Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24/04/2024, 19:15
Static task: static1
Behavioral task: behavioral1
  Sample: 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
  Resource: win10v2004-20240412-en
General
Target: 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
Size: 2.6MB
MD5: 1e3a6a31db311756dde13aff8a860b99
SHA1: 37b51c0dae5dd2a82ef11c179037dfe682df4b13
SHA256: 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d
SHA512: 5c4bee464970cb766a5fda0da84c2e8e9a9d01833a9e40fe5ba63690a550975a7e950f7176889c1afb03f391f9c2db53d8004be6c3f248bc9f2d4edef7807228
SSDEEP: 49152:TeS12nRc6C5CEAHD26ICQVt1ULUQRP6a6YPkCLJ37xbIjNyX5Hxzl/a:6S+c6ZEmqCMtmoQRP6aZtnsNq9l/a

Malware Config

Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Executes dropped EXE (4 IoCs)
pid | Process
2956 | explorer.exe
2588 | spoolsv.exe
2976 | svchost.exe
1204 | spoolsv.exe

Loads dropped DLL (4 IoCs)
pid | Process
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
2956 | explorer.exe
2588 | spoolsv.exe
2976 | svchost.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (35 IoCs)
pid | Process
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
2956 | explorer.exe
2588 | spoolsv.exe
2976 | svchost.exe
1204 | spoolsv.exe
2956 | explorer.exe
2976 | svchost.exe
2956 | explorer.exe
2976 | svchost.exe
2956 | explorer.exe
2976 | svchost.exe
2956 | explorer.exe
2976 | svchost.exe
2956 | explorer.exe
2976 | svchost.exe
2956 | explorer.exe
2976 | svchost.exe
2956 | explorer.exe
2976 | svchost.exe
2956 | explorer.exe
2976 | svchost.exe
2956 | explorer.exe
2976 | svchost.exe
2956 | explorer.exe
2976 | svchost.exe
2956 | explorer.exe
2976 | svchost.exe
2956 | explorer.exe
2976 | svchost.exe
2956 | explorer.exe
2976 | svchost.exe
2956 | explorer.exe
2976 | svchost.exe
2956 | explorer.exe
2976 | svchost.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe

Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1792 | schtasks.exe
3056 | schtasks.exe
2860 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
2956 | explorer.exe
2956 | explorer.exe
2976 | svchost.exe
2976 | svchost.exe
2956 | explorer.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2956 | explorer.exe
2976 | svchost.exe

Suspicious use of SetWindowsHookEx (15 IoCs)
pid | Process
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
2956 | explorer.exe
2956 | explorer.exe
2956 | explorer.exe
2588 | spoolsv.exe
2588 | spoolsv.exe
2588 | spoolsv.exe
2976 | svchost.exe
2976 | svchost.exe
2976 | svchost.exe
1204 | spoolsv.exe
1204 | spoolsv.exe
1204 | spoolsv.exe

Suspicious use of WriteProcessMemory (32 IoCs)
description | pid | Process | procid_target
PID 3000 wrote to memory of 2956 | 3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe | 28
PID 3000 wrote to memory of 2956 | 3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe | 28
PID 3000 wrote to memory of 2956 | 3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe | 28
PID 3000 wrote to memory of 2956 | 3000 | 9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe | 28
PID 2956 wrote to memory of 2588 | 2956 | explorer.exe | 29
PID 2956 wrote to memory of 2588 | 2956 | explorer.exe | 29
PID 2956 wrote to memory of 2588 | 2956 | explorer.exe | 29
PID 2956 wrote to memory of 2588 | 2956 | explorer.exe | 29
PID 2588 wrote to memory of 2976 | 2588 | spoolsv.exe | 30
PID 2588 wrote to memory of 2976 | 2588 | spoolsv.exe | 30
PID 2588 wrote to memory of 2976 | 2588 | spoolsv.exe | 30
PID 2588 wrote to memory of 2976 | 2588 | spoolsv.exe | 30
PID 2976 wrote to memory of 1204 | 2976 | svchost.exe | 31
PID 2976 wrote to memory of 1204 | 2976 | svchost.exe | 31
PID 2976 wrote to memory of 1204 | 2976 | svchost.exe | 31
PID 2976 wrote to memory of 1204 | 2976 | svchost.exe | 31
PID 2956 wrote to memory of 2460 | 2956 | explorer.exe | 32
PID 2956 wrote to memory of 2460 | 2956 | explorer.exe | 32
PID 2956 wrote to memory of 2460 | 2956 | explorer.exe | 32
PID 2956 wrote to memory of 2460 | 2956 | explorer.exe | 32
PID 2976 wrote to memory of 1792 | 2976 | svchost.exe | 33
PID 2976 wrote to memory of 1792 | 2976 | svchost.exe | 33
PID 2976 wrote to memory of 1792 | 2976 | svchost.exe | 33
PID 2976 wrote to memory of 1792 | 2976 | svchost.exe | 33
PID 2976 wrote to memory of 3056 | 2976 | svchost.exe | 38
PID 2976 wrote to memory of 3056 | 2976 | svchost.exe | 38
PID 2976 wrote to memory of 3056 | 2976 | svchost.exe | 38
PID 2976 wrote to memory of 3056 | 2976 | svchost.exe | 38
PID 2976 wrote to memory of 2860 | 2976 | svchost.exe | 40
PID 2976 wrote to memory of 2860 | 2976 | svchost.exe | 40
PID 2976 wrote to memory of 2860 | 2976 | svchost.exe | 40
PID 2976 wrote to memory of 2860 | 2976 | svchost.exe | 40

Processes
C:\Users\Admin\AppData\Local\Temp\9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3000
  \??\c:\windows\resources\themes\explorer.exe
    Command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2956
    \??\c:\windows\resources\spoolsv.exe
      Command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2588
      \??\c:\windows\resources\svchost.exe
        Command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2976
        \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx
          PID: 1204
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:17 /f
          - Creates scheduled task(s)
          PID: 1792
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:18 /f
          - Creates scheduled task(s)
          PID: 3056
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:19 /f
          - Creates scheduled task(s)
          PID: 2860
    C:\Windows\Explorer.exe
      Command line: C:\Windows\Explorer.exe
      PID: 2460

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)