Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25-04-2024 04:40
Static task: static1
Behavioral task: behavioral1
- Sample: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
- Resource: win10v2004-20240412-en
General
- Target: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
- Size: 135KB
- MD5: 1d0a66f30196a3f2590cd3d9e4f797d9
- SHA1: 75e713603788c63e69610922a1c9f2e1472e9e94
- SHA256: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50
- SHA512: fd370dd449a5f0dcc2b389bf32433c97147c1560c53e5fbd00f7314a90ecbbb3b37a9e69ce80f59ab3e376bb26dfcbc8ba1b428fc2dc7ffb65bebac908a96d1e
- SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVIU:UVqoCl/YgjxEufVU0TbTyDDal+U
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
- Executes dropped EXE (4 IoCs)
  Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  2388 | explorer.exe
  1420 | spoolsv.exe
  2556 | svchost.exe
  2704 | spoolsv.exe
- Loads dropped DLL (4 IoCs)
  Processes: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe, explorer.exe, spoolsv.exe, svchost.exe
  pid | process
  1036 | e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
  2388 | explorer.exe
  1420 | spoolsv.exe
  2556 | svchost.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
- Drops file in System32 directory (2 IoCs)
  Processes: explorer.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
- Drops file in Windows directory (4 IoCs)
  Processes: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe, explorer.exe, spoolsv.exe
  description | ioc | process
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
- Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe, schtasks.exe
  pid | process
  2284 | schtasks.exe
  2476 | schtasks.exe
  2780 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe, explorer.exe, svchost.exe
  pid | process (the 64 hits are repeated entries for these three processes; duplicates collapsed)
  1036 | e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
  2388 | explorer.exe
  2556 | svchost.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: explorer.exe, svchost.exe
  pid | process
  2388 | explorer.exe
  2556 | svchost.exe
- Suspicious use of SetWindowsHookEx (10 IoCs)
  Processes: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process (each process is listed twice in the raw report; duplicates collapsed)
  1036 | e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
  2388 | explorer.exe
  1420 | spoolsv.exe
  2556 | svchost.exe
  2704 | spoolsv.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe, explorer.exe, spoolsv.exe, svchost.exe
  description | pid | process | target process (each pair is listed four times in the raw report; duplicates collapsed)
  PID 1036 wrote to memory of 2388 | 1036 | e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe | explorer.exe
  PID 2388 wrote to memory of 1420 | 2388 | explorer.exe | spoolsv.exe
  PID 1420 wrote to memory of 2556 | 1420 | spoolsv.exe | svchost.exe
  PID 2556 wrote to memory of 2704 | 2556 | svchost.exe | spoolsv.exe
  PID 2388 wrote to memory of 3032 | 2388 | explorer.exe | Explorer.exe
  PID 2556 wrote to memory of 2476 | 2556 | svchost.exe | schtasks.exe
  PID 2556 wrote to memory of 2780 | 2556 | svchost.exe | schtasks.exe
  PID 2556 wrote to memory of 2284 | 2556 | svchost.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\resources\themes\explorer.exe (depth 2)
    Command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\spoolsv.exe (depth 3)
      Command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\svchost.exe (depth 4)
        Command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\spoolsv.exe (depth 5)
          Command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\schtasks.exe (depth 5)
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:42 /f
          - Creates scheduled task(s)
        - C:\Windows\SysWOW64\schtasks.exe (depth 5)
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:43 /f
          - Creates scheduled task(s)
        - C:\Windows\SysWOW64\schtasks.exe (depth 5)
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:44 /f
          - Creates scheduled task(s)
    - C:\Windows\Explorer.exe (depth 3)
      Command line: C:\Windows\Explorer.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads
- C:\Windows\Resources\spoolsv.exe
  Filesize: 135KB
  MD5: 1776fb75867cd4824b524a793265ab16
  SHA1: ed10b129e1bd146019bd5b10fa63a7a962d3ccc9
  SHA256: d38974f03623a3b95382abf358ad5b40357991441159b219d4e24bc0b4baef36
  SHA512: c047eaed6a95a37d058223b3ea89e3cde04a95f12840ae01c354d4d9b7daa55a6182df038693a1529ec6321c4a049073535d4d4c51006e8a70d45419d29b1919
- \Windows\Resources\Themes\explorer.exe
  Filesize: 135KB
  MD5: de6b213fa4a119cd858d1448715c0241
  SHA1: 3846c8cb24b7a7e3bb9af096951d1f1c932f4235
  SHA256: cecce2f94c0bc80843905f927fc21b8671f6ee018877ded1dfed26bdaef5f366
  SHA512: 71a6f8ead4c34384c9712d1aa106cb87310ad75c8db7de63b5f3c8ba9bdf75f04c655cf34759763da2cb92d3e131c62ca8b5fa5bec6b0ca77f787eba6f1c914d
- \Windows\Resources\svchost.exe
  Filesize: 135KB
  MD5: a027451244e6484ae6b8317782e9e248
  SHA1: 1489d1f98e17fc40690c26aa5d00e43d090d9437
  SHA256: 1562c5142e39dc3f0aac8e476b5b0bdc9acda9b7bb9a15f1d918b549618422ae
  SHA512: 0f1c375a73ca158746c21dcdff6b3883671e0891f4c2153f62b4d7a4ae1d2395b2d095dca7a41a3c1bae24d4a5601e29ecf51ba93fc456ed6403ca584acedb34
- memory/1036-0-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/1036-43-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/1420-42-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/2388-20-0x0000000001CB0000-0x0000000001CCF000-memory.dmp
  Filesize: 124KB
- memory/2556-37-0x0000000000290000-0x00000000002AF000-memory.dmp
  Filesize: 124KB
- memory/2704-41-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB