9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
Size

2.6MB
MD5

1e3a6a31db311756dde13aff8a860b99
SHA1

37b51c0dae5dd2a82ef11c179037dfe682df4b13
SHA256

9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d
SHA512

5c4bee464970cb766a5fda0da84c2e8e9a9d01833a9e40fe5ba63690a550975a7e950f7176889c1afb03f391f9c2db53d8004be6c3f248bc9f2d4edef7807228
SSDEEP

49152:TeS12nRc6C5CEAHD26ICQVt1ULUQRP6a6YPkCLJ37xbIjNyX5Hxzl/a:6S+c6ZEmqCMtmoQRP6aZtnsNq9l/a

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1924	explorer.exe
1604	spoolsv.exe
2452	svchost.exe
4448	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs

pid	Process
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
1924	explorer.exe
1604	spoolsv.exe
2452	svchost.exe
4448	spoolsv.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
1924	explorer.exe
2452	svchost.exe
1924	explorer.exe
2452	svchost.exe
1924	explorer.exe
2452	svchost.exe
1924	explorer.exe
2452	svchost.exe
1924	explorer.exe
2452	svchost.exe
1924	explorer.exe
2452	svchost.exe
1924	explorer.exe
2452	svchost.exe
1924	explorer.exe
2452	svchost.exe
1924	explorer.exe
2452	svchost.exe
1924	explorer.exe
2452	svchost.exe
1924	explorer.exe
2452	svchost.exe
1924	explorer.exe
2452	svchost.exe
1924	explorer.exe
2452	svchost.exe
1924	explorer.exe
2452	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1924	explorer.exe
2452	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1604	spoolsv.exe
1604	spoolsv.exe
1604	spoolsv.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
4448	spoolsv.exe
4448	spoolsv.exe
4448	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 1924	3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe	89
PID 3588 wrote to memory of 1924	3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe	89
PID 3588 wrote to memory of 1924	3588	9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe	89
PID 1924 wrote to memory of 1604	1924	explorer.exe	91
PID 1924 wrote to memory of 1604	1924	explorer.exe	91
PID 1924 wrote to memory of 1604	1924	explorer.exe	91
PID 1604 wrote to memory of 2452	1604	spoolsv.exe	93
PID 1604 wrote to memory of 2452	1604	spoolsv.exe	93
PID 1604 wrote to memory of 2452	1604	spoolsv.exe	93
PID 2452 wrote to memory of 4448	2452	svchost.exe	95
PID 2452 wrote to memory of 4448	2452	svchost.exe	95
PID 2452 wrote to memory of 4448	2452	svchost.exe	95

C:\Users\Admin\AppData\Local\Temp\9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe
"C:\Users\Admin\AppData\Local\Temp\9fdbb3ac2a3c9814f05abb98daac8de7d6bfbed4caa002c9b01e7777c1c8851d.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3588
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1924
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2452
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
b20162198c94a7a0eadd02139cb2d4e8

SHA1
25d28893b68e00338f926ac701585e85d88eca34

SHA256
a8c1e373fdcf22fc82f9e8e016f8d7c399ff6eb70cfff227f1c3d306f36873ea

SHA512
639aea06202160743b36f19153321500a7998721e9b62686b28057d8086266dd5d1893c7554f2b2fb87b3d45d03a08e5ca5c2685ff704abcc4f7ab236d22db5f

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
f8fe173227a4bcfed28561c205c9abcb

SHA1
811405b0bd0270b4415dcdc69759616e69f059a9

SHA256
3ed28f327d3974c1b03b4696925529d5f4d0f8ecb3e378c9250c83a9ef704508

SHA512
9a1213d11121257559df1732873a3034b2c4a7f52c357c736cea1597f2ee3c8171cc9e98089b37c66af7e26c6c7efaee0e24338dfeff250a335a93a9d323d5a1

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
2.6MB

MD5
519b76fd3cea5c766f62528a2d7376f4

SHA1
ae5b59fdc8efd318e7e1bbe2e4b24b08d4668624

SHA256
9efcbcfead0c5b875097646046d23fe2b9d6862e70be797799628ff8d2b1e540

SHA512
707ab1ca41cec7ba86b491ea2fb235a4550475a2424cb6b0379de11e14a466dc83145575735f4180fc11e6fc4c871356019f8682c05887aa27fd38db600ec8de

Download Submit
memory/1604-21-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1604-44-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1604-40-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1604-20-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1924-63-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1924-50-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1924-75-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1924-71-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1924-69-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1924-10-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1924-65-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1924-61-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1924-59-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1924-57-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1924-11-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1924-46-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1924-47-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1924-53-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1924-49-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2452-54-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2452-58-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2452-52-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2452-48-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2452-76-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2452-56-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2452-30-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2452-66-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2452-74-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2452-70-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2452-62-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2452-51-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2452-64-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2452-68-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3588-0-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3588-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/3588-45-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/3588-43-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4448-36-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4448-42-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4448-35-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4448-41-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download