75e06033c5addd275ebd3d5a078d7a36143ab8fd4035864bccfb8e07d53493f2

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 05:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c514d6be438959884519abd5d83a1971.exe
Size

2.6MB
MD5

c514d6be438959884519abd5d83a1971
SHA1

ec0b968c127e88d9a57fd3816684b9ad8502f5b9
SHA256

75e06033c5addd275ebd3d5a078d7a36143ab8fd4035864bccfb8e07d53493f2
SHA512

e8038cde38e8ba865a92cfb2953431c4d7fbfeddf9d6b90f538d2c10df21d02803e23bf3e6e5de02d1447cba2979c0e6cb671fcca0b3f1a0d74ae359b978e13a
SSDEEP

49152:TeS12nRc6C5CEAHD26ICQVt1ULUQRP6a6YPkCLJ37xbIjNyX5Hxzl/e:6S+c6ZEmqCMtmoQRP6aZtnsNq9l/e

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
3032	explorer.exe
2524	spoolsv.exe
2700	svchost.exe
2772	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
1888	c514d6be438959884519abd5d83a1971.exe
3032	explorer.exe
2524	spoolsv.exe
2700	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs

pid	Process
1888	c514d6be438959884519abd5d83a1971.exe
3032	explorer.exe
2524	spoolsv.exe
2700	svchost.exe
2772	spoolsv.exe
2524	spoolsv.exe
3032	explorer.exe
2700	svchost.exe
3032	explorer.exe
2700	svchost.exe
3032	explorer.exe
2700	svchost.exe
3032	explorer.exe
2700	svchost.exe
3032	explorer.exe
2700	svchost.exe
3032	explorer.exe
2700	svchost.exe
3032	explorer.exe
2700	svchost.exe
3032	explorer.exe
2700	svchost.exe
3032	explorer.exe
2700	svchost.exe
3032	explorer.exe
2700	svchost.exe
3032	explorer.exe
2700	svchost.exe
3032	explorer.exe
2700	svchost.exe
3032	explorer.exe
2700	svchost.exe
3032	explorer.exe
2700	svchost.exe
3032	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	c514d6be438959884519abd5d83a1971.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2516	schtasks.exe
2748	schtasks.exe
2136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
3032	explorer.exe
2700	svchost.exe
2700	svchost.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
2700	svchost.exe
2700	svchost.exe
3032	explorer.exe
3032	explorer.exe
2700	svchost.exe
3032	explorer.exe
2700	svchost.exe
2700	svchost.exe
3032	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2700	svchost.exe
3032	explorer.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
1888	c514d6be438959884519abd5d83a1971.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
2524	spoolsv.exe
2524	spoolsv.exe
2524	spoolsv.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2772	spoolsv.exe
2772	spoolsv.exe
2772	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 3032	1888	c514d6be438959884519abd5d83a1971.exe	28
PID 1888 wrote to memory of 3032	1888	c514d6be438959884519abd5d83a1971.exe	28
PID 1888 wrote to memory of 3032	1888	c514d6be438959884519abd5d83a1971.exe	28
PID 1888 wrote to memory of 3032	1888	c514d6be438959884519abd5d83a1971.exe	28
PID 3032 wrote to memory of 2524	3032	explorer.exe	29
PID 3032 wrote to memory of 2524	3032	explorer.exe	29
PID 3032 wrote to memory of 2524	3032	explorer.exe	29
PID 3032 wrote to memory of 2524	3032	explorer.exe	29
PID 2524 wrote to memory of 2700	2524	spoolsv.exe	30
PID 2524 wrote to memory of 2700	2524	spoolsv.exe	30
PID 2524 wrote to memory of 2700	2524	spoolsv.exe	30
PID 2524 wrote to memory of 2700	2524	spoolsv.exe	30
PID 2700 wrote to memory of 2772	2700	svchost.exe	31
PID 2700 wrote to memory of 2772	2700	svchost.exe	31
PID 2700 wrote to memory of 2772	2700	svchost.exe	31
PID 2700 wrote to memory of 2772	2700	svchost.exe	31
PID 3032 wrote to memory of 2408	3032	explorer.exe	32
PID 3032 wrote to memory of 2408	3032	explorer.exe	32
PID 3032 wrote to memory of 2408	3032	explorer.exe	32
PID 3032 wrote to memory of 2408	3032	explorer.exe	32
PID 2700 wrote to memory of 2516	2700	svchost.exe	33
PID 2700 wrote to memory of 2516	2700	svchost.exe	33
PID 2700 wrote to memory of 2516	2700	svchost.exe	33
PID 2700 wrote to memory of 2516	2700	svchost.exe	33
PID 2700 wrote to memory of 2748	2700	svchost.exe	38
PID 2700 wrote to memory of 2748	2700	svchost.exe	38
PID 2700 wrote to memory of 2748	2700	svchost.exe	38
PID 2700 wrote to memory of 2748	2700	svchost.exe	38
PID 2700 wrote to memory of 2136	2700	svchost.exe	40
PID 2700 wrote to memory of 2136	2700	svchost.exe	40
PID 2700 wrote to memory of 2136	2700	svchost.exe	40
PID 2700 wrote to memory of 2136	2700	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\c514d6be438959884519abd5d83a1971.exe
"C:\Users\Admin\AppData\Local\Temp\c514d6be438959884519abd5d83a1971.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3032
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2700
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2772
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:27 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2516
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:28 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2748
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:29 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2136
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\svchost.exe

Filesize
1.8MB

MD5
563897a2f92bee9e6e4e318865b03f84

SHA1
5966f11cdfb621870834643359a082fe15833197

SHA256
295a56e7b520e788480d7ac671e8dd3ae6e1e990cbf9a690c393e852a6567ca7

SHA512
a12821e2840da3b55a1f1c27ff32cde8ef16e325046ad0d7ee160a03a63f40af5c8bdd47e5ac3bd03a1dc2fddd12f5d1b4b84b24a11dc0c4aa7cc9979b7006a6

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
2.6MB

MD5
6abf57bb03a616de9c781f9a9fe02f9c

SHA1
69dea0ee3e50fca6e385db4ba2059c8c0981212c

SHA256
7af8a255449a86e8e0884876dbcc9a95d6a6a9a21256add2a92a41e3dd9d0745

SHA512
1f585d20b9cec6093ea4a118402f3714afdbece7118f3794845fc8d9b24ef850b9a24f081bb09416ace848606aaa90299398890c3100cdb30c5108c1aeef8651

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
31cefed207c097045b7a138a1c8a4e33

SHA1
b08f4f34a002d0300db5af4eb09fcff4de1a1902

SHA256
8a3bfc0b01cbebf519a5dbd50f7ef73f5738c7ab5981f5c8ca83a6ea71510433

SHA512
a270299eebc335d262540f98bd88485e7a9fe60ca02ef321862d6fcd8b255d02ed586969c453f892a886a859b6e15754390b295fb20b5687f5940f486292d696

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
e36bafa3f9ce4d8a43eeb1c9bcc7ed22

SHA1
7a77e960ad0b709a8d188fdc6d6556046722eb52

SHA256
6acdeeac37c3a427db89c7d2f5579a8a2ec7d9190d7bed7e2e02808a4cf6c68d

SHA512
fbcd4e98a32f74b275301f9369da46c7a173faee031948a291d86f83523c976094da5a96e128d4b466eff69654b22bfe0d5e2ca99e1892faaa33f6f96086226c

Download Submit
\Windows\Resources\svchost.exe

Filesize
1.8MB

MD5
9b1d5d3fe2719bbf9d6daaa4026af752

SHA1
89263a668f02327ff2f557bbb022622246736e86

SHA256
402cb76751149219509cb2f4c668edccfa8ae8ffde6236c2d975965355e3b304

SHA512
99d2a6d5c80ec67eae882a50f8b2b292fc2bc5c2c3d6079a35c5ba4d680f718df22e8bf97a1227fe9b8e0093d51d732387cb04b4f81abaff73ed7b991e43e27b

Download Submit
memory/1888-0-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1888-58-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1888-57-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1888-47-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1888-11-0x0000000004510000-0x0000000004E61000-memory.dmp

Filesize
9.3MB

Download
memory/1888-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2524-26-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2524-27-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2524-38-0x0000000004570000-0x0000000004EC1000-memory.dmp

Filesize
9.3MB

Download
memory/2524-56-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2524-54-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2700-83-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2700-63-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2700-73-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2700-69-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2700-39-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2700-77-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2700-41-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2700-79-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2700-85-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2700-87-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2700-89-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2700-71-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2700-81-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2700-46-0x0000000004480000-0x0000000004DD1000-memory.dmp

Filesize
9.3MB

Download
memory/2700-64-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2700-65-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2772-53-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2772-55-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2772-49-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2772-48-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3032-59-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/3032-70-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3032-74-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3032-76-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3032-68-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3032-78-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3032-66-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3032-80-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3032-61-0x00000000042B0000-0x0000000004C01000-memory.dmp

Filesize
9.3MB

Download
memory/3032-82-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3032-60-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3032-84-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3032-23-0x00000000042B0000-0x0000000004C01000-memory.dmp

Filesize
9.3MB

Download
memory/3032-86-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3032-15-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3032-88-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3032-13-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/3032-90-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download