ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
Size

135KB
MD5

27580e16d98942bd17c7fc15ee21b3b3
SHA1

fb1f6eb6aa320f19bbbaf053c8f5a8c361ef589b
SHA256

ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5
SHA512

46609d708a3e23642307206ad933e68c535273541cb6decb11bb7a9baf11a67cc7ebaa2444f4854c37e546a679593cca1332e4f5babd6394af2a913d4ab64be3
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVK2:UVqoCl/YgjxEufVU0TbTyDDal82

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4392	explorer.exe
1104	spoolsv.exe
2832	svchost.exe
4792	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4392	explorer.exe
2832	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
4392	explorer.exe
4392	explorer.exe
1104	spoolsv.exe
1104	spoolsv.exe
2832	svchost.exe
2832	svchost.exe
4792	spoolsv.exe
4792	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4392	4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe	82
PID 4740 wrote to memory of 4392	4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe	82
PID 4740 wrote to memory of 4392	4740	ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe	82
PID 4392 wrote to memory of 1104	4392	explorer.exe	83
PID 4392 wrote to memory of 1104	4392	explorer.exe	83
PID 4392 wrote to memory of 1104	4392	explorer.exe	83
PID 1104 wrote to memory of 2832	1104	spoolsv.exe	85
PID 1104 wrote to memory of 2832	1104	spoolsv.exe	85
PID 1104 wrote to memory of 2832	1104	spoolsv.exe	85
PID 2832 wrote to memory of 4792	2832	svchost.exe	86
PID 2832 wrote to memory of 4792	2832	svchost.exe	86
PID 2832 wrote to memory of 4792	2832	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe
"C:\Users\Admin\AppData\Local\Temp\ee2fd8cfd4cf2626509b165bd26eaccb406f8336ae23146bc231677f601b70f5.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4392
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2832
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
e482f1d363e92d0efa0414751308fb46

SHA1
bdffcc2116184ca9116a8fe9006c10b9181392bf

SHA256
fdf66f56a91fe04f4becf1f858f597cec591ce3e6643eae9ce3744c40d58f8e7

SHA512
1a8dfd1842d61620dd1fec611a402a63e26af583693d63c54d827b04c207718cd672afc6b71bce1ab719fe71942ffd67d914522691d9465acb66baf2128149c5

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
7f7dc4ab34e0d65734fd4aff0f659d3a

SHA1
213d921ff3cb4618bc09331035d6a4e1bcbe30dd

SHA256
39df95b06cd52ba4c91c7abf3bce9e3e4c0a90766437b673eca381d644d8b1b6

SHA512
0f5da521b638acf3c3e3335b401151893baad02781fa02ae85ffd797c83b0136fd63a593dd60bf60250b590a3dc880380910c3e4e919a5be98646849f60af40b

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
1e64e87737c38e882876b95964624fa2

SHA1
b4882e5afa2dd7cc0d6d6eeabab850d480516980

SHA256
79c3100ab8e2b5775098db5f643c4b7930199aab7388675b7102433252ae6bdb

SHA512
fe9ad4e39034a30603847350acd5d66e1e77bb593bbe87f0d4da7c0de6a5e167a659e317a7ac915d5d1922c4435699c0857bff50a593aba930236217ef53f1df

Download Submit
memory/1104-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1104-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4740-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4740-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4792-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download