6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
Size

3.6MB
MD5

6145e3ebc882746fb2414ccad1ed4ed9
SHA1

20471c3b4120cc056dda6a7a4a1a8a2c4209d2d0
SHA256

6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede
SHA512

5ddf6d066d2ca1e8a2134f04ecf2a987f07344dab615d66713b3cb9dee0fad8f0f27cc4fad2e71deace1615a04ae4b3126a8cafca5aed5430742101debea1151
SSDEEP

98304:JdByXcdnlLwOrI5Vfeg91hZOhkRpsinjx:Jdien+OrFuBR6cx

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4356	explorer.exe
1608	spoolsv.exe
3652	svchost.exe
3144	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs

pid	Process
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
4356	explorer.exe
4356	explorer.exe
1608	spoolsv.exe
3652	svchost.exe
3652	svchost.exe
3144	spoolsv.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
4356	explorer.exe
3652	svchost.exe
4356	explorer.exe
3652	svchost.exe
4356	explorer.exe
3652	svchost.exe
4356	explorer.exe
3652	svchost.exe
4356	explorer.exe
3652	svchost.exe
4356	explorer.exe
3652	svchost.exe
4356	explorer.exe
3652	svchost.exe
4356	explorer.exe
3652	svchost.exe
4356	explorer.exe
3652	svchost.exe
4356	explorer.exe
3652	svchost.exe
4356	explorer.exe
3652	svchost.exe
4356	explorer.exe
3652	svchost.exe
4356	explorer.exe
3652	svchost.exe
4356	explorer.exe
3652	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4356	explorer.exe
3652	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
1608	spoolsv.exe
1608	spoolsv.exe
1608	spoolsv.exe
3652	svchost.exe
3652	svchost.exe
3652	svchost.exe
3144	spoolsv.exe
3144	spoolsv.exe
3144	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 4356	1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe	91
PID 1448 wrote to memory of 4356	1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe	91
PID 1448 wrote to memory of 4356	1448	6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe	91
PID 4356 wrote to memory of 1608	4356	explorer.exe	93
PID 4356 wrote to memory of 1608	4356	explorer.exe	93
PID 4356 wrote to memory of 1608	4356	explorer.exe	93
PID 1608 wrote to memory of 3652	1608	spoolsv.exe	95
PID 1608 wrote to memory of 3652	1608	spoolsv.exe	95
PID 1608 wrote to memory of 3652	1608	spoolsv.exe	95
PID 3652 wrote to memory of 3144	3652	svchost.exe	97
PID 3652 wrote to memory of 3144	3652	svchost.exe	97
PID 3652 wrote to memory of 3144	3652	svchost.exe	97

C:\Users\Admin\AppData\Local\Temp\6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe
"C:\Users\Admin\AppData\Local\Temp\6e2eb9481bbca637c22725ab53fd7005ad011c55ce02d804f812da6790a9bede.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4356
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3652
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=3652 /prefetch:8
1⤵
PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
3.6MB

MD5
933c6c8834a853f60bec2496786460a3

SHA1
3c63e772908ed624146017cb528b625ec8357023

SHA256
6061dccc77eb4fa9966bdaffc0fd984bd83cceda34d4fa6f6842becee1de447e

SHA512
af07fab6ecbc13c6312436aa42f7045930ed8aa35b3e5dbbfc6b5891a3d87f045f27c60e8d3a7c0a9fb463bd55683718ab5ebbec0e57e5acd007c74dc2312c59

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
3.6MB

MD5
c2c5982ce694b86cad3a576270c6a565

SHA1
2223c838d28e3985fca7757376c7ebdd56556548

SHA256
8b81e972fd7987caa8a1bef4568341e18a9948babb49037b1bedb6859475cb40

SHA512
9c4b37150047646a58860b2beaa76e5f2933e39b3caa3ad81f9332aa4af2a6b2f219d76f6d6c6afd2f4f2c42a8896a8643d1f689f733adb68c9023af4a84e26d

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
3.6MB

MD5
ee6f7839459a1e29eb42ccfc08a4bbfc

SHA1
ceb55c5873b11268256e6926b8e3ac38f1c12f92

SHA256
91318436f98e35308411e66ee56e4126eac7221fc923c5575861434e5449dfd8

SHA512
0302bffd5d674422af06b775b979d611f6c14f247d864ede4839ed934c758b88e2860f503dbbcbcb9783e1e8d3e8e5f66a6d8ce2a4e49e6589024459e950a5d1

Download Submit
memory/1448-0-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/1448-2-0x0000000077AA3000-0x0000000077AA4000-memory.dmp

Filesize
4KB

Download
memory/1448-1-0x0000000077AA2000-0x0000000077AA3000-memory.dmp

Filesize
4KB

Download
memory/1448-41-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/1608-40-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3144-32-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3144-37-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3652-45-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3652-67-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3652-43-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3652-65-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3652-69-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3652-63-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3652-47-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3652-49-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3652-55-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3652-61-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3652-51-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3652-53-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3652-59-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3652-57-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4356-48-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4356-56-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4356-54-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4356-58-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4356-52-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4356-60-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4356-50-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4356-62-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4356-46-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4356-44-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4356-66-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4356-42-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4356-68-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4356-11-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download