Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 01:35
Static task: static1
Behavioral task: behavioral1
  Sample: 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  Resource: win10v2004-20240426-en
General
Target: 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
Size: 135KB
MD5: 0fa7b57aa73d7e81d2019e3c327dbde6
SHA1: f866b1e97f5d92dceb9e9e302df5c4fa938ab9c9
SHA256: 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589
SHA512: d0b44e540eccb73e7fb1afef3f3c6a91a62584b5474b2f45104ede1ad49b82dc1749bfb0435ad604f75cfbbed27b381235b72e88c3dfda134f38dc368bb1b248
SSDEEP: 1536:XfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbg+K:XVqoCl/YgjxEufVU0TbTyDDalZK
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: svchost.exe, explorer.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  3004 | explorer.exe
  2124 | spoolsv.exe
  2628 | svchost.exe
  2520 | spoolsv.exe
Loads dropped DLL (4 IoCs)
Processes: 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe, explorer.exe, spoolsv.exe, svchost.exe
  pid | process
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  3004 | explorer.exe
  2124 | spoolsv.exe
  2628 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory (2 IoCs)
Processes: explorer.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (4 IoCs)
Processes: 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe, explorer.exe, spoolsv.exe
  description | ioc | process
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe
  pid | process
  2424 | schtasks.exe
  616 | schtasks.exe
  2256 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe, explorer.exe, svchost.exe
  pid | process
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  2628 | svchost.exe
  2628 | svchost.exe
  2628 | svchost.exe
  2628 | svchost.exe
  2628 | svchost.exe
  2628 | svchost.exe
  2628 | svchost.exe
  2628 | svchost.exe
  2628 | svchost.exe
  2628 | svchost.exe
  2628 | svchost.exe
  2628 | svchost.exe
  2628 | svchost.exe
  2628 | svchost.exe
  2628 | svchost.exe
  2628 | svchost.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  2628 | svchost.exe
  2628 | svchost.exe
  3004 | explorer.exe
  2628 | svchost.exe
  3004 | explorer.exe
  3004 | explorer.exe
  3004 | explorer.exe
  2628 | svchost.exe
  3004 | explorer.exe
  3004 | explorer.exe
  2628 | svchost.exe
  2628 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
  pid | process
  3004 | explorer.exe
  2628 | svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
Processes: 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  3004 | explorer.exe
  3004 | explorer.exe
  2124 | spoolsv.exe
  2124 | spoolsv.exe
  2628 | svchost.exe
  2628 | svchost.exe
  2520 | spoolsv.exe
  2520 | spoolsv.exe
Suspicious use of WriteProcessMemory (32 IoCs)
Processes: 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe, explorer.exe, spoolsv.exe, svchost.exe
  description | pid | process | target process
  PID 2172 wrote to memory of 3004 | 2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe | explorer.exe
  PID 2172 wrote to memory of 3004 | 2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe | explorer.exe
  PID 2172 wrote to memory of 3004 | 2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe | explorer.exe
  PID 2172 wrote to memory of 3004 | 2172 | 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe | explorer.exe
  PID 3004 wrote to memory of 2124 | 3004 | explorer.exe | spoolsv.exe
  PID 3004 wrote to memory of 2124 | 3004 | explorer.exe | spoolsv.exe
  PID 3004 wrote to memory of 2124 | 3004 | explorer.exe | spoolsv.exe
  PID 3004 wrote to memory of 2124 | 3004 | explorer.exe | spoolsv.exe
  PID 2124 wrote to memory of 2628 | 2124 | spoolsv.exe | svchost.exe
  PID 2124 wrote to memory of 2628 | 2124 | spoolsv.exe | svchost.exe
  PID 2124 wrote to memory of 2628 | 2124 | spoolsv.exe | svchost.exe
  PID 2124 wrote to memory of 2628 | 2124 | spoolsv.exe | svchost.exe
  PID 2628 wrote to memory of 2520 | 2628 | svchost.exe | spoolsv.exe
  PID 2628 wrote to memory of 2520 | 2628 | svchost.exe | spoolsv.exe
  PID 2628 wrote to memory of 2520 | 2628 | svchost.exe | spoolsv.exe
  PID 2628 wrote to memory of 2520 | 2628 | svchost.exe | spoolsv.exe
  PID 3004 wrote to memory of 2556 | 3004 | explorer.exe | Explorer.exe
  PID 3004 wrote to memory of 2556 | 3004 | explorer.exe | Explorer.exe
  PID 3004 wrote to memory of 2556 | 3004 | explorer.exe | Explorer.exe
  PID 3004 wrote to memory of 2556 | 3004 | explorer.exe | Explorer.exe
  PID 2628 wrote to memory of 2424 | 2628 | svchost.exe | schtasks.exe
  PID 2628 wrote to memory of 2424 | 2628 | svchost.exe | schtasks.exe
  PID 2628 wrote to memory of 2424 | 2628 | svchost.exe | schtasks.exe
  PID 2628 wrote to memory of 2424 | 2628 | svchost.exe | schtasks.exe
  PID 2628 wrote to memory of 616 | 2628 | svchost.exe | schtasks.exe
  PID 2628 wrote to memory of 616 | 2628 | svchost.exe | schtasks.exe
  PID 2628 wrote to memory of 616 | 2628 | svchost.exe | schtasks.exe
  PID 2628 wrote to memory of 616 | 2628 | svchost.exe | schtasks.exe
  PID 2628 wrote to memory of 2256 | 2628 | svchost.exe | schtasks.exe
  PID 2628 wrote to memory of 2256 | 2628 | svchost.exe | schtasks.exe
  PID 2628 wrote to memory of 2256 | 2628 | svchost.exe | schtasks.exe
  PID 2628 wrote to memory of 2256 | 2628 | svchost.exe | schtasks.exe
Processes
C:\Users\Admin\AppData\Local\Temp\7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\resources\themes\explorer.exe
    Command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\resources\spoolsv.exe
      Command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\resources\svchost.exe
        Command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:37 /f
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:38 /f
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:39 /f
          - Creates scheduled task(s)
    C:\Windows\Explorer.exe
      Command line: C:\Windows\Explorer.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads
C:\Windows\Resources\spoolsv.exe
  Filesize: 135KB
  MD5: fc9326c15beeda2e6fec65e278b8c706
  SHA1: 9d4ff4d18488b50a29003105aca8fe72201f18ce
  SHA256: 203e108b36ce61e9367a389bd0173b6abc83816b9a1058042d4040facb2e4246
  SHA512: da156d48a6961c3ff27401501849ecf51a5ef5b301e7a5d89944fba010bd52f0bbb25d97b15343d345b22d7179f247103546e8d4369c2e6e69b63cae47bbbc45
\Windows\Resources\Themes\explorer.exe
  Filesize: 135KB
  MD5: 8c475e7824ffd4506746730d47aa2e2f
  SHA1: 723755cd42a6f99e72036fbdfaa272e2364c77a1
  SHA256: b2364c128e8f09357ef6046bfe6a776c50f8af186f2c00ea84a6413151276c1d
  SHA512: 85fc681298a970821eaa55f37333ec0acdbb15988bd396fd7d11beb908a8ea5bf40fd40c0b3e17ed96a836c028a646bd6a4fe3ef871e38e9ace3a40b8fe3daa6
\Windows\Resources\svchost.exe
  Filesize: 135KB
  MD5: 7752209beff7a26a7febd2a31b5224b3
  SHA1: 76eec90bcc9ebe32fbcccfde5d08a075f5fe42de
  SHA256: b86d11f67aab823ba8cfd3ed2ecfc8b89f96b9db6263c37d598ff349a599ba54
  SHA512: ad2316cd8bd15692747043c0fada7a42a9dbbeb595cd9926ae958d8ad2b963795d5196236214b013c7a4f63905a55b22c363fe28825a46f483c8342c65d1ad3d
memory/2124-29-0x00000000005C0000-0x00000000005DF000-memory.dmp
  Filesize: 124KB
memory/2124-43-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
memory/2172-0-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
memory/2172-8-0x0000000000450000-0x000000000046F000-memory.dmp
  Filesize: 124KB
memory/2172-44-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
memory/2520-40-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
memory/2520-42-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB