7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589

General

Target

7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
Size

135KB
MD5

0fa7b57aa73d7e81d2019e3c327dbde6
SHA1

f866b1e97f5d92dceb9e9e302df5c4fa938ab9c9
SHA256

7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589
SHA512

d0b44e540eccb73e7fb1afef3f3c6a91a62584b5474b2f45104ede1ad49b82dc1749bfb0435ad604f75cfbbed27b381235b72e88c3dfda134f38dc368bb1b248
SSDEEP

1536:XfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbg+K:XVqoCl/YgjxEufVU0TbTyDDalZK

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

1840 explorer.exe
848 spoolsv.exe
3364 svchost.exe
4664 spoolsv.exe

pid	process
1840	explorer.exe
848	spoolsv.exe
3364	svchost.exe
4664	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exe7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exeexplorer.exe

pid	process
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1840 explorer.exe
3364 svchost.exe

pid	process
1840	explorer.exe
3364	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
1840	explorer.exe
1840	explorer.exe
848	spoolsv.exe
848	spoolsv.exe
3364	svchost.exe
3364	svchost.exe
4664	spoolsv.exe
4664	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3332 wrote to memory of 1840	3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe	explorer.exe
PID 3332 wrote to memory of 1840	3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe	explorer.exe
PID 3332 wrote to memory of 1840	3332	7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe	explorer.exe
PID 1840 wrote to memory of 848	1840	explorer.exe	spoolsv.exe
PID 1840 wrote to memory of 848	1840	explorer.exe	spoolsv.exe
PID 1840 wrote to memory of 848	1840	explorer.exe	spoolsv.exe
PID 848 wrote to memory of 3364	848	spoolsv.exe	svchost.exe
PID 848 wrote to memory of 3364	848	spoolsv.exe	svchost.exe
PID 848 wrote to memory of 3364	848	spoolsv.exe	svchost.exe
PID 3364 wrote to memory of 4664	3364	svchost.exe	spoolsv.exe
PID 3364 wrote to memory of 4664	3364	svchost.exe	spoolsv.exe
PID 3364 wrote to memory of 4664	3364	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe
"C:\Users\Admin\AppData\Local\Temp\7b85af78b32d06e2ea9a5bd129167644cc8c30243adad96fa0757b7dcea25589.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3332

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3364

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
37bba916fadeaaff80b6cfb90ebd9e1c

SHA1
6b77283aef04757e62279efb31c9c9c365f0fc33

SHA256
c69facd8929168744bc5947891d700950de5580b6c6cf02e32033a1d3276559b

SHA512
84a22280c4b02171977e50e08c2ee2baa5cb7730fb2524f1676a5c94ff344366b3962c427ee4e93f135918f1be87585f9735240426e2dcd93aa705b7feff74a2

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
135KB

MD5
43ac972d626258aec9bcf20d86a4595e

SHA1
94430a9cce364f6daf01098ba34741062cd20f1f

SHA256
883e0dfcd9fa2245250c6d4fb30d595aa43eb06cedd276de322163acb5278d2c

SHA512
c1dd838b107b8ce1df9116c70673ad56e06eed8ef915be8448afc8400b332b0c7caf7f63a592fdd897a69bfc708a65f7d2532179a479c81b924b305eeedeb770

Download Submit
\??\c:\windows\resources\themes\explorer.exe
Filesize
135KB

MD5
ec080cf16a942ab1f93361ae519ccdbc

SHA1
fbca694664cf44dd7b880a360ff6e19b31025177

SHA256
ca0f7843a436a59075726ae32e077f5d60ec7bcbf8853a5c9b41e1b0d8bc417c

SHA512
61f93e11cebb6c40658425a66447af7ebbe28c67a0f72027031301b3c9cc61d07e69b453dabd346a8dc7d42a4bdb79e6382a8c5ffc003f57c033f091c9fafc04

Download Submit
memory/848-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3332-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3332-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3364-26-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4664-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads