e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
Size

206KB
MD5

23b8389fd7dac23be82bc5943fd1093a
SHA1

b58b4eb52b3781814d75efe07c3a940a36beab5c
SHA256

e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3
SHA512

791ce1a30dfa36c1b5ecb3b7f1df3bccaff675b240fc8bdaa42925fb46f9023932611323e4916a88511264b45b07cf8e8ff31c7954e5a49f61aaee8a3f2ba978
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdVx:/VqoCl/YgjxEufVU0TbTyDDalbVx

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3008	explorer.exe
2672	spoolsv.exe
2524	svchost.exe
2896	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
3008	explorer.exe
3008	explorer.exe
2672	spoolsv.exe
2672	spoolsv.exe
2524	svchost.exe
2524	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2436	schtasks.exe
2732	schtasks.exe
1424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
2524	svchost.exe
2524	svchost.exe
2524	svchost.exe
2524	svchost.exe
2524	svchost.exe
2524	svchost.exe
2524	svchost.exe
2524	svchost.exe
2524	svchost.exe
2524	svchost.exe
2524	svchost.exe
2524	svchost.exe
2524	svchost.exe
2524	svchost.exe
2524	svchost.exe
2524	svchost.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
2524	svchost.exe
2524	svchost.exe
3008	explorer.exe
2524	svchost.exe
3008	explorer.exe
2524	svchost.exe
3008	explorer.exe
2524	svchost.exe
3008	explorer.exe
2524	svchost.exe
3008	explorer.exe
2524	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3008	explorer.exe
2524	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
3008	explorer.exe
3008	explorer.exe
2672	spoolsv.exe
2672	spoolsv.exe
2524	svchost.exe
2524	svchost.exe
2896	spoolsv.exe
2896	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3008	2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe	28
PID 2240 wrote to memory of 3008	2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe	28
PID 2240 wrote to memory of 3008	2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe	28
PID 2240 wrote to memory of 3008	2240	e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe	28
PID 3008 wrote to memory of 2672	3008	explorer.exe	29
PID 3008 wrote to memory of 2672	3008	explorer.exe	29
PID 3008 wrote to memory of 2672	3008	explorer.exe	29
PID 3008 wrote to memory of 2672	3008	explorer.exe	29
PID 2672 wrote to memory of 2524	2672	spoolsv.exe	30
PID 2672 wrote to memory of 2524	2672	spoolsv.exe	30
PID 2672 wrote to memory of 2524	2672	spoolsv.exe	30
PID 2672 wrote to memory of 2524	2672	spoolsv.exe	30
PID 2524 wrote to memory of 2896	2524	svchost.exe	31
PID 2524 wrote to memory of 2896	2524	svchost.exe	31
PID 2524 wrote to memory of 2896	2524	svchost.exe	31
PID 2524 wrote to memory of 2896	2524	svchost.exe	31
PID 3008 wrote to memory of 2360	3008	explorer.exe	32
PID 3008 wrote to memory of 2360	3008	explorer.exe	32
PID 3008 wrote to memory of 2360	3008	explorer.exe	32
PID 3008 wrote to memory of 2360	3008	explorer.exe	32
PID 2524 wrote to memory of 2436	2524	svchost.exe	33
PID 2524 wrote to memory of 2436	2524	svchost.exe	33
PID 2524 wrote to memory of 2436	2524	svchost.exe	33
PID 2524 wrote to memory of 2436	2524	svchost.exe	33
PID 2524 wrote to memory of 2732	2524	svchost.exe	38
PID 2524 wrote to memory of 2732	2524	svchost.exe	38
PID 2524 wrote to memory of 2732	2524	svchost.exe	38
PID 2524 wrote to memory of 2732	2524	svchost.exe	38
PID 2524 wrote to memory of 1424	2524	svchost.exe	40
PID 2524 wrote to memory of 1424	2524	svchost.exe	40
PID 2524 wrote to memory of 1424	2524	svchost.exe	40
PID 2524 wrote to memory of 1424	2524	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
"C:\Users\Admin\AppData\Local\Temp\e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3008
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2524
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2896
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:00 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2436
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:01 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2732
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:02 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1424
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
a666fb88e231107ef0860042fa1eb0e3

SHA1
8c28e991d74ba8358659ce1bb42090acf8d7326a

SHA256
7d5edae48d7190f05a999aabc1198901f0223e8a8cc48c77bb0ce65d98c4606c

SHA512
de65255faa590b96c2abadee5261b29a7df822e0929c8a16193046905645c7042b54fd3453d73075e0af6c4ead630fb317aa4e5aea15c486cf94dcee8c5ae600

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
206KB

MD5
b5fed14e91dbe7766903a4501597f766

SHA1
7bd7eb22a2c76c5f4c39f233bb69cb5d89be192f

SHA256
da77fc172c1ac85526f0abfc2c223aaa68131c2d88e9d51dec733b6694303032

SHA512
8ad2d70d23d0cb523993af8686f0d49e4732c9a038fbac92744afa6ac60167d29736df663524cb6ff84126f5c4792973b9c793f022ff2ac89355c2e3b0a20086

Download Submit
\Windows\Resources\svchost.exe

Filesize
206KB

MD5
dbec132af2b8f50584440778d6039f5b

SHA1
a6e920bcb6d4b66697c56f607ff594e015637e23

SHA256
b6271098ccd355ed917ff27ec6cc0a2a1e0f9404760b4d537d22242ed2315607

SHA512
97507a90a74807b86653033ffe7c5366cd13b753b779b2c9c827567ef586c4fb2542e2de0b71d534df6caf2366257de7c136759d03b0e0bef20deb9db6bbfc53

Download Submit
memory/2240-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-13-0x0000000001D80000-0x0000000001DAF000-memory.dmp

Filesize
188KB

Download
memory/2240-14-0x0000000001D80000-0x0000000001DAF000-memory.dmp

Filesize
188KB

Download
memory/2240-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-51-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download