f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c

General

Target

f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
Size

121KB
MD5

ef46b2a0b62c0d32c5d0a93e89afc02a
SHA1

675e9583128ff9d43034baf0952c52402edcf6d1
SHA256

f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c
SHA512

cf359456fdc87bc1685350d7af195bf96241747f7115bbf18430bb74ead11e2348097ba19382bd831de09461d2e9e54417b571554fb818b4dd80ba6423158400
SSDEEP

1536:9X9TaOt5OuXpBFZQUSvnsk+z/ypuOASsIc9XmkbxH3u:9X9TP3OuXpBkAz/yjvc9X/9Xu

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

1892 explorer.exe
4564 spoolsv.exe
4616 svchost.exe
5032 spoolsv.exe

pid	process
1892	explorer.exe
4564	spoolsv.exe
4616	svchost.exe
5032	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\udsys.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exeexplorer.exesvchost.exe

pid	process
3292	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
3292	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
1892	explorer.exe
1892	explorer.exe
1892	explorer.exe
1892	explorer.exe
1892	explorer.exe
1892	explorer.exe
1892	explorer.exe
1892	explorer.exe
1892	explorer.exe
1892	explorer.exe
1892	explorer.exe
4616	svchost.exe
1892	explorer.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
1892	explorer.exe
1892	explorer.exe
4616	svchost.exe
4616	svchost.exe
1892	explorer.exe
1892	explorer.exe
4616	svchost.exe
4616	svchost.exe
1892	explorer.exe
1892	explorer.exe
4616	svchost.exe
4616	svchost.exe
1892	explorer.exe
1892	explorer.exe
4616	svchost.exe
4616	svchost.exe
1892	explorer.exe
1892	explorer.exe
4616	svchost.exe
4616	svchost.exe
1892	explorer.exe
1892	explorer.exe
4616	svchost.exe
4616	svchost.exe
1892	explorer.exe
1892	explorer.exe
4616	svchost.exe
4616	svchost.exe
1892	explorer.exe
1892	explorer.exe
4616	svchost.exe
4616	svchost.exe
1892	explorer.exe
1892	explorer.exe
4616	svchost.exe
4616	svchost.exe
1892	explorer.exe
1892	explorer.exe
4616	svchost.exe
4616	svchost.exe
1892	explorer.exe
1892	explorer.exe
4616	svchost.exe
4616	svchost.exe
1892	explorer.exe
1892	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1892 explorer.exe
4616 svchost.exe

pid	process
1892	explorer.exe
4616	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3292	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
3292	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
1892	explorer.exe
1892	explorer.exe
4564	spoolsv.exe
4564	spoolsv.exe
4616	svchost.exe
4616	svchost.exe
5032	spoolsv.exe
5032	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3292 wrote to memory of 1892	3292	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe	explorer.exe
PID 3292 wrote to memory of 1892	3292	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe	explorer.exe
PID 3292 wrote to memory of 1892	3292	f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe	explorer.exe
PID 1892 wrote to memory of 4564	1892	explorer.exe	spoolsv.exe
PID 1892 wrote to memory of 4564	1892	explorer.exe	spoolsv.exe
PID 1892 wrote to memory of 4564	1892	explorer.exe	spoolsv.exe
PID 4564 wrote to memory of 4616	4564	spoolsv.exe	svchost.exe
PID 4564 wrote to memory of 4616	4564	spoolsv.exe	svchost.exe
PID 4564 wrote to memory of 4616	4564	spoolsv.exe	svchost.exe
PID 4616 wrote to memory of 5032	4616	svchost.exe	spoolsv.exe
PID 4616 wrote to memory of 5032	4616	svchost.exe	spoolsv.exe
PID 4616 wrote to memory of 5032	4616	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
"C:\Users\Admin\AppData\Local\Temp\f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3292

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4616

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe
Filesize
121KB

MD5
29a2c406abe6a58a6bfbc10cd083092a

SHA1
0f42aef60e8619da084497c3a01d3ec67b067b72

SHA256
8753001b7250e9dd1c936e9ce6e4a29a26a4fe5704a2e22bc2d01c3ddb0ca9c4

SHA512
507163cfd7260ef03bf22990f5fae2c8fc3f861242307d03a32d12f16858cb2820f3057591d6b57398bcfa1bbb0a7b61a777642edddf5f131dcf81b06db29f87

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
121KB

MD5
bcdd8dd298ab9e3e54b5bed0eacdf324

SHA1
d0f2b8161073dcd71f5cab997caa63942739b66d

SHA256
a5f69c72e6d700140b60d19f5034f8289542067edc6e3e96253a8100efaf811e

SHA512
235e88981bc073daa7cac13bf2f1ccb0ba0d8c5cb2a71ffb634b724fc254c988d40238cfbed34bd86fc8882ce05b4c35b02f3206f225ace3309b2889e66b00da

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
121KB

MD5
ea1669311afb01c62a76cbc8ad400d21

SHA1
f965667f56317d919ebcf0f25b1bf19f10cb1bdd

SHA256
bed5af81efbac455b8e9e0a9c25cee7c6f9630dade8557f46f400f06ad4f61f0

SHA512
dfecd616e68a40efe64f03eb989b37d391310044314756636ca4a9b0a3d10729c37e32d9ecc7ec102c833ba09eba02e6f8ce39a571d88f1f273a4d31bed39b52

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads