Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 02:32
- Static task: static1
- Behavioral task: behavioral1
  - Sample: bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
  - Resource: win7-20240221-en
- Behavioral task: behavioral2
  - Sample: bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
  - Resource: win10v2004-20240508-en
General
- Target: bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
- Size: 135KB
- MD5: b3bf8e1f053c084789d19225470626cb
- SHA1: 4d73391e70d27479d725274f923209ef1eec9958
- SHA256: bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6
- SHA512: 08a2d2f6b2a7aedf03ec65ac547ba217f87475df8cd1d1d1354cad81a490b582149550e9e2ad39680908197d44b345ac33507a6f2ad88b28f724a8c3ed5de64f
- SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVle/:UVqoCl/YgjxEufVU0TbTyDDalG/
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)
-
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
- PID 292 explorer.exe
- PID 1648 spoolsv.exe
- PID 2644 svchost.exe
- PID 2568 spoolsv.exe
-
Loads dropped DLL (4 IoCs)
Processes: bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe, explorer.exe, spoolsv.exe, svchost.exe
- PID 3048 bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
- PID 292 explorer.exe
- PID 1648 spoolsv.exe
- PID 2644 svchost.exe
-
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (svchost.exe)
-
Drops file in System32 directory (2 IoCs)
Processes: explorer.exe, svchost.exe
- File opened for modification C:\Windows\SysWOW64\explorer.exe (explorer.exe)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (svchost.exe)
-
Drops file in Windows directory (4 IoCs)
Processes: explorer.exe, spoolsv.exe, bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
- File opened for modification \??\c:\windows\resources\spoolsv.exe (explorer.exe)
- File opened for modification \??\c:\windows\resources\svchost.exe (spoolsv.exe)
- File opened for modification C:\Windows\Resources\tjud.exe (explorer.exe)
- File opened for modification \??\c:\windows\resources\themes\explorer.exe (bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe)
-
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe
- PID 2792 schtasks.exe
- PID 2008 schtasks.exe
- PID 2460 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe, explorer.exe, svchost.exe
The 64 pid/process entries in the original table are repeats of three processes: 17 entries for PID 3048 bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe, 24 entries for PID 292 explorer.exe and 23 entries for PID 2644 svchost.exe.
-
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
- PID 292 explorer.exe
- PID 2644 svchost.exe
-
Suspicious use of SetWindowsHookEx (10 IoCs)
Processes: bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
Each process below appears twice in the original table:
- PID 3048 bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
- PID 292 explorer.exe
- PID 1648 spoolsv.exe
- PID 2644 svchost.exe
- PID 2568 spoolsv.exe
-
Suspicious use of WriteProcessMemory (32 IoCs)
Processes: bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe, explorer.exe, spoolsv.exe, svchost.exe
Each parent/target pair below appears four times in the original table:
- PID 3048 bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe wrote to memory of PID 292 explorer.exe
- PID 292 explorer.exe wrote to memory of PID 1648 spoolsv.exe
- PID 1648 spoolsv.exe wrote to memory of PID 2644 svchost.exe
- PID 2644 svchost.exe wrote to memory of PID 2568 spoolsv.exe
- PID 292 explorer.exe wrote to memory of PID 1032 Explorer.exe
- PID 2644 svchost.exe wrote to memory of PID 2460 schtasks.exe
- PID 2644 svchost.exe wrote to memory of PID 2792 schtasks.exe
- PID 2644 svchost.exe wrote to memory of PID 2008 schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3048
  \??\c:\windows\resources\themes\explorer.exe (level 2)
    Command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 292
    \??\c:\windows\resources\spoolsv.exe (level 3)
      Command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1648
      \??\c:\windows\resources\svchost.exe (level 4)
        Command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2644
        \??\c:\windows\resources\spoolsv.exe (level 5)
          Command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          PID: 2568
        C:\Windows\SysWOW64\schtasks.exe (level 5)
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:34 /f
          - Creates scheduled task(s)
          PID: 2460
        C:\Windows\SysWOW64\schtasks.exe (level 5)
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:35 /f
          - Creates scheduled task(s)
          PID: 2792
        C:\Windows\SysWOW64\schtasks.exe (level 5)
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:36 /f
          - Creates scheduled task(s)
          PID: 2008
    C:\Windows\Explorer.exe (level 3)
      Command line: C:\Windows\Explorer.exe
      PID: 1032
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads
-
\Windows\Resources\Themes\explorer.exe
  Filesize: 135KB
  MD5: 302fe44e1797e207a336f3a2c9d253a9
  SHA1: 5a9b753abce2e8fc3b877ec9946180a823ca0497
  SHA256: 80bc63c598a649c1d18080a5a5a23261a1982dce3787cc6f97f6f5dff9566d8b
  SHA512: 7cb62cd235c10d3cd949841e0806115bc6a2d414e4f76d9890bbe30afe8ead640e36734f84caff0c8e81130c95797a0fa0d910b594206ab8745fadef1e4bac8e
-
\Windows\Resources\spoolsv.exe
  Filesize: 135KB
  MD5: 08c0f7e14aff36fd5174ecea8a5fe737
  SHA1: a11510b0a97d3cdd61e9e847e7b3a30bdea8330c
  SHA256: fd770e7bb958fe3411e8d5695b240b4694bc9b24bef49459b1aa8bec958ebb39
  SHA512: ba8d8acde5682c1449c3f35cd11aa506d1057968ca7f1a1f8386f880914b25784d8a710e115d3a0fe3c313ea92ae021c3fa951e3d25a82a90232f6a8f50fc6c2
-
\Windows\Resources\svchost.exe
  Filesize: 135KB
  MD5: 21a6465c40487e379adf0cb389a0f255
  SHA1: 71fe531eddddfc049475384197ba2ae2d571c9fd
  SHA256: 02dfb809aa4581ef96c7f0980caa74923751a02482442435b0ad962d446f093b
  SHA512: 8a3a66680734417d013fb985a10100131b85626161f30d69ea756c7b0ab906cd2f6e4ea117a544b9edfe934a8884a6d79ac06b1c22fbaf05023178bfef885d82
-
memory/292-13-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
-
memory/1648-31-0x00000000002B0000-0x00000000002CF000-memory.dmp
  Filesize: 124KB
-
memory/1648-43-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
-
memory/2568-42-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
-
memory/2644-37-0x0000000000270000-0x000000000028F000-memory.dmp
  Filesize: 124KB
-
memory/3048-0-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
-
memory/3048-44-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB