0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9

General

Target

0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
Size

135KB
MD5

130dde846901b9301657e6f10f4b5320
SHA1

11e55f65af1bfa54c8e542267f59bc3545b62652
SHA256

0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9
SHA512

d521f05934159521099cb17401032e396d92990198fd8fbac3455314c9acf15cfb5c5c87cbd590375993de0313b59e0d5437c46a7edd0cae4d218d81ca4b1a66
SSDEEP

3072:XVqoCl/YgjxEufVU0TbTyDDaljXcHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH/:XsLqdufVUNDae

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2096 explorer.exe
1676 spoolsv.exe
2040 svchost.exe
2648 spoolsv.exe
Loads dropped DLL 4 IoCs

Processes:

0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exeexplorer.exespoolsv.exesvchost.exe

pid process

1196 0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
2096 explorer.exe
1676 spoolsv.exe
2040 svchost.exe

pid	process
2096	explorer.exe
1676	spoolsv.exe
2040	svchost.exe
2648	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2680 schtasks.exe
1940 schtasks.exe
2280 schtasks.exe

pid	process
2680	schtasks.exe
1940	schtasks.exe
2280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exeexplorer.exesvchost.exe

pid	process
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2040	svchost.exe
2040	svchost.exe
2096	explorer.exe
2040	svchost.exe
2096	explorer.exe
2040	svchost.exe
2040	svchost.exe
2096	explorer.exe
2040	svchost.exe
2096	explorer.exe
2040	svchost.exe
2096	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2096 explorer.exe
2040 svchost.exe

pid	process
2096	explorer.exe
2040	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
2096	explorer.exe
2096	explorer.exe
1676	spoolsv.exe
1676	spoolsv.exe
2040	svchost.exe
2040	svchost.exe
2648	spoolsv.exe
2648	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1196 wrote to memory of 2096	1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe	explorer.exe
PID 1196 wrote to memory of 2096	1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe	explorer.exe
PID 1196 wrote to memory of 2096	1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe	explorer.exe
PID 1196 wrote to memory of 2096	1196	0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe	explorer.exe
PID 2096 wrote to memory of 1676	2096	explorer.exe	spoolsv.exe
PID 2096 wrote to memory of 1676	2096	explorer.exe	spoolsv.exe
PID 2096 wrote to memory of 1676	2096	explorer.exe	spoolsv.exe
PID 2096 wrote to memory of 1676	2096	explorer.exe	spoolsv.exe
PID 1676 wrote to memory of 2040	1676	spoolsv.exe	svchost.exe
PID 1676 wrote to memory of 2040	1676	spoolsv.exe	svchost.exe
PID 1676 wrote to memory of 2040	1676	spoolsv.exe	svchost.exe
PID 1676 wrote to memory of 2040	1676	spoolsv.exe	svchost.exe
PID 2040 wrote to memory of 2648	2040	svchost.exe	spoolsv.exe
PID 2040 wrote to memory of 2648	2040	svchost.exe	spoolsv.exe
PID 2040 wrote to memory of 2648	2040	svchost.exe	spoolsv.exe
PID 2040 wrote to memory of 2648	2040	svchost.exe	spoolsv.exe
PID 2096 wrote to memory of 3016	2096	explorer.exe	Explorer.exe
PID 2096 wrote to memory of 3016	2096	explorer.exe	Explorer.exe
PID 2096 wrote to memory of 3016	2096	explorer.exe	Explorer.exe
PID 2096 wrote to memory of 3016	2096	explorer.exe	Explorer.exe
PID 2040 wrote to memory of 2680	2040	svchost.exe	schtasks.exe
PID 2040 wrote to memory of 2680	2040	svchost.exe	schtasks.exe
PID 2040 wrote to memory of 2680	2040	svchost.exe	schtasks.exe
PID 2040 wrote to memory of 2680	2040	svchost.exe	schtasks.exe
PID 2040 wrote to memory of 1940	2040	svchost.exe	schtasks.exe
PID 2040 wrote to memory of 1940	2040	svchost.exe	schtasks.exe
PID 2040 wrote to memory of 1940	2040	svchost.exe	schtasks.exe
PID 2040 wrote to memory of 1940	2040	svchost.exe	schtasks.exe
PID 2040 wrote to memory of 2280	2040	svchost.exe	schtasks.exe
PID 2040 wrote to memory of 2280	2040	svchost.exe	schtasks.exe
PID 2040 wrote to memory of 2280	2040	svchost.exe	schtasks.exe
PID 2040 wrote to memory of 2280	2040	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
"C:\Users\Admin\AppData\Local\Temp\0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2096
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2040
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2648
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:18 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2680
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:19 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1940
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:20 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2280
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
b7554442dd4d1bbd0421918eff7241ce

SHA1
b912b53d1510d201a5ba365da2d32f29e3779811

SHA256
ed6c378991d07550da5eb67ee5eb9fdca38cc48b6dae8330cf8bf20487886025

SHA512
742a5f417a8252807b5d258f25ddb215f2bbfd6a9179fcbd5bd12e5f2c79a7449d72d09c7faab65eff491c094c25cbf761922752aa9002a80b8df3a1fb8c468c

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
184cb94072c4a1a1387e855f21e912d2

SHA1
7efd7c7b1752ac74bd051b85e1e18b710232e268

SHA256
d8f0c015dbbb035612fff50a405a7d5404f2ef0fde60e8da8c810341b539bb1a

SHA512
db3b9144f389b7870d9ac96e54ad37954d455fa4c712174018ab63e237245c5e40c6da7ca9954820062ca367a6a971c807f62ed7fe246582cbd273410da482e5

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
06fe66d0d7d5e068d228048a9aeaecb5

SHA1
dca0615c356710128510d0d6a32e7f131dc0fae2

SHA256
460243ab1d7b0756b8cafd3a331bce2b0e40ffe3db522a0b4390cd3b018bfeb6

SHA512
60c7a847cc58519a4fac3f8d6aba862e4f32f722a54c4bf1986a2acce2ad9b87ffdec61d7f8972513c3464208be6e18fd3bd7260b7a11af2d2e8282872334e07

Download Submit
memory/1196-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1196-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1676-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-36-0x0000000000380000-0x000000000039F000-memory.dmp

Filesize
124KB

Download
memory/2096-20-0x0000000000360000-0x000000000037F000-memory.dmp

Filesize
124KB

Download
memory/2648-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads