Analysis
- max time kernel: 154s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 03:52

Static task: static1

Behavioral task: behavioral1
- Sample: ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe
- Resource: win10v2004-20240226-en
General
- Target: ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe
- Size: 3.6MB
- MD5: 4cc0ae9f491fbdf5382c58453eb0031f
- SHA1: a96c616d576feac5e747ae9677992fe9b05956bf
- SHA256: ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe
- SHA512: d47e2dd836205afc7faf91304ed6ce3b3deda07ca7701d7bf8f9c79270f14bad5c54fef50046bab9cb1b63e0f325b7f17bf32f5ba83d733a5fce4cf134728a95
- SSDEEP: 98304:UdByXcdnlLwOrI5Vfeg91hZOhkRpsinjW:Udien+OrFuBR6cW
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description / ioc / Process:
  - Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)

- Executes dropped EXE (4 IoCs)
  pid / Process:
  - 4176 explorer.exe
  - 3884 spoolsv.exe
  - 2980 svchost.exe
  - 1588 spoolsv.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  description / ioc / Process:
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (explorer.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (explorer.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (svchost.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (svchost.exe)

- Drops file in System32 directory (2 IoCs)
  description / ioc / Process:
  - File opened for modification C:\Windows\SysWOW64\explorer.exe (explorer.exe)
  - File opened for modification C:\Windows\SysWOW64\explorer.exe (svchost.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (33 IoCs)
  pid / Process (33 hits in total; after the initial hits from each process, the remainder alternate between explorer.exe 4176 and svchost.exe 2980):
  - 2916 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe
  - 4176 explorer.exe
  - 3884 spoolsv.exe
  - 2980 svchost.exe
  - 1588 spoolsv.exe

- Drops file in Windows directory (4 IoCs)
  description / ioc / Process:
  - File opened for modification \??\c:\windows\resources\spoolsv.exe (explorer.exe)
  - File opened for modification \??\c:\windows\resources\svchost.exe (spoolsv.exe)
  - File opened for modification C:\Windows\Resources\tjud.exe (explorer.exe)
  - File opened for modification \??\c:\windows\resources\themes\explorer.exe (ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process (64 hits in total, repeated from the same two processes):
  - 2916 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe
  - 4176 explorer.exe

- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid / Process:
  - 4176 explorer.exe
  - 2980 svchost.exe
- Suspicious use of SetWindowsHookEx (15 IoCs)
  pid / Process (3 hits each):
  - 2916 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe
  - 4176 explorer.exe
  - 3884 spoolsv.exe
  - 2980 svchost.exe
  - 1588 spoolsv.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target (3 hits each):
  - PID 2916 wrote to memory of 4176 (pid 2916, ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe, procid_target 90)
  - PID 4176 wrote to memory of 3884 (pid 4176, explorer.exe, procid_target 91)
  - PID 3884 wrote to memory of 2980 (pid 3884, spoolsv.exe, procid_target 92)
  - PID 2980 wrote to memory of 1588 (pid 2980, svchost.exe, procid_target 93)
Processes
- C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe (PID 2916)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\resources\themes\explorer.exe (PID 4176)
    Command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\spoolsv.exe (PID 3884)
      Command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\svchost.exe (PID 2980)
        Command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\spoolsv.exe (PID 1588)
          Command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4924)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4420 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 194ff42ed584744752f09c3ed0245f79
  SHA1: 26afd225a8155a18291df64e542b4ad259b0a56f
  SHA256: 021e9179159e2519921894e3346a793272dd5e7c0ae82887ad888560a7462f79
  SHA512: 47b9ddcb8e21bc90797f766229f643aa794101f31082e75fffe2a9565907e73a7eb7749940aed8a3477d339846a43bf5913d18d4abc3568f19895f3bbce72ccd
- Filesize: 3.6MB
  MD5: 6d8bf0877d099489750bf1925079a13f
  SHA1: e699c9a0afc597f270b0830236018739a7047eb7
  SHA256: 6c0279c3f4f38627d1622db2c872205cc44964bf63833bf644a6c6b51ee3ac41
  SHA512: 8940c2c5df4b67da0cf4357efe3ade25d559a82e6fe2c3649cf92b8d0fc379982742e460618df93c6e5e0e045443a541683d75d075f71f89d3d9b8894f49f4cd
- Filesize: 3.6MB
  MD5: 81b9788968750bd858d3380db3cc0fe9
  SHA1: 6866c4fe4b64720b83477eacc8595e39271248ee
  SHA256: f20b67c5ce865f3cd7e83e6b00a402ee2d1f058adf4bcd4e5bb4b5d687c84321
  SHA512: 8e0fc12c145d2a9d11342c0a269049c988e71fea11b787546ddca3828847227ebd8587dbc6b4c8062b2a46848c0b85e382b7d8b1f2b6b894706ecdaead57a9fe