Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 05:37
Static task: static1
Behavioral task: behavioral1
  Sample: fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe
  Resource: win10v2004-20240508-en
General
Target: fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe
Size: 135KB
MD5: 3ea610f47ece05b75bf6a2c8c5f3c139
SHA1: ea62733ed4d07515eb401e02d9325f920e0f69f0
SHA256: fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466
SHA512: 7a9d3d81c1e58c297610e3d5f866c8955c88a44a2130ce26c2b8a7cbda9ed352c24585fb4ea55aa0d450f0be0d9da4c1b91c38c74fa973bb82c27ea5d0032291
SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVIh:UVqoCl/YgjxEufVU0TbTyDDaleh
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                         Process
Set value (int)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  explorer.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  svchost.exe
Executes dropped EXE (4 IoCs)
pid   Process
2216  explorer.exe
2744  spoolsv.exe
320   svchost.exe
1556  spoolsv.exe

Loads dropped DLL (4 IoCs)
pid   Process
1632  fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe
2216  explorer.exe
2744  spoolsv.exe
320   svchost.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description      ioc                                                                                                                                   Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"           explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  svchost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"           svchost.exe

Drops file in System32 directory (2 IoCs)
description                   ioc                               Process
File opened for modification  C:\Windows\SysWOW64\explorer.exe  explorer.exe
File opened for modification  C:\Windows\SysWOW64\explorer.exe  svchost.exe

Drops file in Windows directory (4 IoCs)
description                   ioc                                           Process
File opened for modification  \??\c:\windows\resources\spoolsv.exe          explorer.exe
File opened for modification  \??\c:\windows\resources\svchost.exe          spoolsv.exe
File opened for modification  C:\Windows\Resources\tjud.exe                 explorer.exe
File opened for modification  \??\c:\windows\resources\themes\explorer.exe  fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe

Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2572  schtasks.exe
2040  schtasks.exe
2292  schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs; consecutive identical rows collapsed, count in parentheses)
pid   Process
1632  fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe  (x17)
2216  explorer.exe  (x16)
320   svchost.exe   (x16)
2216  explorer.exe  (x3)
320   svchost.exe   (x2)
2216  explorer.exe
320   svchost.exe
2216  explorer.exe
320   svchost.exe
2216  explorer.exe
320   svchost.exe
2216  explorer.exe
320   svchost.exe
2216  explorer.exe
320   svchost.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid   Process
2216  explorer.exe
320   svchost.exe

Suspicious use of SetWindowsHookEx (10 IoCs; consecutive identical rows collapsed)
pid   Process
1632  fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe  (x2)
2216  explorer.exe  (x2)
2744  spoolsv.exe   (x2)
320   svchost.exe   (x2)
1556  spoolsv.exe   (x2)

Suspicious use of WriteProcessMemory (32 IoCs; each row was recorded 4 times)
description                       pid   Process                                                                 procid_target
PID 1632 wrote to memory of 2216  1632  fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe  28  (x4)
PID 2216 wrote to memory of 2744  2216  explorer.exe                                                            29  (x4)
PID 2744 wrote to memory of 320   2744  spoolsv.exe                                                             30  (x4)
PID 320 wrote to memory of 1556   320   svchost.exe                                                             31  (x4)
PID 2216 wrote to memory of 2708  2216  explorer.exe                                                            32  (x4)
PID 320 wrote to memory of 2572   320   svchost.exe                                                             33  (x4)
PID 320 wrote to memory of 2040   320   svchost.exe                                                             38  (x4)
PID 320 wrote to memory of 2292   320   svchost.exe                                                             40  (x4)
Processes (tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe"
  PID: 1632
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\resources\themes\explorer.exe
    Command line: c:\windows\resources\themes\explorer.exe
    PID: 2216
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\spoolsv.exe
      Command line: c:\windows\resources\spoolsv.exe SE
      PID: 2744
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\svchost.exe
        Command line: c:\windows\resources\svchost.exe
        PID: 320
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe PR
          PID: 1556
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:39 /f
          PID: 2572
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:40 /f
          PID: 2040
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:41 /f
          PID: 2292
          - Creates scheduled task(s)

    C:\Windows\Explorer.exe
      Command line: C:\Windows\Explorer.exe
      PID: 2708
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads

Filesize: 135KB
MD5: a56470d0f1a0e8f0e0255281122c4d1a
SHA1: 9bef35270ba4c1b50f11ed52a76341c0718c69ed
SHA256: 5acceba11b105121b5415a8f69bf523f40f3be21ede92d2f72131547d047224d
SHA512: 7f8bbf142a12f913ff02d2252fd4c598a5a50f3bf56f820c2247b32febd8d181dec36a4310cc9278e3d1dd53a26f493aa829f20365e155dd637b4018023a8023

Filesize: 135KB
MD5: 366eb529390c9ab0b9a30a6dec9bf89a
SHA1: dd69f237c5b45fd1be90dfe9fc058e48cc638da1
SHA256: da7e0d810eb115efc5688a817e139b7d2f4467de27ec0530e8e8dff1515f9985
SHA512: 307b2902fd0dc507500b04ecf1f5c1bc0723eeedcd805d46a0960b0f9114f1a8819d9e09b96cf56e832889604e2ea6fc5da636c554489ae4f947333f08203f01

Filesize: 135KB
MD5: fb9529b2c4a8e49e31d33f76c5129a06
SHA1: 8c00e0d7f2ed1e24dcf2adcdcfe2646452fc3a5f
SHA256: 57b6bd55cd4444eb5c41e92d41901b8b5c472c7988aca13af8c75cb5f7cfc7d1
SHA512: 2b5070ca21c4a1d4fbe7843fecb233991fc217c6d238fda624ffd6bcb4c39c9e327eb2a9306eb62e5347cc7b2a0a2cabd41906f75fb903073a9df390e4e85668