b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
Size

206KB
MD5

cc46def2c67d319aec841722dff26c03
SHA1

dcc8f27c4fd27152172ff2bedba3ea5c552248a9
SHA256

b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f
SHA512

a4e08a42cdf1570c4ac16c890bb9c6272b48f0f10126dc566aa715d7400c71e975adc7b5447afa51f1dcd47a6781b3962c56cc80e587ef90c481b5f95a311b03
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJds:/VqoCl/YgjxEufVU0TbTyDDalbs

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
64	explorer.exe
3352	spoolsv.exe
2040	svchost.exe
2660	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe
64	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
64	explorer.exe
2040	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
64	explorer.exe
64	explorer.exe
3352	spoolsv.exe
3352	spoolsv.exe
2040	svchost.exe
2040	svchost.exe
2660	spoolsv.exe
2660	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 64	1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe	88
PID 1516 wrote to memory of 64	1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe	88
PID 1516 wrote to memory of 64	1516	b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe	88
PID 64 wrote to memory of 3352	64	explorer.exe	90
PID 64 wrote to memory of 3352	64	explorer.exe	90
PID 64 wrote to memory of 3352	64	explorer.exe	90
PID 3352 wrote to memory of 2040	3352	spoolsv.exe	91
PID 3352 wrote to memory of 2040	3352	spoolsv.exe	91
PID 3352 wrote to memory of 2040	3352	spoolsv.exe	91
PID 2040 wrote to memory of 2660	2040	svchost.exe	93
PID 2040 wrote to memory of 2660	2040	svchost.exe	93
PID 2040 wrote to memory of 2660	2040	svchost.exe	93

C:\Users\Admin\AppData\Local\Temp\b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
"C:\Users\Admin\AppData\Local\Temp\b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:64
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3352
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2040
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
aabd7896ad61853c22a51aefcb0a411c

SHA1
26558aa496b5f92622e8769d29f0ed2f046d4ba4

SHA256
dd5252b3f267ee3fc15d8a713bedde346201cb8e23d1826a0ccf81e7b67040fa

SHA512
016703213ce768e96d09badeeac62a1e52d223ad426f1d98b990e930d076081d658807afa5656b2ef24a9d57fa64d203027d9b81d9f612d0921715af1972d413

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
207KB

MD5
c495e1da8769ebc51f765d9aa9df04e0

SHA1
92433b3721db7dd43d15f0cfa94b36cd661c015f

SHA256
2984bef1cfbe2451309f34f880c4ef759453cf10c77978a58c5a8c44dbbb47f5

SHA512
d8ad4b092d1536e2ff0961749023be4afe356bc1b3797e87a73c0495d2c01efaf29b9c1c62b4a0a657d84cf79e0f573f24d996bc7ddafae8802527907795f83c

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
206KB

MD5
fca30bfe7c5e3b55269ff6bce89299e2

SHA1
b96bd150b6afecf44cf2d9aad1162447968989c6

SHA256
90a4affcdc84df2b5c37a19d9716e4562bb8cca566c0289bac6a4aad66b6e737

SHA512
f4d86eaae898130de45dae6a581740adf93413a96c54be3a1e77eb3027a9c7e961d7f430771c18add298e94540122eef33349c516489f5fbaad30ca2fb656dc7

Download Submit
memory/1516-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3352-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download