d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
Size

206KB
MD5

9f9eb1d413db97ce17f5e0719de171ed
SHA1

dcd68fc17e73f37becb6671a7dd79d896cb647ea
SHA256

d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314
SHA512

3cd82e449c02b7ca181efe68e6d7a3e271ef00dceb44b83280ef3f61b22ea9c85ddb5f82e222be35a0f2e1b1300fe7609728bea69e745f2cc71aac08c59e44a6
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJd9:/VqoCl/YgjxEufVU0TbTyDDalb9

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1748	explorer.exe
2932	spoolsv.exe
2832	svchost.exe
2608	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1748	explorer.exe
1748	explorer.exe
2932	spoolsv.exe
2932	spoolsv.exe
2832	svchost.exe
2832	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2472	schtasks.exe
2512	schtasks.exe
1536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
2832	svchost.exe
2832	svchost.exe
1748	explorer.exe
2832	svchost.exe
1748	explorer.exe
2832	svchost.exe
1748	explorer.exe
2832	svchost.exe
1748	explorer.exe
2832	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1748	explorer.exe
2832	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
1748	explorer.exe
1748	explorer.exe
2932	spoolsv.exe
2932	spoolsv.exe
2832	svchost.exe
2832	svchost.exe
2608	spoolsv.exe
2608	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 1748	1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe	28
PID 1280 wrote to memory of 1748	1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe	28
PID 1280 wrote to memory of 1748	1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe	28
PID 1280 wrote to memory of 1748	1280	d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe	28
PID 1748 wrote to memory of 2932	1748	explorer.exe	29
PID 1748 wrote to memory of 2932	1748	explorer.exe	29
PID 1748 wrote to memory of 2932	1748	explorer.exe	29
PID 1748 wrote to memory of 2932	1748	explorer.exe	29
PID 2932 wrote to memory of 2832	2932	spoolsv.exe	30
PID 2932 wrote to memory of 2832	2932	spoolsv.exe	30
PID 2932 wrote to memory of 2832	2932	spoolsv.exe	30
PID 2932 wrote to memory of 2832	2932	spoolsv.exe	30
PID 2832 wrote to memory of 2608	2832	svchost.exe	31
PID 2832 wrote to memory of 2608	2832	svchost.exe	31
PID 2832 wrote to memory of 2608	2832	svchost.exe	31
PID 2832 wrote to memory of 2608	2832	svchost.exe	31
PID 1748 wrote to memory of 2568	1748	explorer.exe	32
PID 1748 wrote to memory of 2568	1748	explorer.exe	32
PID 1748 wrote to memory of 2568	1748	explorer.exe	32
PID 1748 wrote to memory of 2568	1748	explorer.exe	32
PID 2832 wrote to memory of 2472	2832	svchost.exe	33
PID 2832 wrote to memory of 2472	2832	svchost.exe	33
PID 2832 wrote to memory of 2472	2832	svchost.exe	33
PID 2832 wrote to memory of 2472	2832	svchost.exe	33
PID 2832 wrote to memory of 2512	2832	svchost.exe	38
PID 2832 wrote to memory of 2512	2832	svchost.exe	38
PID 2832 wrote to memory of 2512	2832	svchost.exe	38
PID 2832 wrote to memory of 2512	2832	svchost.exe	38
PID 2832 wrote to memory of 1536	2832	svchost.exe	40
PID 2832 wrote to memory of 1536	2832	svchost.exe	40
PID 2832 wrote to memory of 1536	2832	svchost.exe	40
PID 2832 wrote to memory of 1536	2832	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
"C:\Users\Admin\AppData\Local\Temp\d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1748
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2832
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2608
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:37 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2472
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:38 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2512
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:39 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1536
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
acc84a146870d4937a163c349e9441a3

SHA1
75efd9ca224d93eaf219e366c621654478f26983

SHA256
a8c611e9a359f7bd34ea1e9fb8aa2d42dbff8d64bc151bf771af46e985a9f23e

SHA512
5972b0c014bf83120b24674352b21eeca67720d7688d859b506ab993f5173cb158e28a78c9c7b0be4aeb86166977ffb5f064610a68e2b8bd69026e22d7dab01a

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
206KB

MD5
f1c12901461382aba906d06c88d4fc3f

SHA1
9e540660435024adb5e654955d33a7d8b22d7e86

SHA256
78d33b34a96e62d177443272f54de0482edc12d59bb5aca0f622ef2f5d8bef2b

SHA512
eb2a615ae4bc4c386a83f9c91ba3b3ab1b8354badf53160cc8d97f95728855eb9aaafc9104201fad9460cd12d6ef910aa761a52a0e994fbe5110b6aed90b472c

Download Submit
\Windows\Resources\svchost.exe

Filesize
206KB

MD5
037d2917d1ef05f9b568bfeff8432798

SHA1
9e5ebd27983d7061688de3a7a1dce2fedfd23ecb

SHA256
91de99486559ec681649eefcc4c8cfdd0e3316cab63cc1cea3ecbb0afd6306f6

SHA512
9d312363060641ce8bf1db29f65d0633c22480f495eccbe626e738de7661352f1179dc4d2f2eaeaa96ba2fe73d8e6687b991379f01cff403a05d0410e9cfd973

Download Submit
memory/1280-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1280-13-0x0000000000240000-0x000000000026F000-memory.dmp

Filesize
188KB

Download
memory/1280-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-50-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-51-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download