66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866

General

Target

66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
Size

135KB
MD5

28c450127304cb7dca5ee42830c680c0
SHA1

400ccdc95dfb43ab8730072cd1bdfbabe6e28337
SHA256

66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866
SHA512

8e1a5e812db5ad6096b2127ade3f087fbe9bd28ad5a2cd97f61a1d6031bccbde7b50adc34f8526aad01f1a85e85d7822de5dffded0b7d8f35dc0156c9155f5fd
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVPi4Vg6k+:UVqoCl/YgjxEufVU0TbTyDDalc+

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2968 explorer.exe
2596 spoolsv.exe
2548 svchost.exe
2716 spoolsv.exe
Loads dropped DLL 4 IoCs

Processes:

66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exeexplorer.exespoolsv.exesvchost.exe

pid process

2724 66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2968 explorer.exe
2596 spoolsv.exe
2548 svchost.exe

pid	process
2968	explorer.exe
2596	spoolsv.exe
2548	svchost.exe
2716	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3056 schtasks.exe
2568 schtasks.exe
1804 schtasks.exe

pid	process
3056	schtasks.exe
2568	schtasks.exe
1804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exeexplorer.exesvchost.exe

pid	process
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2548	svchost.exe
2968	explorer.exe
2548	svchost.exe
2968	explorer.exe
2548	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2968 explorer.exe
2548 svchost.exe

pid	process
2968	explorer.exe
2548	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
2968	explorer.exe
2968	explorer.exe
2596	spoolsv.exe
2596	spoolsv.exe
2548	svchost.exe
2548	svchost.exe
2716	spoolsv.exe
2716	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2724 wrote to memory of 2968	2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe	explorer.exe
PID 2724 wrote to memory of 2968	2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe	explorer.exe
PID 2724 wrote to memory of 2968	2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe	explorer.exe
PID 2724 wrote to memory of 2968	2724	66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe	explorer.exe
PID 2968 wrote to memory of 2596	2968	explorer.exe	spoolsv.exe
PID 2968 wrote to memory of 2596	2968	explorer.exe	spoolsv.exe
PID 2968 wrote to memory of 2596	2968	explorer.exe	spoolsv.exe
PID 2968 wrote to memory of 2596	2968	explorer.exe	spoolsv.exe
PID 2596 wrote to memory of 2548	2596	spoolsv.exe	svchost.exe
PID 2596 wrote to memory of 2548	2596	spoolsv.exe	svchost.exe
PID 2596 wrote to memory of 2548	2596	spoolsv.exe	svchost.exe
PID 2596 wrote to memory of 2548	2596	spoolsv.exe	svchost.exe
PID 2548 wrote to memory of 2716	2548	svchost.exe	spoolsv.exe
PID 2548 wrote to memory of 2716	2548	svchost.exe	spoolsv.exe
PID 2548 wrote to memory of 2716	2548	svchost.exe	spoolsv.exe
PID 2548 wrote to memory of 2716	2548	svchost.exe	spoolsv.exe
PID 2968 wrote to memory of 2944	2968	explorer.exe	Explorer.exe
PID 2968 wrote to memory of 2944	2968	explorer.exe	Explorer.exe
PID 2968 wrote to memory of 2944	2968	explorer.exe	Explorer.exe
PID 2968 wrote to memory of 2944	2968	explorer.exe	Explorer.exe
PID 2548 wrote to memory of 2568	2548	svchost.exe	schtasks.exe
PID 2548 wrote to memory of 2568	2548	svchost.exe	schtasks.exe
PID 2548 wrote to memory of 2568	2548	svchost.exe	schtasks.exe
PID 2548 wrote to memory of 2568	2548	svchost.exe	schtasks.exe
PID 2548 wrote to memory of 1804	2548	svchost.exe	schtasks.exe
PID 2548 wrote to memory of 1804	2548	svchost.exe	schtasks.exe
PID 2548 wrote to memory of 1804	2548	svchost.exe	schtasks.exe
PID 2548 wrote to memory of 1804	2548	svchost.exe	schtasks.exe
PID 2548 wrote to memory of 3056	2548	svchost.exe	schtasks.exe
PID 2548 wrote to memory of 3056	2548	svchost.exe	schtasks.exe
PID 2548 wrote to memory of 3056	2548	svchost.exe	schtasks.exe
PID 2548 wrote to memory of 3056	2548	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
"C:\Users\Admin\AppData\Local\Temp\66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2716

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:57 /f
5⤵
- Creates scheduled task(s)
PID:2568

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:58 /f
5⤵
- Creates scheduled task(s)
PID:1804

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:59 /f
5⤵
- Creates scheduled task(s)
PID:3056

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
3⤵
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
43ac3a6aaab3f9d7cbbbf6101607a9ba

SHA1
af5efb0c26ebf66c7b51147ba5f392844945b271

SHA256
34addf8c6d98cd10ed0dc8a27bc24bac4800ca3d9cc0c4551a300d648e8dafeb

SHA512
f8ac57e09a658288a2b5e324b4f3bfe6bfbb3177f09dd7e04360d45a8d25d562b007684c710e94c30a106cd8f319f4b905a2b71bf8bfda288f8a088002592362

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
22ae4e28a6f587b65fe797b393466fe1

SHA1
399d7a980b86f32217d75464d8416bdf9ff24314

SHA256
664b6ec5071480cdbcb38801d8c5fd37705895958880542e378b2a3bb1de5691

SHA512
25d69c5d9499644f7a0bc377e08f7d3c6844096f95145dc43abefddbd0ad946106845313ab54546b27be68ce9d3f5dc1d4ad85ffabd0bcb4d69a3eafe2ed8ffd

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
8c1629cbca300f95dfbbc3dd53003704

SHA1
7699903f1509a2b0e04c9166b7496373e186f151

SHA256
4dabe0bd6914bd9485be0ede061ff76f2993a594f9dd4e0411ba4c44892a23b2

SHA512
01171cb3e800e29f6a64da1c7bb35fe0e50f6bcf0f733d337cd7f167d091b97202582cde51fdecb9d107997a63cd04b250f65bfb8693d7bd793d4f114850baa4

Download Submit
memory/2596-28-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2596-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2716-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2724-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2724-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads