Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 04:25

Static task: static1

Behavioral task: behavioral1
- Sample: a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
- Resource: win10v2004-20240508-en
General
- Target: a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
- Size: 135KB
- MD5: 02e4168fe15eaba294ee087503c25250
- SHA1: 8085542c354fcfe7ad650dfe431ce26c3a01b712
- SHA256: a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d
- SHA512: 7313a55bc4136bb5daa0f4c6aaac544b9a97960b0419eb07946485a7fb76f51e1ba41df1fe68674509ce24c91b1a70a64f62bfd5bcedec2571ce744dcbc9ef25
- SSDEEP: 1536:4fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV5jp00000000000E:4VqoCl/YgjxEufVU0TbTyDDal3jb
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
-
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe
pid | process
1316 | explorer.exe
2124 | spoolsv.exe
2652 | svchost.exe
2800 | spoolsv.exe
-
Loads dropped DLL (4 IoCs)
Processes: a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe, explorer.exe, spoolsv.exe, svchost.exe
pid | process
1684 | a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
1316 | explorer.exe
2124 | spoolsv.exe
2652 | svchost.exe
-
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
-
Drops file in System32 directory (2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
-
Drops file in Windows directory (4 IoCs)
Processes: a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe, explorer.exe, spoolsv.exe
description | ioc | process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
-
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
pid | process
2624 | schtasks.exe
2156 | schtasks.exe
2912 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe, explorer.exe, svchost.exe
The 64 IoC rows repeat the same three pid/process pairs; counts per pair:
pid | process | IoC rows
1684 | a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe | 17
1316 | explorer.exe | 24
2652 | svchost.exe | 23
-
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
pid | process
1316 | explorer.exe
2652 | svchost.exe
-
Suspicious use of SetWindowsHookEx (10 IoCs)
Processes: a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe, explorer.exe, spoolsv.exe, svchost.exe
Each pid/process pair appears twice in the 10 IoC rows:
pid | process | IoC rows
1684 | a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe | 2
1316 | explorer.exe | 2
2124 | spoolsv.exe | 2
2652 | svchost.exe | 2
2800 | spoolsv.exe | 2
-
Suspicious use of WriteProcessMemory (32 IoCs)
Processes: a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe, explorer.exe, spoolsv.exe, svchost.exe
Each parent/target pair below is recorded four times in the 32 IoC rows:
description | pid | process | target pid | target process
wrote to memory of | 1684 | a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe | 1316 | explorer.exe
wrote to memory of | 1316 | explorer.exe | 2124 | spoolsv.exe
wrote to memory of | 2124 | spoolsv.exe | 2652 | svchost.exe
wrote to memory of | 2652 | svchost.exe | 2800 | spoolsv.exe
wrote to memory of | 1316 | explorer.exe | 2512 | Explorer.exe
wrote to memory of | 2652 | svchost.exe | 2624 | schtasks.exe
wrote to memory of | 2652 | svchost.exe | 2156 | schtasks.exe
wrote to memory of | 2652 | svchost.exe | 2912 | schtasks.exe
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  [depth 2] \??\c:\windows\resources\themes\explorer.exe
    Command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [depth 3] \??\c:\windows\resources\spoolsv.exe
      Command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      [depth 4] \??\c:\windows\resources\svchost.exe
        Command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [depth 5] \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        [depth 5] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:27 /f
          - Creates scheduled task(s)

        [depth 5] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:28 /f
          - Creates scheduled task(s)

        [depth 5] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:29 /f
          - Creates scheduled task(s)

    [depth 3] C:\Windows\Explorer.exe
      Command line: C:\Windows\Explorer.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads
-
C:\Windows\Resources\spoolsv.exe
- Filesize: 135KB
- MD5: 2a7fb615f8a5564202d5ae3cf053f47f
- SHA1: 5990285bf0e8a7684305dcb35d493c492624d6d3
- SHA256: fc0cc0a333a55664c755015d58a7f1097106599b3851a22908aaab789279049e
- SHA512: 4b8ca41d1aab6487c70cf8407fa5f8811d6c23a200b127a31bcbb824b7ad59281c678bb8392a1953389146e743529c19ed35d78e53f60fa562bf0ed71cc43123
-
\Windows\Resources\Themes\explorer.exe
- Filesize: 135KB
- MD5: a0a5113822249dfbd01aa21b9b55e5fe
- SHA1: 0cc4e004e0969b5de32a23704f16d299d65f8892
- SHA256: 6caa86b8b48bdd7b9eccb48e221877b8ae6696e7d814859d0b2e3fc6e41ee695
- SHA512: 9c2df2f2c835d2e222772acda07f742f867143b71aeff67a681c15793b2622fd9e8ee3a91c94ffc0cd9e36ae570d20844d0de9dc822668084e90ad211317428e
-
\Windows\Resources\svchost.exe
- Filesize: 135KB
- MD5: 05756cbb6178d07f2fe0e5a253cd012f
- SHA1: 5559cffe1f2c2a3cc31740120d1dcf1e61eb7f80
- SHA256: fb070010bd655f2e5d7a75229766b9592a19f47d5d9a6536b8dbbca03349c361
- SHA512: 587f8aaf6684ba17bbcbdc40821be2e578d95a0d74647f5f1f89b8c55881058d36230e402d70a84fc0a4de58bfb8d6c52156013f8804a90dd82516b65dcf5a6c
-
memory/1316-19-0x0000000000440000-0x000000000045F000-memory.dmp
- Filesize: 124KB
-
memory/1684-1-0x0000000000400000-0x000000000041F000-memory.dmp
- Filesize: 124KB
-
memory/1684-8-0x00000000005E0000-0x00000000005FF000-memory.dmp
- Filesize: 124KB
-
memory/1684-45-0x0000000000400000-0x000000000041F000-memory.dmp
- Filesize: 124KB
-
memory/2124-25-0x0000000000400000-0x000000000041F000-memory.dmp
- Filesize: 124KB
-
memory/2124-44-0x0000000000400000-0x000000000041F000-memory.dmp
- Filesize: 124KB
-
memory/2800-41-0x0000000000400000-0x000000000041F000-memory.dmp
- Filesize: 124KB
-
memory/2800-43-0x0000000000400000-0x000000000041F000-memory.dmp
- Filesize: 124KB