bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6

General

Target

bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
Size

135KB
MD5

b3bf8e1f053c084789d19225470626cb
SHA1

4d73391e70d27479d725274f923209ef1eec9958
SHA256

bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6
SHA512

08a2d2f6b2a7aedf03ec65ac547ba217f87475df8cd1d1d1354cad81a490b582149550e9e2ad39680908197d44b345ac33507a6f2ad88b28f724a8c3ed5de64f
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVle/:UVqoCl/YgjxEufVU0TbTyDDalG/

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

292 explorer.exe
1648 spoolsv.exe
2644 svchost.exe
2568 spoolsv.exe
Loads dropped DLL 4 IoCs

Processes:

bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exeexplorer.exespoolsv.exesvchost.exe

pid process

3048 bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
292 explorer.exe
1648 spoolsv.exe
2644 svchost.exe

pid	process
292	explorer.exe
1648	spoolsv.exe
2644	svchost.exe
2568	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exebbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2792 schtasks.exe
2008 schtasks.exe
2460 schtasks.exe

pid	process
2792	schtasks.exe
2008	schtasks.exe
2460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exeexplorer.exesvchost.exe

pid	process
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
292	explorer.exe
292	explorer.exe
292	explorer.exe
292	explorer.exe
292	explorer.exe
292	explorer.exe
292	explorer.exe
292	explorer.exe
292	explorer.exe
292	explorer.exe
292	explorer.exe
292	explorer.exe
292	explorer.exe
292	explorer.exe
292	explorer.exe
292	explorer.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe
2644	svchost.exe
292	explorer.exe
292	explorer.exe
292	explorer.exe
2644	svchost.exe
2644	svchost.exe
292	explorer.exe
2644	svchost.exe
292	explorer.exe
2644	svchost.exe
292	explorer.exe
2644	svchost.exe
292	explorer.exe
2644	svchost.exe
292	explorer.exe
2644	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

292 explorer.exe
2644 svchost.exe

pid	process
292	explorer.exe
2644	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
292	explorer.exe
292	explorer.exe
1648	spoolsv.exe
1648	spoolsv.exe
2644	svchost.exe
2644	svchost.exe
2568	spoolsv.exe
2568	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3048 wrote to memory of 292	3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe	explorer.exe
PID 3048 wrote to memory of 292	3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe	explorer.exe
PID 3048 wrote to memory of 292	3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe	explorer.exe
PID 3048 wrote to memory of 292	3048	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe	explorer.exe
PID 292 wrote to memory of 1648	292	explorer.exe	spoolsv.exe
PID 292 wrote to memory of 1648	292	explorer.exe	spoolsv.exe
PID 292 wrote to memory of 1648	292	explorer.exe	spoolsv.exe
PID 292 wrote to memory of 1648	292	explorer.exe	spoolsv.exe
PID 1648 wrote to memory of 2644	1648	spoolsv.exe	svchost.exe
PID 1648 wrote to memory of 2644	1648	spoolsv.exe	svchost.exe
PID 1648 wrote to memory of 2644	1648	spoolsv.exe	svchost.exe
PID 1648 wrote to memory of 2644	1648	spoolsv.exe	svchost.exe
PID 2644 wrote to memory of 2568	2644	svchost.exe	spoolsv.exe
PID 2644 wrote to memory of 2568	2644	svchost.exe	spoolsv.exe
PID 2644 wrote to memory of 2568	2644	svchost.exe	spoolsv.exe
PID 2644 wrote to memory of 2568	2644	svchost.exe	spoolsv.exe
PID 292 wrote to memory of 1032	292	explorer.exe	Explorer.exe
PID 292 wrote to memory of 1032	292	explorer.exe	Explorer.exe
PID 292 wrote to memory of 1032	292	explorer.exe	Explorer.exe
PID 292 wrote to memory of 1032	292	explorer.exe	Explorer.exe
PID 2644 wrote to memory of 2460	2644	svchost.exe	schtasks.exe
PID 2644 wrote to memory of 2460	2644	svchost.exe	schtasks.exe
PID 2644 wrote to memory of 2460	2644	svchost.exe	schtasks.exe
PID 2644 wrote to memory of 2460	2644	svchost.exe	schtasks.exe
PID 2644 wrote to memory of 2792	2644	svchost.exe	schtasks.exe
PID 2644 wrote to memory of 2792	2644	svchost.exe	schtasks.exe
PID 2644 wrote to memory of 2792	2644	svchost.exe	schtasks.exe
PID 2644 wrote to memory of 2792	2644	svchost.exe	schtasks.exe
PID 2644 wrote to memory of 2008	2644	svchost.exe	schtasks.exe
PID 2644 wrote to memory of 2008	2644	svchost.exe	schtasks.exe
PID 2644 wrote to memory of 2008	2644	svchost.exe	schtasks.exe
PID 2644 wrote to memory of 2008	2644	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
"C:\Users\Admin\AppData\Local\Temp\bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:292

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:34 /f
5⤵
- Creates scheduled task(s)
PID:2460

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:35 /f
5⤵
- Creates scheduled task(s)
PID:2792

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:36 /f
5⤵
- Creates scheduled task(s)
PID:2008

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
3⤵
PID:1032

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
302fe44e1797e207a336f3a2c9d253a9

SHA1
5a9b753abce2e8fc3b877ec9946180a823ca0497

SHA256
80bc63c598a649c1d18080a5a5a23261a1982dce3787cc6f97f6f5dff9566d8b

SHA512
7cb62cd235c10d3cd949841e0806115bc6a2d414e4f76d9890bbe30afe8ead640e36734f84caff0c8e81130c95797a0fa0d910b594206ab8745fadef1e4bac8e

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
08c0f7e14aff36fd5174ecea8a5fe737

SHA1
a11510b0a97d3cdd61e9e847e7b3a30bdea8330c

SHA256
fd770e7bb958fe3411e8d5695b240b4694bc9b24bef49459b1aa8bec958ebb39

SHA512
ba8d8acde5682c1449c3f35cd11aa506d1057968ca7f1a1f8386f880914b25784d8a710e115d3a0fe3c313ea92ae021c3fa951e3d25a82a90232f6a8f50fc6c2

Download Submit
\Windows\Resources\svchost.exe
Filesize
135KB

MD5
21a6465c40487e379adf0cb389a0f255

SHA1
71fe531eddddfc049475384197ba2ae2d571c9fd

SHA256
02dfb809aa4581ef96c7f0980caa74923751a02482442435b0ad962d446f093b

SHA512
8a3a66680734417d013fb985a10100131b85626161f30d69ea756c7b0ab906cd2f6e4ea117a544b9edfe934a8884a6d79ac06b1c22fbaf05023178bfef885d82

Download Submit
memory/292-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-31-0x00000000002B0000-0x00000000002CF000-memory.dmp

Filesize
124KB

Download
memory/1648-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2568-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2644-37-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/3048-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3048-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads