758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe
Size

121KB
MD5

84fb158562b34837e5796b7142b9e7a9
SHA1

b2bff9c5887ff5b7aeec642aeb476f088085efac
SHA256

758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3
SHA512

fe9768c08b57d43e96bc2f0d0a63411bee8be0035b6dfe3c97982763627368c8342c0c3919ed6b1b49813df48f6775f50bf08712dc8473ad8e011c3c1b07aaf4
SSDEEP

1536:9X9TaOt5OuXpBFZQUSvnsk+z/ypuOASsIc9XmkbxH3w:9X9TP3OuXpBkAz/yjvc9X/9Xw

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
5040	explorer.exe
4488	spoolsv.exe
2028	svchost.exe
1920	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
8	758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe
8	758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
2028	svchost.exe
5040	explorer.exe
2028	svchost.exe
2028	svchost.exe
2028	svchost.exe
5040	explorer.exe
2028	svchost.exe
5040	explorer.exe
2028	svchost.exe
2028	svchost.exe
2028	svchost.exe
5040	explorer.exe
5040	explorer.exe
5040	explorer.exe
2028	svchost.exe
5040	explorer.exe
2028	svchost.exe
2028	svchost.exe
5040	explorer.exe
5040	explorer.exe
2028	svchost.exe
2028	svchost.exe
5040	explorer.exe
5040	explorer.exe
2028	svchost.exe
5040	explorer.exe
2028	svchost.exe
5040	explorer.exe
2028	svchost.exe
5040	explorer.exe
2028	svchost.exe
5040	explorer.exe
2028	svchost.exe
5040	explorer.exe
2028	svchost.exe
5040	explorer.exe
2028	svchost.exe
5040	explorer.exe
2028	svchost.exe
5040	explorer.exe
2028	svchost.exe
2028	svchost.exe
5040	explorer.exe
5040	explorer.exe
2028	svchost.exe
2028	svchost.exe
2028	svchost.exe
5040	explorer.exe
5040	explorer.exe
2028	svchost.exe
5040	explorer.exe
5040	explorer.exe
2028	svchost.exe
5040	explorer.exe
2028	svchost.exe
5040	explorer.exe
2028	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5040	explorer.exe
2028	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
8	758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe
8	758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe
5040	explorer.exe
5040	explorer.exe
4488	spoolsv.exe
4488	spoolsv.exe
2028	svchost.exe
2028	svchost.exe
1920	spoolsv.exe
1920	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 5040	8	758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe	82
PID 8 wrote to memory of 5040	8	758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe	82
PID 8 wrote to memory of 5040	8	758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe	82
PID 5040 wrote to memory of 4488	5040	explorer.exe	83
PID 5040 wrote to memory of 4488	5040	explorer.exe	83
PID 5040 wrote to memory of 4488	5040	explorer.exe	83
PID 4488 wrote to memory of 2028	4488	spoolsv.exe	84
PID 4488 wrote to memory of 2028	4488	spoolsv.exe	84
PID 4488 wrote to memory of 2028	4488	spoolsv.exe	84
PID 2028 wrote to memory of 1920	2028	svchost.exe	85
PID 2028 wrote to memory of 1920	2028	svchost.exe	85
PID 2028 wrote to memory of 1920	2028	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe
"C:\Users\Admin\AppData\Local\Temp\758e786222776e431a4edb09db6199e84f18333c7d904859aaed984b9677bef3.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:8
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5040
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2028
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
121KB

MD5
349045c0646296931a0897f2b3567b6a

SHA1
bc6983d769cba18e0d3a18545f671dd5df335bac

SHA256
4a8c1d886e3728a45d13772a219c4c20ebd405aa7989f671dfca0c114e287093

SHA512
833a1927ec49cfbb345470427e8734b7f83d2bd3006cdbe931c0f2b206eb5b190936aaea2b5b0fd95e587d16dd08abe39b8fe5609c9803aa3d32a06ead5623c1

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
121KB

MD5
cea353d80c835f06c9bed1a1a9a66cbb

SHA1
fe7b1c44e067a26d494a7f59339bcf0ee12cdb6d

SHA256
5cbcf9c783f5ad09b583faafa622744fe6ad2939755668458bffefca4ed125a2

SHA512
805c714f32870016149e7e1fde90c9787baa7c73e0037f4e97864da0c1107eaf40088b042a951f5f18c22ebeb7400e59c705198df79263881d1012c73f7d9b9c

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
121KB

MD5
90a7dbb138fabff0e7356c5b66ccd56c

SHA1
def6f9c86d6c82176c5ffb63398863352c0c549b

SHA256
4f62b495cb7b88361444f038945ff1a2145b06b44ae5e2b82a4bf7803d1b2cb4

SHA512
3cab6762bc56495954cd87df53770fdf4cdf5629b142dccd7f1c559971a42f7c48afa0331b300025747f98e90602f681886437b32cba7a1ebefe16742b9ae5e7

Download Submit