bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
Size

135KB
MD5

1e0ee1f883b737358b779734a99007f3
SHA1

dceab1a01b2c6aaf5232d7bcbad56e75d2ae89f2
SHA256

bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7
SHA512

ab6d5f24dae7e942f49c5f61e3c27ca6a0e1291007fc80fa4b116cafba0783d39963e84050ac661d63161c8ada049769636217da1163acda2cca197e949ae5a3
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVCME:UVqoCl/YgjxEufVU0TbTyDDal3E

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4332	explorer.exe
2824	spoolsv.exe
4368	svchost.exe
2160	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4332	explorer.exe
4368	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
4332	explorer.exe
4332	explorer.exe
2824	spoolsv.exe
2824	spoolsv.exe
4368	svchost.exe
4368	svchost.exe
2160	spoolsv.exe
2160	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 4332	4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe	89
PID 4860 wrote to memory of 4332	4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe	89
PID 4860 wrote to memory of 4332	4860	bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe	89
PID 4332 wrote to memory of 2824	4332	explorer.exe	91
PID 4332 wrote to memory of 2824	4332	explorer.exe	91
PID 4332 wrote to memory of 2824	4332	explorer.exe	91
PID 2824 wrote to memory of 4368	2824	spoolsv.exe	92
PID 2824 wrote to memory of 4368	2824	spoolsv.exe	92
PID 2824 wrote to memory of 4368	2824	spoolsv.exe	92
PID 4368 wrote to memory of 2160	4368	svchost.exe	93
PID 4368 wrote to memory of 2160	4368	svchost.exe	93
PID 4368 wrote to memory of 2160	4368	svchost.exe	93

C:\Users\Admin\AppData\Local\Temp\bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe
"C:\Users\Admin\AppData\Local\Temp\bcdc33e3abb923706f104085c46f6c72b6917c677b966003a5163e847b732ec7.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4860
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4332
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4368
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
374b3c50ce6df6d532baffce8e7a494d

SHA1
61c8e5f74d14f6041e64c81807e6b7ea5847204a

SHA256
445cc2ead2bafc2e53068d27981d1c3d1de21bc02bce089e281436897d1d887b

SHA512
bb6b43a789ed8bdea5fa14186ea37876cb58a6976922d65a747c74a769b7ebb1f15c2139c3a15d58b86dab24875047d4283829dd17768d0fe47795ebb2aaeefd

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
5e2b00453b541f5d887c6c58ba168139

SHA1
0d031e5d4c6bcb7641589de14156260a8440bf05

SHA256
ed12f66e097b549674b779874c284de862b3f43e0627caaebdf0e2f444555abd

SHA512
f01ea2c91fddb3a5c1bebcb1bf60aa635862486b65feb9cb2c786f3f64c2ce5c60569c5144c3cffa5e13fa4e8ae3ee3b3905bb8f14eabe556f1358da3bffe06a

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
af250912f26c866b3f356bd56e59b05e

SHA1
04f7a6ab27dda418b9892ecaf963ae51726dd3a9

SHA256
c5530b2fdc4c57575c33f0098ed7cdfa3279a932d3b9f4ad50875954ef3f2b42

SHA512
4b52b841d0a4ee7f950b5264988a6e584d466669c8ecb79748c67fe62d6fdfb19e1946ef43d8a612cbcd1b9bb18e1aa75f58efe92a0114072cbd672f71288a9e

Download Submit
memory/2160-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2824-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4860-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4860-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download