Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 23:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe
Resource
win7-20240508-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe
-
Size
121KB
-
MD5
84fb158562b34837e5796b7142b9e7a9
-
SHA1
b2bff9c5887ff5b7aeec642aeb476f088085efac
-
SHA256
758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3
-
SHA512
fe9768c08b57d43e96bc2f0d0a63411bee8be0035b6dfe3c97982763627368c8342c0c3919ed6b1b49813df48f6775f50bf08712dc8473ad8e011c3c1b07aaf4
-
SSDEEP
1536:9X9TaOt5OuXpBFZQUSvnsk+z/ypuOASsIc9XmkbxH3w:9X9TP3OuXpBkAz/yjvc9X/9Xw
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Executes dropped EXE 4 IoCs
pid Process 3016 explorer.exe 2680 spoolsv.exe 3024 svchost.exe 2808 spoolsv.exe -
Loads dropped DLL 8 IoCs
pid Process 1920 758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe 1920 758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe 3016 explorer.exe 3016 explorer.exe 2680 spoolsv.exe 2680 spoolsv.exe 3024 svchost.exe 3024 svchost.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\udsys.exe explorer.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe 758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1716 schtasks.exe 1676 schtasks.exe 2212 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1920 758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe 3016 explorer.exe 3016 explorer.exe 3024 svchost.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe 3024 svchost.exe 3016 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 3016 explorer.exe 3024 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 1920 758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe 1920 758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe 3016 explorer.exe 3016 explorer.exe 2680 spoolsv.exe 2680 spoolsv.exe 3024 svchost.exe 3024 svchost.exe 2808 spoolsv.exe 2808 spoolsv.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1920 wrote to memory of 3016 1920 758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe 28 PID 1920 wrote to memory of 3016 1920 758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe 28 PID 1920 wrote to memory of 3016 1920 758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe 28 PID 1920 wrote to memory of 3016 1920 758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe 28 PID 3016 wrote to memory of 2680 3016 explorer.exe 29 PID 3016 wrote to memory of 2680 3016 explorer.exe 29 PID 3016 wrote to memory of 2680 3016 explorer.exe 29 PID 3016 wrote to memory of 2680 3016 explorer.exe 29 PID 2680 wrote to memory of 3024 2680 spoolsv.exe 30 PID 2680 wrote to memory of 3024 2680 spoolsv.exe 30 PID 2680 wrote to memory of 3024 2680 spoolsv.exe 30 PID 2680 wrote to memory of 3024 2680 spoolsv.exe 30 PID 3024 wrote to memory of 2808 3024 svchost.exe 31 PID 3024 wrote to memory of 2808 3024 svchost.exe 31 PID 3024 wrote to memory of 2808 3024 svchost.exe 31 PID 3024 wrote to memory of 2808 3024 svchost.exe 31 PID 3024 wrote to memory of 1716 3024 svchost.exe 32 PID 3024 wrote to memory of 1716 3024 svchost.exe 32 PID 3024 wrote to memory of 1716 3024 svchost.exe 32 PID 3024 wrote to memory of 1716 3024 svchost.exe 32 PID 3024 wrote to memory of 1676 3024 svchost.exe 36 PID 3024 wrote to memory of 1676 3024 svchost.exe 36 PID 3024 wrote to memory of 1676 3024 svchost.exe 36 PID 3024 wrote to memory of 1676 3024 svchost.exe 36 PID 3024 wrote to memory of 2212 3024 svchost.exe 38 PID 3024 wrote to memory of 2212 3024 svchost.exe 38 PID 3024 wrote to memory of 2212 3024 svchost.exe 38 PID 3024 wrote to memory of 2212 3024 svchost.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe"C:\Users\Admin\AppData\Local\Temp\758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2808
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:22 /f5⤵
- Creates scheduled task(s)
PID:1716
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:23 /f5⤵
- Creates scheduled task(s)
PID:1676
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:24 /f5⤵
- Creates scheduled task(s)
PID:2212
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
121KB
MD5f5b3b60e6b38a7e61a097fbcedb44b5c
SHA12b9be4c730852ff9091a6713aa36d20908100bf7
SHA2566bfa74c5b6f829030780cc99d2b461edf3bb33c4814c2682470a50287672dd02
SHA5127aba6e9b97cc8d4229ddbed7f518885b2ce44cbd5c8c54db197e288b408b2690ba39f74b7d1358b09ab58bad0b61b2e8532dc89083d56a2aaedc2694c5d57dbf
-
Filesize
121KB
MD50240ebad6ca9233e97c6a20d127c16e1
SHA1b6e3bd094fd837726a82135bc12da67a5fdd8453
SHA256b1bc8db06d8b42ba00a8bc048039a0eb3079621976f9f64541fcbab95b7c5827
SHA51225a7516b06853bc7e7efd28a6750cca2bd48793467860be23964fd0597c0ebe31f708ed12480a3b081847af21fba1946f574e772ddf3f97d5885260a531e0d78
-
Filesize
121KB
MD53d7b663d61b5f53381188b628524b34f
SHA1db695b4c2cd9a76ea473cff646406b1abd685b66
SHA256882ac43c75b432e8848905845f1de013acccf67cf008552c8b7f683757314640
SHA51289f0531f23f9e4c1b8e01c2ba2d8c78dd78a4800b90fcce2d994f709f129f712dc3674863bc1c50b5dd25fc48879f600c742eea5f67a2e89e302ebcf2d2a2f02