75e06033c5addd275ebd3d5a078d7a36143ab8fd4035864bccfb8e07d53493f2

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c514d6be438959884519abd5d83a1971.exe
Size

2.6MB
MD5

c514d6be438959884519abd5d83a1971
SHA1

ec0b968c127e88d9a57fd3816684b9ad8502f5b9
SHA256

75e06033c5addd275ebd3d5a078d7a36143ab8fd4035864bccfb8e07d53493f2
SHA512

e8038cde38e8ba865a92cfb2953431c4d7fbfeddf9d6b90f538d2c10df21d02803e23bf3e6e5de02d1447cba2979c0e6cb671fcca0b3f1a0d74ae359b978e13a
SSDEEP

49152:TeS12nRc6C5CEAHD26ICQVt1ULUQRP6a6YPkCLJ37xbIjNyX5Hxzl/e:6S+c6ZEmqCMtmoQRP6aZtnsNq9l/e

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2508	explorer.exe
4956	spoolsv.exe
2020	svchost.exe
2084	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs

pid	Process
996	c514d6be438959884519abd5d83a1971.exe
2508	explorer.exe
4956	spoolsv.exe
2508	explorer.exe
2020	svchost.exe
2084	spoolsv.exe
996	c514d6be438959884519abd5d83a1971.exe
2020	svchost.exe
2508	explorer.exe
2020	svchost.exe
2508	explorer.exe
2020	svchost.exe
2508	explorer.exe
2020	svchost.exe
2508	explorer.exe
2020	svchost.exe
2508	explorer.exe
2020	svchost.exe
2508	explorer.exe
2020	svchost.exe
2508	explorer.exe
2020	svchost.exe
2508	explorer.exe
2020	svchost.exe
2508	explorer.exe
2020	svchost.exe
2508	explorer.exe
2020	svchost.exe
2508	explorer.exe
2020	svchost.exe
2508	explorer.exe
2020	svchost.exe
2508	explorer.exe
2020	svchost.exe
2508	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	c514d6be438959884519abd5d83a1971.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2508	explorer.exe
2020	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
996	c514d6be438959884519abd5d83a1971.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
4956	spoolsv.exe
4956	spoolsv.exe
4956	spoolsv.exe
2020	svchost.exe
2020	svchost.exe
2020	svchost.exe
2084	spoolsv.exe
2084	spoolsv.exe
2084	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 2508	996	c514d6be438959884519abd5d83a1971.exe	89
PID 996 wrote to memory of 2508	996	c514d6be438959884519abd5d83a1971.exe	89
PID 996 wrote to memory of 2508	996	c514d6be438959884519abd5d83a1971.exe	89
PID 2508 wrote to memory of 4956	2508	explorer.exe	91
PID 2508 wrote to memory of 4956	2508	explorer.exe	91
PID 2508 wrote to memory of 4956	2508	explorer.exe	91
PID 4956 wrote to memory of 2020	4956	spoolsv.exe	92
PID 4956 wrote to memory of 2020	4956	spoolsv.exe	92
PID 4956 wrote to memory of 2020	4956	spoolsv.exe	92
PID 2020 wrote to memory of 2084	2020	svchost.exe	94
PID 2020 wrote to memory of 2084	2020	svchost.exe	94
PID 2020 wrote to memory of 2084	2020	svchost.exe	94

C:\Users\Admin\AppData\Local\Temp\c514d6be438959884519abd5d83a1971.exe
"C:\Users\Admin\AppData\Local\Temp\c514d6be438959884519abd5d83a1971.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2508
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2020
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
1e41498070dc397c972cf2413bf12a4c

SHA1
ea47343a4582c8b775d3e0714b677f52b61bb208

SHA256
ed3034ef6784cfbaa8608473efc1e6531bb6e5ace40316fcf98b4a7e41508fa5

SHA512
fc9305fe372a1dd4dc978f96b469adebc55dfada5895f4296867f4968a44132b9c596d91c247c9050901d202c3b85a8eba6a729efe9b08326a897203439f7163

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
1.1MB

MD5
06502e949be85e8787184d070717c3ff

SHA1
c65419048a487cee1cbc663c8f6705cbe23796a7

SHA256
55930713ded3442a6d90e58dd0ad66ac8b0cc95337fda1bd498b70846c838be0

SHA512
ffc2f634600a20f999eced9f95b21e766477452e19ccc8de40d25fc57ccf7285ab5fe4dcc9515e32ec58212f0107d27d77fa7265d7db1c0479555b3830eabaa6

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
726886ba0417b5124f535aa80158abb0

SHA1
f042ad7be03c8deadee7238ab85a6cca6419f76a

SHA256
ff8647d6ca71220e2deb72c0533c2ee5efce53e141d0ba4ad6de5195c09f2514

SHA512
2d9a92a4a1c39d907731fb95db8b9ece65c13aba5b2c0c16bc71cc6dc0df12e53a8ce37628d5bd2637ecca86b6edd32bdfde9143c959b0b4c477e84356d1ec9c

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
2.6MB

MD5
3a0e42223f39b8c730d9c6c8734c44b6

SHA1
66fccb6d5df6e94c9208c109a9a6292ea7e2550e

SHA256
5df6f121a335c36eb0306b74c18d69386b8d8c01038e0ea727d932f78f421b73

SHA512
5ea0cfff8a461894c48894b1cdcdfbc6347046cf8dfbe9e0fcd43caae353e79851e5e701cd96279026ab3d2ecf0cbd3e1bcceba614644107f8d9d738b5f80403

Download Submit
memory/996-40-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/996-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/996-0-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/996-43-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2020-47-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2020-67-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2020-53-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2020-59-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2020-55-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2020-69-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2020-51-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2020-28-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2020-50-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2020-29-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2020-65-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2020-63-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2020-71-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2020-61-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2020-75-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2084-39-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2084-42-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2084-35-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2084-34-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2508-49-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2508-45-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2508-58-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2508-52-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2508-60-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2508-48-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2508-62-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2508-46-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2508-64-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2508-56-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2508-66-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2508-10-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2508-68-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2508-74-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2508-70-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2508-72-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4956-19-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4956-41-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4956-44-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download