f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c

General

Target

f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
Size

121KB
MD5

ef46b2a0b62c0d32c5d0a93e89afc02a
SHA1

675e9583128ff9d43034baf0952c52402edcf6d1
SHA256

f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c
SHA512

cf359456fdc87bc1685350d7af195bf96241747f7115bbf18430bb74ead11e2348097ba19382bd831de09461d2e9e54417b571554fb818b4dd80ba6423158400
SSDEEP

1536:9X9TaOt5OuXpBFZQUSvnsk+z/ypuOASsIc9XmkbxH3u:9X9TP3OuXpBkAz/yjvc9X/9Xu

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

3028 explorer.exe
2988 spoolsv.exe
2596 svchost.exe
2604 spoolsv.exe

pid	process
3028	explorer.exe
2988	spoolsv.exe
2596	svchost.exe
2604	spoolsv.exe

Loads dropped DLL 8 IoCs

Processes:

f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exeexplorer.exespoolsv.exesvchost.exe

pid	process
2936	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
2936	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
3028	explorer.exe
3028	explorer.exe
2988	spoolsv.exe
2988	spoolsv.exe
2596	svchost.exe
2596	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in Windows directory 4 IoCs

Processes:

f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\udsys.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2564 schtasks.exe
1788 schtasks.exe
2096 schtasks.exe

pid	process
2564	schtasks.exe
1788	schtasks.exe
2096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exeexplorer.exesvchost.exe

pid	process
2936	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
3028	explorer.exe
3028	explorer.exe
2596	svchost.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe
2596	svchost.exe
3028	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

3028 explorer.exe
2596 svchost.exe

pid	process
3028	explorer.exe
2596	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2936	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
2936	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
3028	explorer.exe
3028	explorer.exe
2988	spoolsv.exe
2988	spoolsv.exe
2596	svchost.exe
2596	svchost.exe
2604	spoolsv.exe
2604	spoolsv.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2936 wrote to memory of 3028	2936	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe	explorer.exe
PID 2936 wrote to memory of 3028	2936	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe	explorer.exe
PID 2936 wrote to memory of 3028	2936	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe	explorer.exe
PID 2936 wrote to memory of 3028	2936	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe	explorer.exe
PID 3028 wrote to memory of 2988	3028	explorer.exe	spoolsv.exe
PID 3028 wrote to memory of 2988	3028	explorer.exe	spoolsv.exe
PID 3028 wrote to memory of 2988	3028	explorer.exe	spoolsv.exe
PID 3028 wrote to memory of 2988	3028	explorer.exe	spoolsv.exe
PID 2988 wrote to memory of 2596	2988	spoolsv.exe	svchost.exe
PID 2988 wrote to memory of 2596	2988	spoolsv.exe	svchost.exe
PID 2988 wrote to memory of 2596	2988	spoolsv.exe	svchost.exe
PID 2988 wrote to memory of 2596	2988	spoolsv.exe	svchost.exe
PID 2596 wrote to memory of 2604	2596	svchost.exe	spoolsv.exe
PID 2596 wrote to memory of 2604	2596	svchost.exe	spoolsv.exe
PID 2596 wrote to memory of 2604	2596	svchost.exe	spoolsv.exe
PID 2596 wrote to memory of 2604	2596	svchost.exe	spoolsv.exe
PID 2596 wrote to memory of 2564	2596	svchost.exe	schtasks.exe
PID 2596 wrote to memory of 2564	2596	svchost.exe	schtasks.exe
PID 2596 wrote to memory of 2564	2596	svchost.exe	schtasks.exe
PID 2596 wrote to memory of 2564	2596	svchost.exe	schtasks.exe
PID 2596 wrote to memory of 1788	2596	svchost.exe	schtasks.exe
PID 2596 wrote to memory of 1788	2596	svchost.exe	schtasks.exe
PID 2596 wrote to memory of 1788	2596	svchost.exe	schtasks.exe
PID 2596 wrote to memory of 1788	2596	svchost.exe	schtasks.exe
PID 2596 wrote to memory of 2096	2596	svchost.exe	schtasks.exe
PID 2596 wrote to memory of 2096	2596	svchost.exe	schtasks.exe
PID 2596 wrote to memory of 2096	2596	svchost.exe	schtasks.exe
PID 2596 wrote to memory of 2096	2596	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
"C:\Users\Admin\AppData\Local\Temp\f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2604

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:26 /f
5⤵
- Creates scheduled task(s)
PID:2564

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:27 /f
5⤵
- Creates scheduled task(s)
PID:1788

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:28 /f
5⤵
- Creates scheduled task(s)
PID:2096

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe
Filesize
121KB

MD5
7d4fa3796b8c1995cc6312584c71e5a3

SHA1
ef07ddfa42f9ebaf04d27efdc06da61fd9579440

SHA256
1530d8dd523004f4336de576bcc617f2dbf9a934c6d9c2f0a75192f10563079c

SHA512
e0fd03b9111535e22135b935d72aef0e6b797f110942328f3029d539beed9074fc2a6174ffd34c9dbeaab8dd81416cb7e8965835354b36881b1bc92146893828

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
121KB

MD5
67294f2aa8cf006ab3e6735ca931d3d6

SHA1
433d607e9848a9a0c7298f529f40e1c48739c0cf

SHA256
55248a3f3c889d9edb3fdee532d15bbae934e88094ef92db6769e7e17bb5c7b8

SHA512
285fb324cf5b3d424ec652158f2f9f1deb3a9b1aadad871184109b676a46367e00aa653f5a263496657f6364cb561d351b2b55a9f824cb4be17874397020ecb7

Download Submit
\Windows\Resources\svchost.exe
Filesize
121KB

MD5
f0764c2a14abe55b95261815d4961c4c

SHA1
7a1d1add4d0a3d28b5eed7d587077fd816ae4381

SHA256
4aee39797934381957d8bfee342534df1429335bae30edcb677f738edf3d3077

SHA512
a34b96de4eb8fa2aefdcd93d8c35c75c40b70ecc4d6377ae429dc65bef707b90c7496c305cddc25565644b66589a3852ffee9d1f9c40e2c915f5b3bf27aa6882

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads