1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 19:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
Size

135KB
MD5

5979cb3f8a939852e8bf8e866fc7e949
SHA1

0785ad12473a0814d96395cb21dd03c1c3641ef9
SHA256

1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439
SHA512

90292c48118686d89192e07f513f56a4f795f23f361a0d202db2cc2355b239dceea88f631906a6e41450f399a06035ed41c2cc51b2b1ae7cdd8e088f055cb246
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVQ/:UVqoCl/YgjxEufVU0TbTyDDal2/

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
1296	explorer.exe
2552	spoolsv.exe
2672	svchost.exe
2604	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
1296	explorer.exe
2552	spoolsv.exe
2672	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2828	schtasks.exe
1700	schtasks.exe
2052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
2672	svchost.exe
2672	svchost.exe
1296	explorer.exe
2672	svchost.exe
1296	explorer.exe
2672	svchost.exe
1296	explorer.exe
2672	svchost.exe
1296	explorer.exe
2672	svchost.exe
1296	explorer.exe
2672	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1296	explorer.exe
2672	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
1296	explorer.exe
1296	explorer.exe
2552	spoolsv.exe
2552	spoolsv.exe
2672	svchost.exe
2672	svchost.exe
2604	spoolsv.exe
2604	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1296	2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe	28
PID 2300 wrote to memory of 1296	2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe	28
PID 2300 wrote to memory of 1296	2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe	28
PID 2300 wrote to memory of 1296	2300	1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe	28
PID 1296 wrote to memory of 2552	1296	explorer.exe	29
PID 1296 wrote to memory of 2552	1296	explorer.exe	29
PID 1296 wrote to memory of 2552	1296	explorer.exe	29
PID 1296 wrote to memory of 2552	1296	explorer.exe	29
PID 2552 wrote to memory of 2672	2552	spoolsv.exe	30
PID 2552 wrote to memory of 2672	2552	spoolsv.exe	30
PID 2552 wrote to memory of 2672	2552	spoolsv.exe	30
PID 2552 wrote to memory of 2672	2552	spoolsv.exe	30
PID 2672 wrote to memory of 2604	2672	svchost.exe	31
PID 2672 wrote to memory of 2604	2672	svchost.exe	31
PID 2672 wrote to memory of 2604	2672	svchost.exe	31
PID 2672 wrote to memory of 2604	2672	svchost.exe	31
PID 1296 wrote to memory of 2728	1296	explorer.exe	32
PID 1296 wrote to memory of 2728	1296	explorer.exe	32
PID 1296 wrote to memory of 2728	1296	explorer.exe	32
PID 1296 wrote to memory of 2728	1296	explorer.exe	32
PID 2672 wrote to memory of 2828	2672	svchost.exe	33
PID 2672 wrote to memory of 2828	2672	svchost.exe	33
PID 2672 wrote to memory of 2828	2672	svchost.exe	33
PID 2672 wrote to memory of 2828	2672	svchost.exe	33
PID 2672 wrote to memory of 1700	2672	svchost.exe	38
PID 2672 wrote to memory of 1700	2672	svchost.exe	38
PID 2672 wrote to memory of 1700	2672	svchost.exe	38
PID 2672 wrote to memory of 1700	2672	svchost.exe	38
PID 2672 wrote to memory of 2052	2672	svchost.exe	40
PID 2672 wrote to memory of 2052	2672	svchost.exe	40
PID 2672 wrote to memory of 2052	2672	svchost.exe	40
PID 2672 wrote to memory of 2052	2672	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe
"C:\Users\Admin\AppData\Local\Temp\1c46d3271c090f1ccf0c745d398a11ff62ddec0ad5a25b70127615390278f439.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1296
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2672
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2604
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:14 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2828
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:15 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1700
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:16 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2052
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
8d462f3e475876b008331949c43ddf77

SHA1
310271ef7dd7d1a577e2c7594ea5968bc0c50a17

SHA256
a0d2530d6665c8af8fa51a8362a372c3b06315b02d7cd246788375c4f7fbd427

SHA512
e504e5e6dd0e7a957796b6c34ca4e527b5102ac73b12c6496535eeb3a4d0fe35e39870a81a434ce0c2c4cd7840ecd7b1ff76d3b995e410d681403f4b35f1211b

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
2d1878a1292d4bf4871958c78ede6980

SHA1
93d70c895b962500e7cd121e9fa5d0407b6e224e

SHA256
39a8a4d8222acfe25be78427f93e19a1b71daec1b0298b0ea8c02446470a0443

SHA512
682df6d52b0e44e1d6911d363fff60e0d31a1d8b151c76f708a936d9227960ff50f32fbe1f18b96c857e5d89b0c041ed264364036b4265a832cb37e037c9c8c9

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
c9e23728cca8f5e2a3f75a2920a5016d

SHA1
13251b1c04350010e91f9612aa2ff4d9ca57a506

SHA256
3e21f1047fe288032d914a94e2612cb4eb8ebb44a2799a35ccf0ecafdd6aa47b

SHA512
38c5b965923e996c55557cd33499bd71ae470f2a34d5ac1df576afe55fb43be6f2c9aa4cea90b55869f2097fa990fc3908f5219ca4a25b84cba5d1482915341a

Download Submit
memory/1296-21-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2300-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2300-10-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2300-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2552-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2604-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2672-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download