720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 23:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
Size

135KB
MD5

17f0cdb95b66d02b3367560cb1f8d566
SHA1

a439e14a54806d76b66bd706449ffa5745e9dd72
SHA256

720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7
SHA512

ff2134abe47219f0f249ffb956aa9fc939308dc826e0c2e03e411617e4d26d65bc9905b37e0c798b9278aae1a158f6ff4bc32d5e724b68d2f4bb7b6012aa09ef
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVhpal5:UVqoCl/YgjxEufVU0TbTyDDalQl5

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3184	explorer.exe
316	spoolsv.exe
1772	svchost.exe
1956	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe
3184	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3184	explorer.exe
1772	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
3184	explorer.exe
3184	explorer.exe
316	spoolsv.exe
316	spoolsv.exe
1772	svchost.exe
1772	svchost.exe
1956	spoolsv.exe
1956	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 3184	4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe	82
PID 4568 wrote to memory of 3184	4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe	82
PID 4568 wrote to memory of 3184	4568	720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe	82
PID 3184 wrote to memory of 316	3184	explorer.exe	83
PID 3184 wrote to memory of 316	3184	explorer.exe	83
PID 3184 wrote to memory of 316	3184	explorer.exe	83
PID 316 wrote to memory of 1772	316	spoolsv.exe	84
PID 316 wrote to memory of 1772	316	spoolsv.exe	84
PID 316 wrote to memory of 1772	316	spoolsv.exe	84
PID 1772 wrote to memory of 1956	1772	svchost.exe	85
PID 1772 wrote to memory of 1956	1772	svchost.exe	85
PID 1772 wrote to memory of 1956	1772	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe
"C:\Users\Admin\AppData\Local\Temp\720b1b84d84a3db109045395cfc4fa73ed69ae08aad4017f93c189fc5744edc7.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4568
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3184
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:316
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1772
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
cbae96688f7f72d6a6a2d63bb3222d0a

SHA1
a69f9abc0699ba41ac600dfcc706b3f75bcd7a2d

SHA256
eee93ed405ccfb4b6b9dd44aa4c6c080b15e6e9e3028b00296bfabe18d1a2d61

SHA512
52feaf802ad1e627a110dfe81d1c31a54254c31adbe81274be84a2202fba7bc5e036651b801d10686706ebdecf83c34149196d94e441a9053d19351a4bb73fda

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
4345084eb4472a06ece45e23a19fa16a

SHA1
18d5322b8b8220e86f357f2acb52cfc7f4bd3c1f

SHA256
dc573c0363d96b37130b9fda124023a5b2dcc46283fe98444c4114b08de06382

SHA512
142e667abd4f4eae014392e2cf3ae4ae41ad2e9c8975a472563f98ce1d55353f6351fb29ef9b4512a6ac50119e3eb3fa932488588cfae5850e79e4645610699c

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
f643add8ef3af049e5ecd8ac2ac70ca3

SHA1
1f9be7cf2c2b36a38da96b4e342b3b4de3c86b79

SHA256
fc055cdce6d741a5d63bd3001256e595b77975f35526d4ae3c135178deef82b5

SHA512
e15ff2d953025e493cc1fefa0472b46c497a1bc5e1af47790d331ca699100537594455d848a2cb14f5e6c904b38f28bd9227a86c7e774024a12a4ab199fd9af2

Download Submit
memory/316-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/316-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4568-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4568-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download