f8c846285569aac1973ed33b5753496ac15b8703b37dfc4a22e6d67fe08ad10e

Analysis

max time kernel
150s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
31-05-2024 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spoolsv.exe
Size

135KB
MD5

173a4448fed6a11b178af74fe4fe4905
SHA1

9e5e283241c7fe19428fd7d7576f0eb52e534abe
SHA256

f8c846285569aac1973ed33b5753496ac15b8703b37dfc4a22e6d67fe08ad10e
SHA512

835f8c06b50cb6f3b03f7e32d9a68b03586e2bce5b18ffe120177e66055591b0e7e0049d58aad2ed6c9e4f02c9f22fe84f9d3100be595f4399f23485cfd5e4aa
SSDEEP

1536:XfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbgWyn:XVqoCl/YgjxEufVU0TbTyDDalVq

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3616	explorer.exe
4440	spoolsv.exe
5076	svchost.exe
3416	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
5008	spoolsv.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3616	explorer.exe
5076	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
5008	spoolsv.exe
5008	spoolsv.exe
3616	explorer.exe
3616	explorer.exe
4440	spoolsv.exe
4440	spoolsv.exe
5076	svchost.exe
5076	svchost.exe
3416	spoolsv.exe
3416	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 3616	5008	spoolsv.exe	79
PID 5008 wrote to memory of 3616	5008	spoolsv.exe	79
PID 5008 wrote to memory of 3616	5008	spoolsv.exe	79
PID 3616 wrote to memory of 4440	3616	explorer.exe	80
PID 3616 wrote to memory of 4440	3616	explorer.exe	80
PID 3616 wrote to memory of 4440	3616	explorer.exe	80
PID 4440 wrote to memory of 5076	4440	spoolsv.exe	82
PID 4440 wrote to memory of 5076	4440	spoolsv.exe	82
PID 4440 wrote to memory of 5076	4440	spoolsv.exe	82
PID 5076 wrote to memory of 3416	5076	svchost.exe	83
PID 5076 wrote to memory of 3416	5076	svchost.exe	83
PID 5076 wrote to memory of 3416	5076	svchost.exe	83

C:\Users\Admin\AppData\Local\Temp\spoolsv.exe
"C:\Users\Admin\AppData\Local\Temp\spoolsv.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5008
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3616
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5076
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
1d31e0e6e93c90d4c0992bd05ceb77b3

SHA1
d353e727aa97e1d64856c153b32033245f8ae91e

SHA256
41486c77e27dc716d8a3c66f4435cfdd53c5d58aeaaeddc60580cf385b55cd5b

SHA512
6b2e001c36ca926c4eeb7a591081c16a8b48c7215ce0030cce3e2ccf43e55c541570511c7f73dd2b4969687ea17a1bc2f8b5fe33d224bd210bfae1275d16d92f

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
3084f75d3795c323c91e002e83548f97

SHA1
e66256e589d1bbb6d05329f7f66321f102951424

SHA256
8f8fff6e13126524e2bb377bffb6ea9a899fccf230e73c438b883ea2487e16c2

SHA512
d7b75119369c8c1aa2e64d9ad28c121d4b211e814b78b1f840a60316994bd9a0755575eb8968c9bd01bbf5c1315b4f84e7c9eabb8df710a92c62566c7bd5aeb0

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
3984b7ca451ab92a192c0f49870eb437

SHA1
2960caa25268e3a700fc7b3df6972d39e941b163

SHA256
8939dfd4bcf1c73835aa39c35c7a628cd5322077331a1163b53181b70c7ee46f

SHA512
cc28a9c0fbca4c756487651fe9dfd9c7faffce72f3fcf025123ccb9b8f3d1a47b188f310a7c8225dbbe9d593b515557585c631e80332f02b4378a1f2c381f434

Download Submit
memory/3416-30-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3416-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4440-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5008-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5008-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5076-27-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download