c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
Size

135KB
MD5

80fa50927d648aaf6e91d76720af56cc
SHA1

8c26e72ea27529e3407045e3163b39ba1a777279
SHA256

c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb
SHA512

45427fb5de220ff97bb250fa02c4fdf04c70109ce5a3be6d0647b0577466b47391a2fce0e4b633fb80a736f747b3cb3d78207a82fc12fcfbdf93c65049409ac6
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVVKR:UVqoCl/YgjxEufVU0TbTyDDalLKR

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2468	explorer.exe
2576	spoolsv.exe
2688	svchost.exe
2680	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2468	explorer.exe
2576	spoolsv.exe
2688	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2600	schtasks.exe
1800	schtasks.exe
268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2468	explorer.exe
2688	svchost.exe
2688	svchost.exe
2468	explorer.exe
2688	svchost.exe
2468	explorer.exe
2688	svchost.exe
2468	explorer.exe
2688	svchost.exe
2468	explorer.exe
2688	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2468	explorer.exe
2688	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
2468	explorer.exe
2468	explorer.exe
2576	spoolsv.exe
2576	spoolsv.exe
2688	svchost.exe
2688	svchost.exe
2680	spoolsv.exe
2680	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2468	2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe	28
PID 2456 wrote to memory of 2468	2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe	28
PID 2456 wrote to memory of 2468	2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe	28
PID 2456 wrote to memory of 2468	2456	c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe	28
PID 2468 wrote to memory of 2576	2468	explorer.exe	29
PID 2468 wrote to memory of 2576	2468	explorer.exe	29
PID 2468 wrote to memory of 2576	2468	explorer.exe	29
PID 2468 wrote to memory of 2576	2468	explorer.exe	29
PID 2576 wrote to memory of 2688	2576	spoolsv.exe	30
PID 2576 wrote to memory of 2688	2576	spoolsv.exe	30
PID 2576 wrote to memory of 2688	2576	spoolsv.exe	30
PID 2576 wrote to memory of 2688	2576	spoolsv.exe	30
PID 2688 wrote to memory of 2680	2688	svchost.exe	31
PID 2688 wrote to memory of 2680	2688	svchost.exe	31
PID 2688 wrote to memory of 2680	2688	svchost.exe	31
PID 2688 wrote to memory of 2680	2688	svchost.exe	31
PID 2468 wrote to memory of 2696	2468	explorer.exe	32
PID 2468 wrote to memory of 2696	2468	explorer.exe	32
PID 2468 wrote to memory of 2696	2468	explorer.exe	32
PID 2468 wrote to memory of 2696	2468	explorer.exe	32
PID 2688 wrote to memory of 2600	2688	svchost.exe	33
PID 2688 wrote to memory of 2600	2688	svchost.exe	33
PID 2688 wrote to memory of 2600	2688	svchost.exe	33
PID 2688 wrote to memory of 2600	2688	svchost.exe	33
PID 2688 wrote to memory of 1800	2688	svchost.exe	38
PID 2688 wrote to memory of 1800	2688	svchost.exe	38
PID 2688 wrote to memory of 1800	2688	svchost.exe	38
PID 2688 wrote to memory of 1800	2688	svchost.exe	38
PID 2688 wrote to memory of 268	2688	svchost.exe	40
PID 2688 wrote to memory of 268	2688	svchost.exe	40
PID 2688 wrote to memory of 268	2688	svchost.exe	40
PID 2688 wrote to memory of 268	2688	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe
"C:\Users\Admin\AppData\Local\Temp\c5227b37fb633730ff54db4da6178cca87ec5b84b2446ada8384fbe4a344c5eb.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2468
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2688
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2680
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:57 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2600
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:58 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1800
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:59 /f
        5⤵
        Creates scheduled task(s)
        
        PID:268
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
e429f458f5cbd7c910b2d2a13e65e31d

SHA1
371a9df2c7371170d90ba912b790d929e8ad74a0

SHA256
ad75981140bdb0f9499f7a45b086d1aca8b54c21f899204eb4d34cb4cae819d2

SHA512
c07a19c98e4a040b66e6a36abe108771a3c660d137f3bf05afc66bfdc3a4bfc825c31a3558ace69fa891235e6d075845927eaab4a2b71ff9f3212844c40a3e46

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
d368e37f8feff964d321d014e0647bdb

SHA1
b49eda596cf6758459109603d73591199cfca21c

SHA256
364142a3328913ca275cec954bd6f3eb3a49d3b7e2792026f717a8f49cf77a1c

SHA512
84baa3cfc319619caabf36df724a497369d0dc2d88969b3f93e24289c25ebb84d826b83ce5982764c285a31f5978316af8d4211397ca2868b1300f22ce8e1a4a

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
c1def31078162d5eb32c8150f4599b98

SHA1
f6e89566651007f4025ce9190793528fbe4ae7e1

SHA256
84734eba6e09e12dfd495f9e4a39a3b8e9b497eb57166a6eaaccd4d494578431

SHA512
3e794386816a991ef92ade572b32d8de5384869d0c1fdb799a91b1754928607409f58c68349906088e4ae4e05104c888792be9fb12a57e2a5b2470673f05a93e

Download Submit
memory/2456-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2456-9-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/2456-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2576-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2680-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2688-37-0x0000000000460000-0x000000000047F000-memory.dmp

Filesize
124KB

Download