e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50

General

Target

e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
Size

135KB
MD5

1d0a66f30196a3f2590cd3d9e4f797d9
SHA1

75e713603788c63e69610922a1c9f2e1472e9e94
SHA256

e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50
SHA512

fd370dd449a5f0dcc2b389bf32433c97147c1560c53e5fbd00f7314a90ecbbb3b37a9e69ce80f59ab3e376bb26dfcbc8ba1b428fc2dc7ffb65bebac908a96d1e
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVIU:UVqoCl/YgjxEufVU0TbTyDDal+U

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2388 explorer.exe
1420 spoolsv.exe
2556 svchost.exe
2704 spoolsv.exe
Loads dropped DLL 4 IoCs

Processes:

e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exeexplorer.exespoolsv.exesvchost.exe

pid process

1036 e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
2388 explorer.exe
1420 spoolsv.exe
2556 svchost.exe

pid	process
2388	explorer.exe
1420	spoolsv.exe
2556	svchost.exe
2704	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2284 schtasks.exe
2476 schtasks.exe
2780 schtasks.exe

pid	process
2284	schtasks.exe
2476	schtasks.exe
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exeexplorer.exesvchost.exe

pid	process
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2388	explorer.exe
2388	explorer.exe
2388	explorer.exe
2556	svchost.exe
2556	svchost.exe
2388	explorer.exe
2556	svchost.exe
2388	explorer.exe
2556	svchost.exe
2388	explorer.exe
2556	svchost.exe
2388	explorer.exe
2556	svchost.exe
2388	explorer.exe
2556	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2388 explorer.exe
2556 svchost.exe

pid	process
2388	explorer.exe
2556	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
2388	explorer.exe
2388	explorer.exe
1420	spoolsv.exe
1420	spoolsv.exe
2556	svchost.exe
2556	svchost.exe
2704	spoolsv.exe
2704	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1036 wrote to memory of 2388	1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe	explorer.exe
PID 1036 wrote to memory of 2388	1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe	explorer.exe
PID 1036 wrote to memory of 2388	1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe	explorer.exe
PID 1036 wrote to memory of 2388	1036	e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe	explorer.exe
PID 2388 wrote to memory of 1420	2388	explorer.exe	spoolsv.exe
PID 2388 wrote to memory of 1420	2388	explorer.exe	spoolsv.exe
PID 2388 wrote to memory of 1420	2388	explorer.exe	spoolsv.exe
PID 2388 wrote to memory of 1420	2388	explorer.exe	spoolsv.exe
PID 1420 wrote to memory of 2556	1420	spoolsv.exe	svchost.exe
PID 1420 wrote to memory of 2556	1420	spoolsv.exe	svchost.exe
PID 1420 wrote to memory of 2556	1420	spoolsv.exe	svchost.exe
PID 1420 wrote to memory of 2556	1420	spoolsv.exe	svchost.exe
PID 2556 wrote to memory of 2704	2556	svchost.exe	spoolsv.exe
PID 2556 wrote to memory of 2704	2556	svchost.exe	spoolsv.exe
PID 2556 wrote to memory of 2704	2556	svchost.exe	spoolsv.exe
PID 2556 wrote to memory of 2704	2556	svchost.exe	spoolsv.exe
PID 2388 wrote to memory of 3032	2388	explorer.exe	Explorer.exe
PID 2388 wrote to memory of 3032	2388	explorer.exe	Explorer.exe
PID 2388 wrote to memory of 3032	2388	explorer.exe	Explorer.exe
PID 2388 wrote to memory of 3032	2388	explorer.exe	Explorer.exe
PID 2556 wrote to memory of 2476	2556	svchost.exe	schtasks.exe
PID 2556 wrote to memory of 2476	2556	svchost.exe	schtasks.exe
PID 2556 wrote to memory of 2476	2556	svchost.exe	schtasks.exe
PID 2556 wrote to memory of 2476	2556	svchost.exe	schtasks.exe
PID 2556 wrote to memory of 2780	2556	svchost.exe	schtasks.exe
PID 2556 wrote to memory of 2780	2556	svchost.exe	schtasks.exe
PID 2556 wrote to memory of 2780	2556	svchost.exe	schtasks.exe
PID 2556 wrote to memory of 2780	2556	svchost.exe	schtasks.exe
PID 2556 wrote to memory of 2284	2556	svchost.exe	schtasks.exe
PID 2556 wrote to memory of 2284	2556	svchost.exe	schtasks.exe
PID 2556 wrote to memory of 2284	2556	svchost.exe	schtasks.exe
PID 2556 wrote to memory of 2284	2556	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
"C:\Users\Admin\AppData\Local\Temp\e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1036

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:42 /f
5⤵
- Creates scheduled task(s)
PID:2476

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:43 /f
5⤵
- Creates scheduled task(s)
PID:2780

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:44 /f
5⤵
- Creates scheduled task(s)
PID:2284

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
3⤵
PID:3032

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
1776fb75867cd4824b524a793265ab16

SHA1
ed10b129e1bd146019bd5b10fa63a7a962d3ccc9

SHA256
d38974f03623a3b95382abf358ad5b40357991441159b219d4e24bc0b4baef36

SHA512
c047eaed6a95a37d058223b3ea89e3cde04a95f12840ae01c354d4d9b7daa55a6182df038693a1529ec6321c4a049073535d4d4c51006e8a70d45419d29b1919

Download Submit
\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
de6b213fa4a119cd858d1448715c0241

SHA1
3846c8cb24b7a7e3bb9af096951d1f1c932f4235

SHA256
cecce2f94c0bc80843905f927fc21b8671f6ee018877ded1dfed26bdaef5f366

SHA512
71a6f8ead4c34384c9712d1aa106cb87310ad75c8db7de63b5f3c8ba9bdf75f04c655cf34759763da2cb92d3e131c62ca8b5fa5bec6b0ca77f787eba6f1c914d

Download Submit
\Windows\Resources\svchost.exe
Filesize
135KB

MD5
a027451244e6484ae6b8317782e9e248

SHA1
1489d1f98e17fc40690c26aa5d00e43d090d9437

SHA256
1562c5142e39dc3f0aac8e476b5b0bdc9acda9b7bb9a15f1d918b549618422ae

SHA512
0f1c375a73ca158746c21dcdff6b3883671e0891f4c2153f62b4d7a4ae1d2395b2d095dca7a41a3c1bae24d4a5601e29ecf51ba93fc456ed6403ca584acedb34

Download Submit
memory/1036-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1036-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1420-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2388-20-0x0000000001CB0000-0x0000000001CCF000-memory.dmp

Filesize
124KB

Download
memory/2556-37-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/2704-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads