Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-04-2024 02:55
Static task: static1
Behavioral task: behavioral1
  Sample: c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200.exe
  Resource: win10v2004-20240412-en
General
Target: c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200.exe
Size: 135KB
MD5: 8e54bcbc6d7c3c11ce5a058463f02a6f
SHA1: 867552607510068f384c9d6986947fa63c3c9768
SHA256: c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200
SHA512: b072a96e130a26f0663eedca29b42fa169607a54a4241193562f9a58a21a6ae5352624172e25fc4e2e21cfdda32b9c14b1332b019be60018ced6ba066285e986
SSDEEP: 1536:XfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbgtx:XVqoCl/YgjxEufVU0TbTyDDalqx
Malware Config
Signatures
Note: the process names in the entries below (explorer.exe, spoolsv.exe, svchost.exe) are the dropped copies under c:\windows\resources (PIDs 2752, 3904, 5100, 4524 in the process tree), not the Windows binaries of the same name.

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)

Executes dropped EXE (4 IoCs)
- PID 2752 explorer.exe
- PID 3904 spoolsv.exe
- PID 5100 svchost.exe
- PID 4524 spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: svchost.exe)

Drops file in System32 directory (2 IoCs)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (process: explorer.exe)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (process: svchost.exe)

Drops file in Windows directory (4 IoCs)
- File opened for modification \??\c:\windows\resources\themes\explorer.exe (process: c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200.exe)
- File opened for modification \??\c:\windows\resources\spoolsv.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\resources\svchost.exe (process: spoolsv.exe)
- File opened for modification C:\Windows\Resources\tjud.exe (process: explorer.exe)
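The registry and file IoCs above are the hunt-worthy part of this report: RunOnce values under WOW6432Node that launch system-binary names (svchost.exe, explorer.exe) from c:\windows\resources, ShowSuperHidden forced to 0 so the dropped files stay hidden in Explorer, and the real C:\Windows\SysWOW64\explorer.exe opened for modification. The script below is an added example, not part of the sandbox report or of any tool it describes: it parses IoC lines in the report's own "Set value ..." and "File opened for modification ..." format (the sample lines are copied from this page, except the final Run\Updater line, which is a constructed benign control) and flags the three patterns. SYSTEM_BINARY_HOMES is an assumption about where those binaries legitimately live; the process column is whatever name the sandbox reported, which here is the dropped copy rather than the OS binary.

```python
import re
from dataclasses import dataclass

# Constructed sample input, copied from the "Signatures" section of the report above
# (three registry Set value lines, three file lines). The last line is a hypothetical
# benign Run value added so the control case is exercised; it is not in the report.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe',
    r'File opened for modification \??\c:\windows\resources\themes\explorer.exe c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200.exe',
    r'File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe',
    r'File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "c:\\users\\admin\\appdata\\local\\vendorapp\\updater.exe /silent" explorer.exe',
]

# Legitimate directories for the Windows binary names this sample imitates
# (lower-case, no trailing backslash). Assumption for this example; extend as needed.
SYSTEM_BINARY_HOMES = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}

REG_RE = re.compile(
    r'^Set value \((?:int|str)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>.*)" (?P<proc>\S+)$'
)
FILE_RE = re.compile(r'^File opened for modification (?P<path>\S+) (?P<proc>\S+)$')


@dataclass(frozen=True)
class Finding:
    rule: str      # which check fired
    process: str   # process name as the sandbox reports it (the dropped copy, not the OS binary)
    detail: str


def normalize_path(p):
    """Collapse the sandbox's doubled backslashes, drop the \\??\\ NT prefix, lower-case."""
    p = p.replace("\\\\", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower().rstrip("\\")


def image_from_command(cmd):
    """First token of a command line: a quoted path, else everything up to the first space."""
    cmd = cmd.replace('\\"', '"').strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def split_path(p):
    head, _, tail = p.rpartition("\\")
    return head, tail


def masquerades(path):
    """True when a Windows system-binary name sits outside its legitimate directory."""
    directory, name = split_path(path)
    homes = SYSTEM_BINARY_HOMES.get(name)
    return homes is not None and directory not in homes


def analyze(events):
    findings = []
    for line in events:
        m = REG_RE.match(line)
        if m:
            key, name, data, proc = m.group("key", "name", "data", "proc")
            subkey = key.rsplit("\\", 1)[-1].lower()
            if subkey in ("run", "runonce"):
                # Persistence: only alert when the autostart image is a masquerading copy.
                image = normalize_path(image_from_command(data))
                if masquerades(image):
                    findings.append(Finding("runkey_masquerade", proc, f"{subkey}\\{name} -> {image}"))
            elif name.lower() == "showsuperhidden" and data == "0":
                # Explorer\Advanced\ShowSuperHidden = 0 hides protected system files.
                findings.append(Finding("hide_system_files", proc, key))
            continue
        m = FILE_RE.match(line)
        if m:
            path, proc = normalize_path(m.group("path")), m.group("proc")
            name = split_path(path)[1]
            if masquerades(path):
                findings.append(Finding("dropped_masquerade", proc, path))
            elif name in SYSTEM_BINARY_HOMES:
                # The genuine binary itself was opened for writing.
                findings.append(Finding("system_binary_modified", proc, path))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.process:14} {f.detail}")
```

Run against the report's lines this yields six findings (one hide_system_files, two runkey_masquerade, two dropped_masquerade, one system_binary_modified) and nothing for the benign control. c:\windows\resources\tjud.exe is deliberately not flagged by name: only the directory plus a known binary name is treated as masquerading, so a hunt for that file has to key on the path itself.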
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2732 c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200.exe (repeated)
- PID 2752 explorer.exe (repeated)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2752 explorer.exe
- PID 5100 svchost.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
- PID 2732 c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200.exe (2)
- PID 2752 explorer.exe (2)
- PID 3904 spoolsv.exe (2)
- PID 5100 svchost.exe (2)
- PID 4524 spoolsv.exe (2)

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 2732 c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200.exe wrote to memory of PID 2752, procid_target 85 (3 calls)
- PID 2752 explorer.exe wrote to memory of PID 3904, procid_target 86 (3 calls)
- PID 3904 spoolsv.exe wrote to memory of PID 5100, procid_target 87 (3 calls)
- PID 5100 svchost.exe wrote to memory of PID 4524, procid_target 88 (3 calls)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200.exe"
   PID: 2732
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      PID: 2752
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. \??\c:\windows\resources\spoolsv.exe
         Command line: c:\windows\resources\spoolsv.exe SE
         PID: 3904
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. \??\c:\windows\resources\svchost.exe
            Command line: c:\windows\resources\svchost.exe
            PID: 5100
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. \??\c:\windows\resources\spoolsv.exe
               Command line: c:\windows\resources\spoolsv.exe PR
               PID: 4524
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
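Every "wrote to memory of" entry in this report is a parent writing into the child it has just spawned (2732 -> 2752 -> 3904 -> 5100 -> 4524, three calls each), which matches the process tree above and is consistent with ordinary process creation rather than injection into an unrelated process. The script below is an added example, not part of the sandbox report: it parses the WriteProcessMemory IoC lines in the report's format, folds the repeated calls per (writer, target) pair, and labels a pair "child" when the target is the writer's direct child in the process tree and "foreign" otherwise. The twelve sample lines are copied from this page; the extra line targeting PID 660 is hypothetical and only there to show the "foreign" branch, and PROCESS_TREE is transcribed from the Processes section.

```python
import re
from collections import Counter

# Constructed sample input: the twelve "wrote to memory of" IoC lines from the report above,
# each parent writing three times into the child it spawned. The final line (PID 5100 -> 660)
# is hypothetical and not in the report; it exists only to exercise the "foreign" branch.
WPM_LINES = (
    ["PID 2732 wrote to memory of 2752 2732 c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200.exe 85"] * 3
    + ["PID 2752 wrote to memory of 3904 2752 explorer.exe 86"] * 3
    + ["PID 3904 wrote to memory of 5100 3904 spoolsv.exe 87"] * 3
    + ["PID 5100 wrote to memory of 4524 5100 svchost.exe 88"] * 3
    + ["PID 5100 wrote to memory of 660 5100 svchost.exe 12"]
)

# Parent -> children, as drawn in the report's process tree.
PROCESS_TREE = {2732: {2752}, 2752: {3904}, 3904: {5100}, 5100: {4524}}

# Fields: writer PID, target PID, writer PID again, writer image name, sandbox procid_target.
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<proc>\S+) \d+$")


def classify_writes(lines, tree):
    """Group WriteProcessMemory IoCs by (writer, target) and label each pair.

    'child'   : the target is a direct child of the writer (what process creation looks like)
    'foreign' : the target is not the writer's child, i.e. a genuine cross-process write
    """
    calls = Counter()
    names = {}
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            continue
        src, dst = int(m.group("src")), int(m.group("dst"))
        calls[(src, dst)] += 1
        names[src] = m.group("proc")
    out = []
    for (src, dst), n in sorted(calls.items()):
        kind = "child" if dst in tree.get(src, set()) else "foreign"
        out.append({"writer": src, "process": names[src], "target": dst, "calls": n, "kind": kind})
    return out


def foreign_targets(lines, tree):
    """Only the (writer, target) pairs that deserve analyst attention."""
    return [(r["writer"], r["target"]) for r in classify_writes(lines, tree) if r["kind"] == "foreign"]


if __name__ == "__main__":
    for r in classify_writes(WPM_LINES, PROCESS_TREE):
        print(f'{r["writer"]:>5} ({r["process"]}) -> {r["target"]:>5}  calls={r["calls"]}  {r["kind"]}')
```

On the report's own twelve lines foreign_targets returns nothing; the signature is still worth keeping because the chain itself (a Temp-dropped binary spawning explorer.exe, spoolsv.exe and svchost.exe copies from c:\windows\resources) is the finding, not the memory writes.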
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 135KB
  MD5: b93008756f8b9003f1c995726a30f94d
  SHA1: 435814163fee63440c638c858ff587b6304a6b3f
  SHA256: d2d034a8d1c21fc190629d34362b96e93ae1481e208152d7d20d4d687bf94887
  SHA512: 158fc9065b4705632374482a40fc94f843111a0fd5b4790c0a43ee833ad95713295f249fc6e29c61738b290f161b10aad212ce03ba5a7838419286602e6441d1
- Filesize: 135KB
  MD5: 571d3203bd9ce6fec45f6a4048c3545e
  SHA1: 283273a2425ef6842945b01cf75e1d781027134d
  SHA256: ebb074e6b90ced520b5f90454234aaf35d521f747249da112179756d76bca968
  SHA512: 41cf214b86cfb515016083720ecfbb88ca7dfe76e89028e603c5265cdefe6f784a37cdba5f3e47a23b7ffca36f4e81f6163668b560a6c5e9017b2ab4d365530e
- Filesize: 135KB
  MD5: 5cf70b9cece345094ad29e9375ccb0dd
  SHA1: a417e9c42f9508c17b796587726c6b33b049dd32
  SHA256: 9e35cb70ced859c5c04795561ac735e3a922c807c704b97061f0868c8ba5db5d
  SHA512: 01541fe482242f6c6e6b82d2d055400bbd42250508fd689b7c611b30c812b2492e7c95e7f0990e19c9efbfec8a40ed63488f7e9d86f18a8ab28a33fe620e77a0