a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d

General

Target

a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
Size

135KB
MD5

02e4168fe15eaba294ee087503c25250
SHA1

8085542c354fcfe7ad650dfe431ce26c3a01b712
SHA256

a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d
SHA512

7313a55bc4136bb5daa0f4c6aaac544b9a97960b0419eb07946485a7fb76f51e1ba41df1fe68674509ce24c91b1a70a64f62bfd5bcedec2571ce744dcbc9ef25
SSDEEP

1536:4fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV5jp00000000000E:4VqoCl/YgjxEufVU0TbTyDDal3jb

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

1316 explorer.exe
2124 spoolsv.exe
2652 svchost.exe
2800 spoolsv.exe
Loads dropped DLL 4 IoCs

Processes:

a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exeexplorer.exespoolsv.exesvchost.exe

pid process

1684 a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1316 explorer.exe
2124 spoolsv.exe
2652 svchost.exe

pid	process
1316	explorer.exe
2124	spoolsv.exe
2652	svchost.exe
2800	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2624 schtasks.exe
2156 schtasks.exe
2912 schtasks.exe

pid	process
2624	schtasks.exe
2156	schtasks.exe
2912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exeexplorer.exesvchost.exe

pid	process
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
2652	svchost.exe
2652	svchost.exe
1316	explorer.exe
2652	svchost.exe
1316	explorer.exe
2652	svchost.exe
1316	explorer.exe
2652	svchost.exe
1316	explorer.exe
2652	svchost.exe
1316	explorer.exe
2652	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1316 explorer.exe
2652 svchost.exe

pid	process
1316	explorer.exe
2652	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1316	explorer.exe
1316	explorer.exe
2124	spoolsv.exe
2124	spoolsv.exe
2652	svchost.exe
2652	svchost.exe
2800	spoolsv.exe
2800	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1684 wrote to memory of 1316	1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe	explorer.exe
PID 1684 wrote to memory of 1316	1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe	explorer.exe
PID 1684 wrote to memory of 1316	1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe	explorer.exe
PID 1684 wrote to memory of 1316	1684	a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe	explorer.exe
PID 1316 wrote to memory of 2124	1316	explorer.exe	spoolsv.exe
PID 1316 wrote to memory of 2124	1316	explorer.exe	spoolsv.exe
PID 1316 wrote to memory of 2124	1316	explorer.exe	spoolsv.exe
PID 1316 wrote to memory of 2124	1316	explorer.exe	spoolsv.exe
PID 2124 wrote to memory of 2652	2124	spoolsv.exe	svchost.exe
PID 2124 wrote to memory of 2652	2124	spoolsv.exe	svchost.exe
PID 2124 wrote to memory of 2652	2124	spoolsv.exe	svchost.exe
PID 2124 wrote to memory of 2652	2124	spoolsv.exe	svchost.exe
PID 2652 wrote to memory of 2800	2652	svchost.exe	spoolsv.exe
PID 2652 wrote to memory of 2800	2652	svchost.exe	spoolsv.exe
PID 2652 wrote to memory of 2800	2652	svchost.exe	spoolsv.exe
PID 2652 wrote to memory of 2800	2652	svchost.exe	spoolsv.exe
PID 1316 wrote to memory of 2512	1316	explorer.exe	Explorer.exe
PID 1316 wrote to memory of 2512	1316	explorer.exe	Explorer.exe
PID 1316 wrote to memory of 2512	1316	explorer.exe	Explorer.exe
PID 1316 wrote to memory of 2512	1316	explorer.exe	Explorer.exe
PID 2652 wrote to memory of 2624	2652	svchost.exe	schtasks.exe
PID 2652 wrote to memory of 2624	2652	svchost.exe	schtasks.exe
PID 2652 wrote to memory of 2624	2652	svchost.exe	schtasks.exe
PID 2652 wrote to memory of 2624	2652	svchost.exe	schtasks.exe
PID 2652 wrote to memory of 2156	2652	svchost.exe	schtasks.exe
PID 2652 wrote to memory of 2156	2652	svchost.exe	schtasks.exe
PID 2652 wrote to memory of 2156	2652	svchost.exe	schtasks.exe
PID 2652 wrote to memory of 2156	2652	svchost.exe	schtasks.exe
PID 2652 wrote to memory of 2912	2652	svchost.exe	schtasks.exe
PID 2652 wrote to memory of 2912	2652	svchost.exe	schtasks.exe
PID 2652 wrote to memory of 2912	2652	svchost.exe	schtasks.exe
PID 2652 wrote to memory of 2912	2652	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
"C:\Users\Admin\AppData\Local\Temp\a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:27 /f
5⤵
- Creates scheduled task(s)
PID:2624

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:28 /f
5⤵
- Creates scheduled task(s)
PID:2156

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:29 /f
5⤵
- Creates scheduled task(s)
PID:2912

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
3⤵
PID:2512

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
2a7fb615f8a5564202d5ae3cf053f47f

SHA1
5990285bf0e8a7684305dcb35d493c492624d6d3

SHA256
fc0cc0a333a55664c755015d58a7f1097106599b3851a22908aaab789279049e

SHA512
4b8ca41d1aab6487c70cf8407fa5f8811d6c23a200b127a31bcbb824b7ad59281c678bb8392a1953389146e743529c19ed35d78e53f60fa562bf0ed71cc43123

Download Submit
\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
a0a5113822249dfbd01aa21b9b55e5fe

SHA1
0cc4e004e0969b5de32a23704f16d299d65f8892

SHA256
6caa86b8b48bdd7b9eccb48e221877b8ae6696e7d814859d0b2e3fc6e41ee695

SHA512
9c2df2f2c835d2e222772acda07f742f867143b71aeff67a681c15793b2622fd9e8ee3a91c94ffc0cd9e36ae570d20844d0de9dc822668084e90ad211317428e

Download Submit
\Windows\Resources\svchost.exe
Filesize
135KB

MD5
05756cbb6178d07f2fe0e5a253cd012f

SHA1
5559cffe1f2c2a3cc31740120d1dcf1e61eb7f80

SHA256
fb070010bd655f2e5d7a75229766b9592a19f47d5d9a6536b8dbbca03349c361

SHA512
587f8aaf6684ba17bbcbdc40821be2e578d95a0d74647f5f1f89b8c55881058d36230e402d70a84fc0a4de58bfb8d6c52156013f8804a90dd82516b65dcf5a6c

Download Submit
memory/1316-19-0x0000000000440000-0x000000000045F000-memory.dmp

Filesize
124KB

Download
memory/1684-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1684-8-0x00000000005E0000-0x00000000005FF000-memory.dmp

Filesize
124KB

Download
memory/1684-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2124-25-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2124-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2800-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2800-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads