Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
03-06-2024 03:52
Static task
static1
Behavioral task
behavioral1
Sample
ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe
Resource
win10v2004-20240226-en
General
-
Target
ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe
-
Size
3.6MB
-
MD5
4cc0ae9f491fbdf5382c58453eb0031f
-
SHA1
a96c616d576feac5e747ae9677992fe9b05956bf
-
SHA256
ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe
-
SHA512
d47e2dd836205afc7faf91304ed6ce3b3deda07ca7701d7bf8f9c79270f14bad5c54fef50046bab9cb1b63e0f325b7f17bf32f5ba83d733a5fce4cf134728a95
-
SSDEEP
98304:UdByXcdnlLwOrI5Vfeg91hZOhkRpsinjW:Udien+OrFuBR6cW
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Executes dropped EXE 4 IoCs
pid Process 1276 explorer.exe 2644 spoolsv.exe 2672 svchost.exe 2568 spoolsv.exe -
Loads dropped DLL 4 IoCs
pid Process 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1276 explorer.exe 2644 spoolsv.exe 2672 svchost.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs
pid Process 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1276 explorer.exe 1276 explorer.exe 2644 spoolsv.exe 2672 svchost.exe 2568 spoolsv.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2548 schtasks.exe 1620 schtasks.exe 1532 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 2672 svchost.exe 2672 svchost.exe 2672 svchost.exe 2672 svchost.exe 2672 svchost.exe 2672 svchost.exe 2672 svchost.exe 2672 svchost.exe 2672 svchost.exe 2672 svchost.exe 2672 svchost.exe 2672 svchost.exe 2672 svchost.exe 2672 svchost.exe 2672 svchost.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe 2672 svchost.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 2672 svchost.exe 2672 svchost.exe 1276 explorer.exe 1276 explorer.exe 2672 svchost.exe 1276 explorer.exe 2672 svchost.exe 2672 svchost.exe 1276 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2672 svchost.exe 1276 explorer.exe -
Suspicious use of SetWindowsHookEx 15 IoCs
pid Process 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 2644 spoolsv.exe 2644 spoolsv.exe 2644 spoolsv.exe 2672 svchost.exe 2672 svchost.exe 2672 svchost.exe 2568 spoolsv.exe 2568 spoolsv.exe 2568 spoolsv.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 1792 wrote to memory of 1276 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 28 PID 1792 wrote to memory of 1276 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 28 PID 1792 wrote to memory of 1276 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 28 PID 1792 wrote to memory of 1276 1792 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe 28 PID 1276 wrote to memory of 2644 1276 explorer.exe 29 PID 1276 wrote to memory of 2644 1276 explorer.exe 29 PID 1276 wrote to memory of 2644 1276 explorer.exe 29 PID 1276 wrote to memory of 2644 1276 explorer.exe 29 PID 2644 wrote to memory of 2672 2644 spoolsv.exe 30 PID 2644 wrote to memory of 2672 2644 spoolsv.exe 30 PID 2644 wrote to memory of 2672 2644 spoolsv.exe 30 PID 2644 wrote to memory of 2672 2644 spoolsv.exe 30 PID 2672 wrote to memory of 2568 2672 svchost.exe 31 PID 2672 wrote to memory of 2568 2672 svchost.exe 31 PID 2672 wrote to memory of 2568 2672 svchost.exe 31 PID 2672 wrote to memory of 2568 2672 svchost.exe 31 PID 1276 wrote to memory of 2588 1276 explorer.exe 32 PID 1276 wrote to memory of 2588 1276 explorer.exe 32 PID 1276 wrote to memory of 2588 1276 explorer.exe 32 PID 1276 wrote to memory of 2588 1276 explorer.exe 32 PID 2672 wrote to memory of 2548 2672 svchost.exe 33 PID 2672 wrote to memory of 2548 2672 svchost.exe 33 PID 2672 wrote to memory of 2548 2672 svchost.exe 33 PID 2672 wrote to memory of 2548 2672 svchost.exe 33 PID 2672 wrote to memory of 1620 2672 svchost.exe 38 PID 2672 wrote to memory of 1620 2672 svchost.exe 38 PID 2672 wrote to memory of 1620 2672 svchost.exe 38 PID 2672 wrote to memory of 1620 2672 svchost.exe 38 PID 2672 wrote to memory of 1532 2672 svchost.exe 40 PID 2672 wrote to memory of 1532 2672 svchost.exe 40 PID 2672 wrote to memory of 1532 2672 svchost.exe 40 PID 2672 wrote to memory of 1532 2672 svchost.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe"C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2568
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:54 /f5⤵
- Creates scheduled task(s)
PID:2548
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:55 /f5⤵
- Creates scheduled task(s)
PID:1620
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:56 /f5⤵
- Creates scheduled task(s)
PID:1532
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵PID:2588
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5bf3626aca5cb1dfa96615abeda94dea8
SHA1ecd29ba5de46082dbec1cb91f9e45fd898148717
SHA256427361dc65a40f09ae09ae835c523e420d65c08b0fd3717183573137708c48c5
SHA512dc75d32765f04fd954f637d5a803dce24b221dbc66fb473384d60050d6cfd7122f7af1c7f50750ae5377a110a4b6b6610f739bdae42b49004385363c62340cdf
-
Filesize
3.6MB
MD59349c7373904a0828f8e75f26c7b3aff
SHA1320ca3efcf47dd3bb235e00288003864c8bb8fab
SHA256be68e8069ba1c545086f448f9e6b858296ba3a669d455f4380205d572ce2f3eb
SHA512c1be2c276c82ff3969a89db8d623bfd93b4a3c558a6909ca4dfe469374c51fb165e3f84670ffd606c32fe5defecaec7c0e74ea42313898bf9274bbdf4a1d84aa
-
Filesize
3.6MB
MD591778df29b255f658a097af6efd61cdc
SHA12bc471fd3b4c085ce83a5fcc45da8f50dd3e1589
SHA256e45099cb410dc5e3ed290e96aeaf6366493dafdd678ab6d88725339805ac5306
SHA5123f4030de1e40d3b5fd5a79b32fb33a186287465bdb2710ff35b95ce2b070dcd7b06cc3c2cc31425ab086d7a517dde93d9215e8b882a5b2d739bd94651368ee8e