4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
Size

206KB
MD5

9a1e5dd8c4198a78bfa202fe081634bd
SHA1

509363381c10aae1eb77dd784052bf6f3e19c796
SHA256

4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa
SHA512

bfa82be9b7a9fb2de057c81616d08d3a4c76e5824dc1f2bcb7f13167b5f06330d47303878c51c2d85ec1275932a8f0b2c6e4eed4fb4dace10112cebb8cea51ed
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdVW:/VqoCl/YgjxEufVU0TbTyDDalbVW

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1868	explorer.exe
2556	spoolsv.exe
2560	svchost.exe
2680	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1868	explorer.exe
1868	explorer.exe
2556	spoolsv.exe
2556	spoolsv.exe
2560	svchost.exe
2560	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2424	schtasks.exe
756	schtasks.exe
2092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
1868	explorer.exe
2560	svchost.exe
1868	explorer.exe
2560	svchost.exe
1868	explorer.exe
2560	svchost.exe
1868	explorer.exe
2560	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1868	explorer.exe
2560	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
1868	explorer.exe
1868	explorer.exe
2556	spoolsv.exe
2556	spoolsv.exe
2560	svchost.exe
2560	svchost.exe
2680	spoolsv.exe
2680	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1868	1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe	28
PID 1712 wrote to memory of 1868	1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe	28
PID 1712 wrote to memory of 1868	1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe	28
PID 1712 wrote to memory of 1868	1712	4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe	28
PID 1868 wrote to memory of 2556	1868	explorer.exe	29
PID 1868 wrote to memory of 2556	1868	explorer.exe	29
PID 1868 wrote to memory of 2556	1868	explorer.exe	29
PID 1868 wrote to memory of 2556	1868	explorer.exe	29
PID 2556 wrote to memory of 2560	2556	spoolsv.exe	30
PID 2556 wrote to memory of 2560	2556	spoolsv.exe	30
PID 2556 wrote to memory of 2560	2556	spoolsv.exe	30
PID 2556 wrote to memory of 2560	2556	spoolsv.exe	30
PID 2560 wrote to memory of 2680	2560	svchost.exe	31
PID 2560 wrote to memory of 2680	2560	svchost.exe	31
PID 2560 wrote to memory of 2680	2560	svchost.exe	31
PID 2560 wrote to memory of 2680	2560	svchost.exe	31
PID 1868 wrote to memory of 1660	1868	explorer.exe	32
PID 1868 wrote to memory of 1660	1868	explorer.exe	32
PID 1868 wrote to memory of 1660	1868	explorer.exe	32
PID 1868 wrote to memory of 1660	1868	explorer.exe	32
PID 2560 wrote to memory of 2424	2560	svchost.exe	33
PID 2560 wrote to memory of 2424	2560	svchost.exe	33
PID 2560 wrote to memory of 2424	2560	svchost.exe	33
PID 2560 wrote to memory of 2424	2560	svchost.exe	33
PID 2560 wrote to memory of 756	2560	svchost.exe	38
PID 2560 wrote to memory of 756	2560	svchost.exe	38
PID 2560 wrote to memory of 756	2560	svchost.exe	38
PID 2560 wrote to memory of 756	2560	svchost.exe	38
PID 2560 wrote to memory of 2092	2560	svchost.exe	40
PID 2560 wrote to memory of 2092	2560	svchost.exe	40
PID 2560 wrote to memory of 2092	2560	svchost.exe	40
PID 2560 wrote to memory of 2092	2560	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
"C:\Users\Admin\AppData\Local\Temp\4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1868
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2560
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2680
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:11 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2424
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:12 /f
        5⤵
        Creates scheduled task(s)
        
        PID:756
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:13 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2092
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
68793b0a5a0530ae03d34670b722c4f8

SHA1
71cc43c823471ad3fd3fd91f96d8350f9f96dd04

SHA256
e267c381f2614dba86e7dc868e2afd7d3c5b2d4dc1dc8c00b43c0ff6b11c11c3

SHA512
62b141335d8ffc656541d0f45224917543e92df873d27d7e2a0cf77e0a76a4a7aa9dc07d8a5f0b1c2ca4b6dcc8efe6823aad2eee8f30de39fb1e47ff0d466df4

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
206KB

MD5
1a8fb62abfcd0d9b4ec25d6ed74f5a25

SHA1
6c81c4259b5226f1eae5b512fdfb739013e84f54

SHA256
874f4ff2aed49155e0377b410b1385c296960fffba2176202060f7dd2317be12

SHA512
e60b0e2c03363576a12fd1c20f9bc11e25662f0fa4015eabcbac74daa915748741611521093655d9b3c74a69caa9ae1dff6e16028eae8a6b557574b39bf7f2dc

Download Submit
\Windows\Resources\svchost.exe

Filesize
206KB

MD5
7dda2636cee88e2a59cb00e6d0b0c6e4

SHA1
03102df0d672f17b1ec7133a4f30d74c1bb9db3f

SHA256
efe4fbc4abccd16a0154ba45b09490eb3d85a506fd49c4d6ca7c9b314fe9ca48

SHA512
b90c8f5cf2a5b92d05c85a7659a52fb5beb19bd47f6aea8e8c9d8ac2d07e6f64454cb08129dc4ff660c6de55719e2ff14acd5b8273d912dc0b77ee6225c2a313

Download Submit
memory/1712-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-13-0x0000000000330000-0x000000000035F000-memory.dmp

Filesize
188KB

Download
memory/1712-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-51-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-50-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download