Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 21:27
Behavioral task
behavioral1
Sample
8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
Resource
win10v2004-20240426-en
General
-
Target
8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe
-
Size
2.5MB
-
MD5
2596d7ffd5a33ee9b9eb9198ca7c56f0
-
SHA1
fd8c50cf801adc61f2e03c328692f3015c4fffc7
-
SHA256
8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a
-
SHA512
532b1f13ceae966843cc80bb50eac0d839310e0f61d2ce30a7181c098599822c6c9e496407c2f1ed0f11eea631fb0405ec78b1e219d773380969c2275c853100
-
SSDEEP
49152:8xmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyx7:8xx9NUFkQx753uWuCyyx7
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exeexplorer.exespoolsv.exesvchost.exespoolsv.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
spoolsv.exe8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exeexplorer.exespoolsv.exesvchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe -
Executes dropped EXE 4 IoCs
Processes:
explorer.exespoolsv.exesvchost.exespoolsv.exepid process 1980 explorer.exe 3692 spoolsv.exe 4916 svchost.exe 2888 spoolsv.exe -
Processes:
resource yara_rule behavioral2/memory/1844-0-0x0000000000400000-0x0000000000A0E000-memory.dmp themida C:\Windows\Resources\Themes\explorer.exe themida behavioral2/memory/1980-10-0x0000000000400000-0x0000000000A0E000-memory.dmp themida C:\Windows\Resources\spoolsv.exe themida behavioral2/memory/3692-19-0x0000000000400000-0x0000000000A0E000-memory.dmp themida C:\Windows\Resources\svchost.exe themida behavioral2/memory/4916-28-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/2888-33-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/3692-41-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/1844-42-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/2888-38-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/1980-43-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/4916-44-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/1980-49-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/1980-55-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/4916-62-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/4916-66-0x0000000000400000-0x0000000000A0E000-memory.dmp themida -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
svchost.exeexplorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe -
Processes:
8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exeexplorer.exespoolsv.exesvchost.exespoolsv.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe -
Drops file in System32 directory 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1980 explorer.exe 3692 spoolsv.exe 4916 svchost.exe 2888 spoolsv.exe -
Drops file in Windows directory 4 IoCs
Processes:
explorer.exespoolsv.exe8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exedescription ioc process File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exeexplorer.exepid process 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe 1980 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
explorer.exesvchost.exepid process 1980 explorer.exe 4916 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe 1980 explorer.exe 1980 explorer.exe 3692 spoolsv.exe 3692 spoolsv.exe 4916 svchost.exe 4916 svchost.exe 2888 spoolsv.exe 2888 spoolsv.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exeexplorer.exespoolsv.exesvchost.exedescription pid process target process PID 1844 wrote to memory of 1980 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe explorer.exe PID 1844 wrote to memory of 1980 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe explorer.exe PID 1844 wrote to memory of 1980 1844 8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe explorer.exe PID 1980 wrote to memory of 3692 1980 explorer.exe spoolsv.exe PID 1980 wrote to memory of 3692 1980 explorer.exe spoolsv.exe PID 1980 wrote to memory of 3692 1980 explorer.exe spoolsv.exe PID 3692 wrote to memory of 4916 3692 spoolsv.exe svchost.exe PID 3692 wrote to memory of 4916 3692 spoolsv.exe svchost.exe PID 3692 wrote to memory of 4916 3692 spoolsv.exe svchost.exe PID 4916 wrote to memory of 2888 4916 svchost.exe spoolsv.exe PID 4916 wrote to memory of 2888 4916 svchost.exe spoolsv.exe PID 4916 wrote to memory of 2888 4916 svchost.exe spoolsv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe"C:\Users\Admin\AppData\Local\Temp\8d894c4adf3144a4e3f675f3068a04b3e74b27aca8901d6ae982f874d5cb976a.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Resources\Themes\explorer.exeFilesize
2.5MB
MD5bd6e552a580fa80f9c1db2ae832e1804
SHA114567ea42624a586352af65c8c22e09c684d668b
SHA256382370b763353d457dbc72e29334b8a809f0d3179b5000101691a8647a9e0cff
SHA512f5aa20c4b53fc64b762ec5b05788ff121502860b3a784b9d82a91c40b91c7d9d1252d92934cbcad501fb44497b49ea79be06d38617bd0f06d986021354d818d5
-
C:\Windows\Resources\spoolsv.exeFilesize
2.5MB
MD53d5b5a5e6d361878020bfd7372be897a
SHA1cc41058c04f20e5d2b2c8aeba1a705e5e3095972
SHA256966f9ef7647cfacaa12d11c783e9f2ce6cf2d2fc42ece22eaa8b8f562f7bfdd1
SHA51283e90f79e088c35b64caec7130ca9534ca5359fd419d712cbc30264816494c4f0d1f10c29859eb42c7df9c97de9ef6d6d964ebbe41bd53a7119e8a8dc306f87c
-
C:\Windows\Resources\svchost.exeFilesize
2.5MB
MD5d554c00197197ef72ecacc801a6acd42
SHA1d112899585b8c27c71c3a5a7667d5623fc5502aa
SHA256eee414fe3ba570af0ea596018100165b3e2049ea75d06a10e80fe53e9c300966
SHA512c595e754c4ba8a39baebb2706d02fe4868a2d665467e1cfa986b3c8625ca2dbd1f6385c5de4b98b16c45162fe57b0441ae1ddb0de921b19df159037c453258ea
-
memory/1844-1-0x0000000077934000-0x0000000077936000-memory.dmpFilesize
8KB
-
memory/1844-0-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/1844-42-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/1980-43-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/1980-10-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/1980-49-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/1980-55-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2888-33-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2888-38-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/3692-41-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/3692-19-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/4916-28-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/4916-44-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/4916-62-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/4916-66-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB