bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6

General

Target

bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
Size

135KB
MD5

b3bf8e1f053c084789d19225470626cb
SHA1

4d73391e70d27479d725274f923209ef1eec9958
SHA256

bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6
SHA512

08a2d2f6b2a7aedf03ec65ac547ba217f87475df8cd1d1d1354cad81a490b582149550e9e2ad39680908197d44b345ac33507a6f2ad88b28f724a8c3ed5de64f
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVle/:UVqoCl/YgjxEufVU0TbTyDDalG/

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

1188 explorer.exe
1752 spoolsv.exe
3516 svchost.exe
4624 spoolsv.exe

pid	process
1188	explorer.exe
1752	spoolsv.exe
3516	svchost.exe
4624	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exebbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exeexplorer.exe

pid	process
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1188 explorer.exe
3516 svchost.exe

pid	process
1188	explorer.exe
3516	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
1188	explorer.exe
1188	explorer.exe
1752	spoolsv.exe
1752	spoolsv.exe
3516	svchost.exe
3516	svchost.exe
4624	spoolsv.exe
4624	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3212 wrote to memory of 1188	3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe	explorer.exe
PID 3212 wrote to memory of 1188	3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe	explorer.exe
PID 3212 wrote to memory of 1188	3212	bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe	explorer.exe
PID 1188 wrote to memory of 1752	1188	explorer.exe	spoolsv.exe
PID 1188 wrote to memory of 1752	1188	explorer.exe	spoolsv.exe
PID 1188 wrote to memory of 1752	1188	explorer.exe	spoolsv.exe
PID 1752 wrote to memory of 3516	1752	spoolsv.exe	svchost.exe
PID 1752 wrote to memory of 3516	1752	spoolsv.exe	svchost.exe
PID 1752 wrote to memory of 3516	1752	spoolsv.exe	svchost.exe
PID 3516 wrote to memory of 4624	3516	svchost.exe	spoolsv.exe
PID 3516 wrote to memory of 4624	3516	svchost.exe	spoolsv.exe
PID 3516 wrote to memory of 4624	3516	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe
"C:\Users\Admin\AppData\Local\Temp\bbe620d70aad0c662d2502f678791f914bd318917ffc7af4452b66a243ac83b6.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3212

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3516

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
a8e4de714fedf0280c214eb685d8ed03

SHA1
3c4896585e76fa733aa240ed54ebe9802d4de30e

SHA256
6d8afc40d7c3ac223b1f102975c369941939731562e62faf5082505ab1c61f24

SHA512
b9393c9e387f508e71803239a9140815dd92b05207544d4b45f0abb36fbe1169b95aef1d45a390dd1bdfc35e91c9fdb96ec869fcd8a0d4dbd5f8f18add8f8b78

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
6cc58cec15e852f63464a899b160a5d8

SHA1
070ee1868135b6c9ad5028f62b4c0ba3b0a5a631

SHA256
cb410c8df148b7caffa15aa6f648753b355217b05648e88b060fbc297c6b20e8

SHA512
61753a3fe6711d38d83cf5ec14641dc15e53a76d8224c90012207ec230a064e8089be2d87c192aed2d4fd41c64cff014735883b3cb37c0adf756747adbbb9db9

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
135KB

MD5
a734b1a455b1fa1185ea2e5a49c59b1a

SHA1
f45b183d00c24625c1d59b699d121567f246b278

SHA256
29553e1b97186d0899bd55f997401f4b2179ba4db47d0eaa036f53f7fad0f83c

SHA512
0999ef7d2e878c91ea72f12ba66b3be80d8d624c05c1450f10b0af61e6d9989dc8f349cbabaa5dc680948d8028c55fe1c8fec1b1d8d988788282d09bf3e97fcb

Download Submit
memory/1188-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1752-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3212-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3212-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4624-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads