	spoolsv.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
216	spoolsv.exe
216	spoolsv.exe
216	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2580	1648	45316370c4acf18728aa5363cb7ca861.exe	94
PID 1648 wrote to memory of 2580	1648	45316370c4acf18728aa5363cb7ca861.exe	94
PID 1648 wrote to memory of 2580	1648	45316370c4acf18728aa5363cb7ca861.exe	94
PID 2580 wrote to memory of 4252	2580	explorer.exe	95
PID 2580 wrote to memory of 4252	2580	explorer.exe	95
PID 2580 wrote to memory of 4252	2580	explorer.exe	95
PID 4252 wrote to memory of 1984	4252	spoolsv.exe	96
PID 4252 wrote to memory of 1984	4252	spoolsv.exe	96
PID 4252 wrote to memory of 1984	4252	spoolsv.exe	96
PID 1984 wrote to memory of 216	1984	svchost.exe	97
PID 1984 wrote to memory of 216	1984	svchost.exe	97
PID 1984 wrote to memory of 216	1984	svchost.exe	97

C:\Users\Admin\AppData\Local\Temp\45316370c4acf18728aa5363cb7ca861.exe
"C:\Users\Admin\AppData\Local\Temp\45316370c4acf18728aa5363cb7ca861.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2580
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1984
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
db96fb948310878fc8290e0f2934e2a5

SHA1
fedb5ab12b575f54297da695b77f46c59214983e

SHA256
0a15ab17527c176cd1b4ccdc3c5431c874c930491b74b6e72645759347bcc110

SHA512
aca1105b54bdb5f23a9d4c46eb8393fbec2fde8d2f9b19813c9365576334cbf23b36a12a078e1acc7429736c9d010e21be26727c87feb79961a2e2e6332f6810

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
00b0975267a35710d046effe333ee395

SHA1
6ecf529a8c00643c92dbee57fc3df6086cb95e14

SHA256
9a0d094ac030fcb3058112fc5eee166fca1e6f30c416242d153f1150fad84ff0

SHA512
165266324a062f6113b7d4b9b74a5c956fca3721a3e458c34e07bbe87cb8a945ba71eebf8817f72042f21d373f0c6d9f7ed0c0a391060a40e296f6564163579a

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
41714a5680efd2ebc1639d8bef689220

SHA1
04eed80f5d71efef970fd5a9caa8aed26927deee

SHA256
28aa7e677d0417a7eb1a581a90e55f172257e25df9903b02462d494272607afa

SHA512
5d24d9ab751f2836e40138baa07603bb95bb8fd1bb6f4fbec0f2c476778d33c9acbed3fb820f187ce6f78e16131f3b84d9636d03d03b1566353556fcb8b17375

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
73dbd8c008439623a53f2316d289a6f5

SHA1
2e4697621116f2345fbb9a7133e057f2e6ba13b2

SHA256
2c7a16cc588308b07e7276f9106a1e0c2b698556526c6331b4ab363a87bb4e13

SHA512
e7bf1efbe17b6670134265b531bf0d6381f4811c63cfd551056cc768f7d5b06cf88e888cbd81dce05827d1e9fb8c9118b15b62fe6c30127d5b456fa53dda70b7

Download Submit
memory/216-40-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/216-39-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/216-46-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/216-49-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1648-0-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1648-47-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1648-14-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1648-10-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1648-30-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1648-4-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1648-3-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1648-2-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1648-1-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1984-54-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1984-56-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1984-65-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1984-63-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1984-34-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1984-59-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1984-57-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1984-51-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2580-60-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2580-64-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2580-15-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2580-55-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2580-52-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2580-68-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2580-58-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2580-66-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2580-45-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2580-44-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2580-53-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4252-48-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4252-24-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4252-50-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download