8a955e0b4361eec707faec25ad2e965560a1b415401a58c9d4c21ad911f6785f

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a955e0b4361eec707faec25ad2e965560a1b415401a58c9d4c21ad911f6785f.exe
Size

126KB
MD5

a3d1165face475b5fc9f3313966070ff
SHA1

74f5ab92f4946fc68c00f44eef3dc0c71644215b
SHA256

8a955e0b4361eec707faec25ad2e965560a1b415401a58c9d4c21ad911f6785f
SHA512

7d4c067c78fb5299ab56e3cdbf9c2c97a1b482d242f4ad5f38da2f4809bf85b30c2b0d21950e73cf9d8612f7b2af7b421c9e20ee2078504f29512ed4a367bf44
SSDEEP

1536:PoXJ1oTKUbX/sw/LLRJjVY8Vxg5WDvOAAIZcIvvsswHFsXl5:PoLoeqEeLLDBxAWSgcIvu6Xl5

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
4780	explorer.exe
5008	spoolsv.exe
3272	svchost.exe
4416	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	8a955e0b4361eec707faec25ad2e965560a1b415401a58c9d4c21ad911f6785f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3968	8a955e0b4361eec707faec25ad2e965560a1b415401a58c9d4c21ad911f6785f.exe
3968	8a955e0b4361eec707faec25ad2e965560a1b415401a58c9d4c21ad911f6785f.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
3272	svchost.exe
3272	svchost.exe
3272	svchost.exe
3272	svchost.exe
4780	explorer.exe
4780	explorer.exe
3272	svchost.exe
3272	svchost.exe
4780	explorer.exe
4780	explorer.exe
3272	svchost.exe
3272	svchost.exe
4780	explorer.exe
4780	explorer.exe
3272	svchost.exe
3272	svchost.exe
4780	explorer.exe
4780	explorer.exe
3272	svchost.exe
3272	svchost.exe
4780	explorer.exe
4780	explorer.exe
3272	svchost.exe
3272	svchost.exe
4780	explorer.exe
4780	explorer.exe
3272	svchost.exe
3272	svchost.exe
4780	explorer.exe
4780	explorer.exe
3272	svchost.exe
3272	svchost.exe
4780	explorer.exe
4780	explorer.exe
3272	svchost.exe
3272	svchost.exe
4780	explorer.exe
4780	explorer.exe
3272	svchost.exe
3272	svchost.exe
4780	explorer.exe
4780	explorer.exe
3272	svchost.exe
3272	svchost.exe
4780	explorer.exe
4780	explorer.exe
3272	svchost.exe
3272	svchost.exe
4780	explorer.exe
4780	explorer.exe
3272	svchost.exe
3272	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4780	explorer.exe
3272	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3968	8a955e0b4361eec707faec25ad2e965560a1b415401a58c9d4c21ad911f6785f.exe
3968	8a955e0b4361eec707faec25ad2e965560a1b415401a58c9d4c21ad911f6785f.exe
4780	explorer.exe
4780	explorer.exe
5008	spoolsv.exe
5008	spoolsv.exe
3272	svchost.exe
3272	svchost.exe
4416	spoolsv.exe
4416	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 4780	3968	8a955e0b4361eec707faec25ad2e965560a1b415401a58c9d4c21ad911f6785f.exe	90
PID 3968 wrote to memory of 4780	3968	8a955e0b4361eec707faec25ad2e965560a1b415401a58c9d4c21ad911f6785f.exe	90
PID 3968 wrote to memory of 4780	3968	8a955e0b4361eec707faec25ad2e965560a1b415401a58c9d4c21ad911f6785f.exe	90
PID 4780 wrote to memory of 5008	4780	explorer.exe	91
PID 4780 wrote to memory of 5008	4780	explorer.exe	91
PID 4780 wrote to memory of 5008	4780	explorer.exe	91
PID 5008 wrote to memory of 3272	5008	spoolsv.exe	92
PID 5008 wrote to memory of 3272	5008	spoolsv.exe	92
PID 5008 wrote to memory of 3272	5008	spoolsv.exe	92
PID 3272 wrote to memory of 4416	3272	svchost.exe	93
PID 3272 wrote to memory of 4416	3272	svchost.exe	93
PID 3272 wrote to memory of 4416	3272	svchost.exe	93

C:\Users\Admin\AppData\Local\Temp\8a955e0b4361eec707faec25ad2e965560a1b415401a58c9d4c21ad911f6785f.exe
"C:\Users\Admin\AppData\Local\Temp\8a955e0b4361eec707faec25ad2e965560a1b415401a58c9d4c21ad911f6785f.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3968
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4780
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3272
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
126KB

MD5
f9583b5c4b9f6eeb2d89400afef62a9a

SHA1
fbed298f98327808c7ec9898e5f21e314eac8367

SHA256
04bab843f61fdec9e3a6b6ef7a11823b0eb7e02d81f2c073785843de260566a4

SHA512
94a777880d5fbe4b536fda9b1d1627c574f502ec9094e77b7b22381ccc9fd210dcc0334c1e65d8fdffcd61d7e154112fe2e7f82b6153c9809a911b572891a8ad

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
126KB

MD5
e7ad1a92b4618fe9e58deeb56df30a6e

SHA1
1f5b0b77f63ae1463cbabbca85b08d651f6823de

SHA256
c0abe1114853d863640bea4c2beca222b2b8a220bd8a2d62b46692e6f3287828

SHA512
84ab96744dfc3194a64ca2aa40504b98ef5d1aecf7f456d024b65c84d00621dc9e98b68ca48d10015882d08a57633104b4c5f5072249fd647704873f4c106612

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
126KB

MD5
a58cc185ac97a992cf09df6e6a971ae6

SHA1
00867730473060827ef9ca35ce0c002ea7fd1649

SHA256
537f7179d82697ec814238e65f420ebd65a46bb7207b615e04c70a3ab744b6f2

SHA512
fd9295d9560a31c923b9191eed3008d1ce969c508db68151fb2e200039ec8609b3c5fbaedda5d26d8dd0a75cc2317e43978e34b10a3d41641549b03843cdf019

Download Submit