ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
Size

135KB
MD5

27580e16d98942bd17c7fc15ee21b3b3
SHA1

fb1f6eb6aa320f19bbbaf053c8f5a8c361ef589b
SHA256

ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5
SHA512

46609d708a3e23642307206ad933e68c535273541cb6decb11bb7a9baf11a67cc7ebaa2444f4854c37e546a679593cca1332e4f5babd6394af2a913d4ab64be3
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVK2:UVqoCl/YgjxEufVU0TbTyDDal82

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2516	explorer.exe
2996	spoolsv.exe
1212	svchost.exe
2564	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
2516	explorer.exe
2996	spoolsv.exe
1212	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2668	schtasks.exe
2800	schtasks.exe
2056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
1212	svchost.exe
1212	svchost.exe
2516	explorer.exe
1212	svchost.exe
2516	explorer.exe
1212	svchost.exe
2516	explorer.exe
1212	svchost.exe
2516	explorer.exe
1212	svchost.exe
2516	explorer.exe
1212	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2516	explorer.exe
1212	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
2516	explorer.exe
2516	explorer.exe
2996	spoolsv.exe
2996	spoolsv.exe
1212	svchost.exe
1212	svchost.exe
2564	spoolsv.exe
2564	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2516	1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe	28
PID 1988 wrote to memory of 2516	1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe	28
PID 1988 wrote to memory of 2516	1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe	28
PID 1988 wrote to memory of 2516	1988	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe	28
PID 2516 wrote to memory of 2996	2516	explorer.exe	29
PID 2516 wrote to memory of 2996	2516	explorer.exe	29
PID 2516 wrote to memory of 2996	2516	explorer.exe	29
PID 2516 wrote to memory of 2996	2516	explorer.exe	29
PID 2996 wrote to memory of 1212	2996	spoolsv.exe	30
PID 2996 wrote to memory of 1212	2996	spoolsv.exe	30
PID 2996 wrote to memory of 1212	2996	spoolsv.exe	30
PID 2996 wrote to memory of 1212	2996	spoolsv.exe	30
PID 1212 wrote to memory of 2564	1212	svchost.exe	31
PID 1212 wrote to memory of 2564	1212	svchost.exe	31
PID 1212 wrote to memory of 2564	1212	svchost.exe	31
PID 1212 wrote to memory of 2564	1212	svchost.exe	31
PID 2516 wrote to memory of 2592	2516	explorer.exe	32
PID 2516 wrote to memory of 2592	2516	explorer.exe	32
PID 2516 wrote to memory of 2592	2516	explorer.exe	32
PID 2516 wrote to memory of 2592	2516	explorer.exe	32
PID 1212 wrote to memory of 2668	1212	svchost.exe	33
PID 1212 wrote to memory of 2668	1212	svchost.exe	33
PID 1212 wrote to memory of 2668	1212	svchost.exe	33
PID 1212 wrote to memory of 2668	1212	svchost.exe	33
PID 1212 wrote to memory of 2800	1212	svchost.exe	38
PID 1212 wrote to memory of 2800	1212	svchost.exe	38
PID 1212 wrote to memory of 2800	1212	svchost.exe	38
PID 1212 wrote to memory of 2800	1212	svchost.exe	38
PID 1212 wrote to memory of 2056	1212	svchost.exe	40
PID 1212 wrote to memory of 2056	1212	svchost.exe	40
PID 1212 wrote to memory of 2056	1212	svchost.exe	40
PID 1212 wrote to memory of 2056	1212	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
"C:\Users\Admin\AppData\Local\Temp\ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2516
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1212
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2564
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:17 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2668
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:18 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2800
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:19 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2056
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
32868ddd73037bec8139722515a882da

SHA1
a05484143ebf0bb8e1894a9e2f02e4351001a5a8

SHA256
e617172885815dd981cf1fcb7dc2a87dcac040dece7f61781e239dc68918b77d

SHA512
0827e583d77a11ae5775eda1b47c39affd3a756480f73d6b6c5094e3bf13669eb3c67ab55f13cf285d765bb2f48fc380915ff15a37403e67bd1297b445ea9e50

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
272285d4f97e19b327fbebf69ac0cc4c

SHA1
176d9f3a42ded30df1e55f5c681d073f057f564b

SHA256
4dd89ab440917113f34dd387c6dbf374c57b351697c918e4857da695da1c5152

SHA512
a2748940c04ff56982f1a504c51a23c476a387f019682ea889fb8c294aa78ec8266147750481e6e2f384cf7abb091361337991b100cb1941075e40067e8dcdaf

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
fc5776a4303375d7897f94bd1967695f

SHA1
bbc3b0dad303e6907171b93d68dbd88546822066

SHA256
1d4119e424260bf1a5e74649f1886bd0a57cb306ab43bfe5159ceffecb894767

SHA512
08cda49fc1a64f80d9188d95992b0e5a2ed676f15af3e6ffb95efc0dad013532c3d9029b86b4a6271a3a17594e47c0566b2cbda3484ab31ffa10d1823aae4db5

Download Submit
memory/1988-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-10-0x0000000000780000-0x000000000079F000-memory.dmp

Filesize
124KB

Download
memory/1988-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2564-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2996-31-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/2996-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download