7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589

General

Target

7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
Size

135KB
MD5

0fa7b57aa73d7e81d2019e3c327dbde6
SHA1

f866b1e97f5d92dceb9e9e302df5c4fa938ab9c9
SHA256

7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589
SHA512

d0b44e540eccb73e7fb1afef3f3c6a91a62584b5474b2f45104ede1ad49b82dc1749bfb0435ad604f75cfbbed27b381235b72e88c3dfda134f38dc368bb1b248
SSDEEP

1536:XfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbg+K:XVqoCl/YgjxEufVU0TbTyDDalZK

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

3004 explorer.exe
2124 spoolsv.exe
2628 svchost.exe
2520 spoolsv.exe
Loads dropped DLL 4 IoCs

Processes:

7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exeexplorer.exespoolsv.exesvchost.exe

pid process

2172 7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3004 explorer.exe
2124 spoolsv.exe
2628 svchost.exe

pid	process
3004	explorer.exe
2124	spoolsv.exe
2628	svchost.exe
2520	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2424 schtasks.exe
616 schtasks.exe
2256 schtasks.exe

pid	process
2424	schtasks.exe
616	schtasks.exe
2256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exeexplorer.exesvchost.exe

pid	process
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
2628	svchost.exe
2628	svchost.exe
3004	explorer.exe
2628	svchost.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
2628	svchost.exe
3004	explorer.exe
3004	explorer.exe
2628	svchost.exe
2628	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

3004 explorer.exe
2628 svchost.exe

pid	process
3004	explorer.exe
2628	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3004	explorer.exe
3004	explorer.exe
2124	spoolsv.exe
2124	spoolsv.exe
2628	svchost.exe
2628	svchost.exe
2520	spoolsv.exe
2520	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2172 wrote to memory of 3004	2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe	explorer.exe
PID 2172 wrote to memory of 3004	2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe	explorer.exe
PID 2172 wrote to memory of 3004	2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe	explorer.exe
PID 2172 wrote to memory of 3004	2172	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe	explorer.exe
PID 3004 wrote to memory of 2124	3004	explorer.exe	spoolsv.exe
PID 3004 wrote to memory of 2124	3004	explorer.exe	spoolsv.exe
PID 3004 wrote to memory of 2124	3004	explorer.exe	spoolsv.exe
PID 3004 wrote to memory of 2124	3004	explorer.exe	spoolsv.exe
PID 2124 wrote to memory of 2628	2124	spoolsv.exe	svchost.exe
PID 2124 wrote to memory of 2628	2124	spoolsv.exe	svchost.exe
PID 2124 wrote to memory of 2628	2124	spoolsv.exe	svchost.exe
PID 2124 wrote to memory of 2628	2124	spoolsv.exe	svchost.exe
PID 2628 wrote to memory of 2520	2628	svchost.exe	spoolsv.exe
PID 2628 wrote to memory of 2520	2628	svchost.exe	spoolsv.exe
PID 2628 wrote to memory of 2520	2628	svchost.exe	spoolsv.exe
PID 2628 wrote to memory of 2520	2628	svchost.exe	spoolsv.exe
PID 3004 wrote to memory of 2556	3004	explorer.exe	Explorer.exe
PID 3004 wrote to memory of 2556	3004	explorer.exe	Explorer.exe
PID 3004 wrote to memory of 2556	3004	explorer.exe	Explorer.exe
PID 3004 wrote to memory of 2556	3004	explorer.exe	Explorer.exe
PID 2628 wrote to memory of 2424	2628	svchost.exe	schtasks.exe
PID 2628 wrote to memory of 2424	2628	svchost.exe	schtasks.exe
PID 2628 wrote to memory of 2424	2628	svchost.exe	schtasks.exe
PID 2628 wrote to memory of 2424	2628	svchost.exe	schtasks.exe
PID 2628 wrote to memory of 616	2628	svchost.exe	schtasks.exe
PID 2628 wrote to memory of 616	2628	svchost.exe	schtasks.exe
PID 2628 wrote to memory of 616	2628	svchost.exe	schtasks.exe
PID 2628 wrote to memory of 616	2628	svchost.exe	schtasks.exe
PID 2628 wrote to memory of 2256	2628	svchost.exe	schtasks.exe
PID 2628 wrote to memory of 2256	2628	svchost.exe	schtasks.exe
PID 2628 wrote to memory of 2256	2628	svchost.exe	schtasks.exe
PID 2628 wrote to memory of 2256	2628	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
"C:\Users\Admin\AppData\Local\Temp\7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:37 /f
5⤵
- Creates scheduled task(s)
PID:2424

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:38 /f
5⤵
- Creates scheduled task(s)
PID:616

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:39 /f
5⤵
- Creates scheduled task(s)
PID:2256

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
3⤵
PID:2556

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
fc9326c15beeda2e6fec65e278b8c706

SHA1
9d4ff4d18488b50a29003105aca8fe72201f18ce

SHA256
203e108b36ce61e9367a389bd0173b6abc83816b9a1058042d4040facb2e4246

SHA512
da156d48a6961c3ff27401501849ecf51a5ef5b301e7a5d89944fba010bd52f0bbb25d97b15343d345b22d7179f247103546e8d4369c2e6e69b63cae47bbbc45

Download Submit
\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
8c475e7824ffd4506746730d47aa2e2f

SHA1
723755cd42a6f99e72036fbdfaa272e2364c77a1

SHA256
b2364c128e8f09357ef6046bfe6a776c50f8af186f2c00ea84a6413151276c1d

SHA512
85fc681298a970821eaa55f37333ec0acdbb15988bd396fd7d11beb908a8ea5bf40fd40c0b3e17ed96a836c028a646bd6a4fe3ef871e38e9ace3a40b8fe3daa6

Download Submit
\Windows\Resources\svchost.exe
Filesize
135KB

MD5
7752209beff7a26a7febd2a31b5224b3

SHA1
76eec90bcc9ebe32fbcccfde5d08a075f5fe42de

SHA256
b86d11f67aab823ba8cfd3ed2ecfc8b89f96b9db6263c37d598ff349a599ba54

SHA512
ad2316cd8bd15692747043c0fada7a42a9dbbeb595cd9926ae958d8ad2b963795d5196236214b013c7a4f63905a55b22c363fe28825a46f483c8342c65d1ad3d

Download Submit
memory/2124-29-0x00000000005C0000-0x00000000005DF000-memory.dmp

Filesize
124KB

Download
memory/2124-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2172-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2172-8-0x0000000000450000-0x000000000046F000-memory.dmp

Filesize
124KB

Download
memory/2172-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2520-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2520-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads