Analysis
- max time kernel: 150s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-04-2024 04:40
Static task: static1
Behavioral task: behavioral1
- Sample: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
- Resource: win10v2004-20240412-en
General
- Target: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
- Size: 135KB
- MD5: 1d0a66f30196a3f2590cd3d9e4f797d9
- SHA1: 75e713603788c63e69610922a1c9f2e1472e9e94
- SHA256: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50
- SHA512: fd370dd449a5f0dcc2b389bf32433c97147c1560c53e5fbd00f7314a90ecbbb3b37a9e69ce80f59ab3e376bb26dfcbc8ba1b428fc2dc7ffb65bebac908a96d1e
- SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVIU:UVqoCl/YgjxEufVU0TbTyDDal+U
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Processes: explorer.exe, svchost.exe
  Set value (int): \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)
- Executes dropped EXE (4 IoCs)
  Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid 1836 explorer.exe
  pid 4356 spoolsv.exe
  pid 8 svchost.exe
  pid 4112 spoolsv.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: explorer.exe, svchost.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (explorer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (explorer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (svchost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (svchost.exe)
- Drops file in System32 directory (2 IoCs)
  Processes: explorer.exe, svchost.exe
  File opened for modification: C:\Windows\SysWOW64\explorer.exe (explorer.exe)
  File opened for modification: C:\Windows\SysWOW64\explorer.exe (svchost.exe)
- Drops file in Windows directory (4 IoCs)
  Processes: explorer.exe, e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe, spoolsv.exe
  File opened for modification: C:\Windows\Resources\tjud.exe (explorer.exe)
  File opened for modification: \??\c:\windows\resources\themes\explorer.exe (e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe)
  File opened for modification: \??\c:\windows\resources\spoolsv.exe (explorer.exe)
  File opened for modification: \??\c:\windows\resources\svchost.exe (spoolsv.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe, explorer.exe
  pid 4960 e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe (repeated entries collapsed)
  pid 1836 explorer.exe (repeated entries collapsed)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: explorer.exe, svchost.exe
  pid 1836 explorer.exe
  pid 8 svchost.exe
- Suspicious use of SetWindowsHookEx (10 IoCs)
  Processes: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid 4960 e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe (x2)
  pid 1836 explorer.exe (x2)
  pid 4356 spoolsv.exe (x2)
  pid 8 svchost.exe (x2)
  pid 4112 spoolsv.exe (x2)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe, explorer.exe, spoolsv.exe, svchost.exe
  PID 4960 wrote to memory of 1836: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe -> explorer.exe (x3)
  PID 1836 wrote to memory of 4356: explorer.exe -> spoolsv.exe (x3)
  PID 4356 wrote to memory of 8: spoolsv.exe -> svchost.exe (x3)
  PID 8 wrote to memory of 4112: svchost.exe -> spoolsv.exe (x3)
Processes
1. C:\Users\Admin\AppData\Local\Temp\e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\resources\spoolsv.exe
         Command line: c:\windows\resources\spoolsv.exe SE
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\resources\svchost.exe
            Command line: c:\windows\resources\svchost.exe
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\resources\spoolsv.exe
               Command line: c:\windows\resources\spoolsv.exe PR
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Windows\Resources\Themes\explorer.exe
  Filesize: 135KB
  MD5: cdfb026859a70874a5692b7bb302348e
  SHA1: 3a48b020331f95457323f68700f0a508cfc996f5
  SHA256: 4912da3494e2b30f8fd5f2da153668cdfd571605c4b72dacd3c3652223fc5518
  SHA512: c04290235941178e6eae5d07e8c7d419c458ee68c739f775213a9507c2fe915bb75ed9cc764f6ef053319841e9abb717f080da82554fb735612e89febf80baf3
- C:\Windows\Resources\spoolsv.exe
  Filesize: 135KB
  MD5: 48cc2f05c385866745b200f237acd177
  SHA1: 9695dbc585c4cef07d7b27af017a4db9e1d10ba3
  SHA256: 15426b21a4cccff99a7aec4617fc05a89909e2d6f13f2814be0a291ae878ae8e
  SHA512: c334a819df29dd76bca33a711649499a038eab04ea840ef2b8853a6c8b3bbc7b6ba22646399806d39ffe2ad0e2e561f33d6f719218d310004cd82f80f0d4a9a2
- C:\Windows\Resources\svchost.exe
  Filesize: 135KB
  MD5: dbe6fecc97e04b3551766da536d2c2ac
  SHA1: 074f243f819c9081b549cfe631051c995d4cf006
  SHA256: 665918ae26fdbee27901c619f9dd335892f216acb28d12cd1eee297e954c874d
  SHA512: 638539841f31e33859f7eb3d415ec1b79fc0cab932910ae34f82835013b10daf2276484fb5d14469ed17bf77c0caed2a92980e00a1182c8b1e72287bd6358ee7
- memory/1836-9-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/4112-33-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/4356-34-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/4960-0-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/4960-35-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB