Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2024 05:37

Static task: static1
Behavioral task: behavioral1
  Sample: fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe
  Resource: win10v2004-20240508-en
General
- Target: fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe
- Size: 135KB
- MD5: 3ea610f47ece05b75bf6a2c8c5f3c139
- SHA1: ea62733ed4d07515eb401e02d9325f920e0f69f0
- SHA256: fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466
- SHA512: 7a9d3d81c1e58c297610e3d5f866c8955c88a44a2130ce26c2b8a7cbda9ed352c24585fb4ea55aa0d450f0be0d9da4c1b91c38c74fa973bb82c27ea5d0032291
- SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVIh:UVqoCl/YgjxEufVU0TbTyDDaleh
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

- Executes dropped EXE (4 IoCs)
  pid | process
  4352 | explorer.exe
  704 | spoolsv.exe
  1056 | svchost.exe
  1828 | spoolsv.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe

- Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe

- Drops file in Windows directory (4 IoCs)
  description | ioc | process
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  2564 | fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe (repeated entries)
  4352 | explorer.exe (repeated entries)
  All 64 entries belong to these two processes.

- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | process
  4352 | explorer.exe
  1056 | svchost.exe

- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | process
  2564 | fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe (2 entries)
  4352 | explorer.exe (2 entries)
  704 | spoolsv.exe (2 entries)
  1056 | svchost.exe (2 entries)
  1828 | spoolsv.exe (2 entries)

- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | procid_target
  PID 2564 wrote to memory of 4352 | 2564 | fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe | 85 (3 entries)
  PID 4352 wrote to memory of 704 | 4352 | explorer.exe | 86 (3 entries)
  PID 704 wrote to memory of 1056 | 704 | spoolsv.exe | 87 (3 entries)
  PID 1056 wrote to memory of 1828 | 1056 | svchost.exe | 88 (3 entries)
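The signatures above describe a small, reusable set of host indicators: RunOnce values that point into c:\windows\resources, ShowSuperHidden forced to 0, copies of explorer.exe/svchost.exe/spoolsv.exe (and tjud.exe) dropped under C:\Windows\Resources, a foreign process modifying C:\Windows\SysWOW64\explorer.exe, and a four-deep launch chain of those copies. As an added example (not sandbox output and not the sample's own code), the following Python encodes those indicators as rules and replays constructed Sysmon-style events that mirror this report, plus two benign control events, to show which fire and which do not. The event field names, the sample's parent PID 4000 and the two benign events are assumptions of this example.

```python
"""Offline triage of the behaviours recorded in this report.

Added example: neither sandbox output nor the sample's code. Constructed,
Sysmon-style event dicts are run through rules that encode the report's
indicators. The field names (event, image, pid, ppid, path, target, value)
are an assumption of this example, not a real log schema.
"""
import re
from collections import Counter

# Directory the sample drops its copies into, and the system names it borrows.
DROP_DIR = r"c:\windows\resources"
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}
# Where those three binaries legitimately live on 64-bit Windows 10.
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
RUNONCE_RE = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\runonce\\", re.I)
SHOW_SUPER_HIDDEN_RE = re.compile(r"\\explorer\\advanced\\showsuperhidden$", re.I)


def norm(path):
    """Lower-case a path and strip the \\??\\ NT prefix and surrounding quotes."""
    return path.lower().replace("\\??\\", "").strip('"')


def split_path(path):
    """Return (directory, basename) of a normalised Windows path."""
    d, _, b = norm(path).rpartition("\\")
    return d, b


def classify(ev):
    """Return the finding tags for one event; an empty list means benign."""
    tags = []
    if ev["event"] == "registry_set":
        data = str(ev.get("value", ""))
        if RUNONCE_RE.search(ev["target"]) and norm(data).startswith(DROP_DIR):
            tags.append("runonce_points_into_resources_dir")
        if SHOW_SUPER_HIDDEN_RE.search(ev["target"]) and data == "0":
            tags.append("disables_showsuperhidden")
    elif ev["event"] == "file_create":
        d, b = split_path(ev["path"])
        actor_dir, _ = split_path(ev["image"])
        if b.endswith(".exe") and d.startswith(DROP_DIR):
            tags.append("exe_dropped_into_resources_dir")
        if b in SYSTEM_NAMES and d in LEGIT_DIRS and actor_dir not in LEGIT_DIRS:
            tags.append("system_binary_modified_by_foreign_process")
    elif ev["event"] == "process_create":
        d, b = split_path(ev["image"])
        if b in SYSTEM_NAMES and d not in LEGIT_DIRS:
            tags.append("masqueraded_process_start")
    return tags


def triage(events):
    """Count findings by tag across all events."""
    counts = Counter()
    for ev in events:
        counts.update(classify(ev))
    return counts


def process_chain(events):
    """Rebuild the launch chain as (depth, basename, pid) tuples, parents first."""
    procs = {ev["pid"]: ev for ev in events if ev["event"] == "process_create"}
    chain = []

    def walk(pid, depth):
        chain.append((depth, split_path(procs[pid]["image"])[1], pid))
        for child, ev in procs.items():
            if ev["ppid"] == pid:
                walk(child, depth + 1)

    for pid, ev in procs.items():
        if ev["ppid"] not in procs:  # root: its parent was never observed
            walk(pid, 0)
    return chain


# Constructed telemetry mirroring the report's process tree, file drops and
# registry writes. The sample's parent PID (4000) and the two benign control
# events at the end are made up for this example.
SAMPLE = r"c:\users\admin\appdata\local\temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe"
DROPPED_EXPLORER = r"c:\windows\resources\themes\explorer.exe"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
EVENTS = [
    {"event": "process_create", "pid": 2564, "ppid": 4000, "image": SAMPLE},
    {"event": "file_create", "image": SAMPLE, "path": "\\??\\" + DROPPED_EXPLORER},
    {"event": "process_create", "pid": 4352, "ppid": 2564, "image": DROPPED_EXPLORER},
    {"event": "registry_set", "image": DROPPED_EXPLORER, "target": RUNONCE + r"\Explorer",
     "value": DROPPED_EXPLORER + " RO"},
    {"event": "registry_set", "image": DROPPED_EXPLORER, "target": RUNONCE + r"\Svchost",
     "value": r"c:\windows\resources\svchost.exe RO"},
    {"event": "registry_set", "image": DROPPED_EXPLORER, "value": "0", "target":
     r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"},
    {"event": "file_create", "image": DROPPED_EXPLORER, "path": r"C:\Windows\SysWOW64\explorer.exe"},
    {"event": "file_create", "image": DROPPED_EXPLORER, "path": r"\??\c:\windows\resources\spoolsv.exe"},
    {"event": "file_create", "image": DROPPED_EXPLORER, "path": r"C:\Windows\Resources\tjud.exe"},
    {"event": "process_create", "pid": 704, "ppid": 4352, "image": r"c:\windows\resources\spoolsv.exe"},
    {"event": "file_create", "image": r"c:\windows\resources\spoolsv.exe",
     "path": r"\??\c:\windows\resources\svchost.exe"},
    {"event": "process_create", "pid": 1056, "ppid": 704, "image": r"c:\windows\resources\svchost.exe"},
    {"event": "process_create", "pid": 1828, "ppid": 1056, "image": r"c:\windows\resources\spoolsv.exe"},
    # Benign controls (made up): the real svchost.exe and an installer's RunOnce entry.
    {"event": "process_create", "pid": 900, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe"},
    {"event": "registry_set", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
     "value": r"C:\Program Files\Vendor\setup.exe /finish"},
]

if __name__ == "__main__":
    for tag, n in sorted(triage(EVENTS).items()):
        print(f"{n:2d}  {tag}")
    for depth, name, pid in process_chain(EVENTS):
        print("  " * depth + f"{name} (PID {pid})")
```

The drop rule keys on the directory rather than the borrowed file names, so it also catches tjud.exe; the masquerade rule keys on the names, so the genuine System32 svchost.exe and the installer's RunOnce value produce no findings. The chain rebuilt from pid/ppid reproduces the 2564 -> 4352 -> 704 -> 1056 -> 1828 sequence that the WriteProcessMemory entries above record.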
Processes

C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe (depth 1, PID 2564)
  command line: "C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\resources\themes\explorer.exe (depth 2, PID 4352, child of 2564)
    command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\spoolsv.exe (depth 3, PID 704, child of 4352)
      command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\svchost.exe (depth 4, PID 1056, child of 704)
        command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\spoolsv.exe (depth 5, PID 1828, child of 1056)
          command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 135KB
  MD5: aa450174d15d16f084c41dfe59ea7b76
  SHA1: 472fb1a3b6e2f908e8381c3495d3e8a7d34e7fdb
  SHA256: 0ced3150fb1d9f9016b4c1c418553c3593bcbb4a7aa254e66b371ee0c241dfbf
  SHA512: a690210c64c58c36de0b0846129a2c5adebdedce561dff068514bdc68f4a25946730e658edf3c95a669259643b84bb5db8bf5355b1b0b02e1d4e219c7b19cfdf
- Filesize: 135KB
  MD5: 46bf70a8cca0bf61dfdb9563efa2c9bf
  SHA1: 55ac6716ec7ebe440aef4e315d5df766260d2e92
  SHA256: 0e242ff479876d83b6fde31f9419a2b9de72a19b949f73cf18fad55cfcb131ff
  SHA512: 99ec9e1cfd410a26ce4a056f7427a4b6680c88b6fdebcaf4794ae51cbaae5e126491846ddbb4e517ad307ef0e1b1ed881056b2662a5308269692e5223bef81aa
- Filesize: 135KB
  MD5: 5a98aa8e38cb61d9eed7767accf58229
  SHA1: 35f85ca01882c7ab8f62032226ba1dbe46be3f5f
  SHA256: b220400d30047511871f7f6c08574040fa5a4bdc1f7d318cba7017f7d0c18982
  SHA512: dea7c2cf0555442cfb60497edbd35c1f5449e7b0373bc822e3ab02f4226abb3b4c27bfdc027a687c9daeada8fd108285238a58ab05ff8a47ab285a5ffdb61ef6