Malware Analysis Report

2025-01-06 11:48

Sample ID 240603-ee82maac8t
Target ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe
SHA256 ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe

Threat Level: Known bad

The file ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 03:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 03:52

Reported

2024-06-03 03:54

Platform

win7-20240508-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1792 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe \??\c:\windows\resources\themes\explorer.exe
PID 1792 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe \??\c:\windows\resources\themes\explorer.exe
PID 1792 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe \??\c:\windows\resources\themes\explorer.exe
PID 1792 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe \??\c:\windows\resources\themes\explorer.exe
PID 1276 wrote to memory of 2644 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1276 wrote to memory of 2644 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1276 wrote to memory of 2644 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1276 wrote to memory of 2644 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2644 wrote to memory of 2672 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2644 wrote to memory of 2672 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2644 wrote to memory of 2672 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2644 wrote to memory of 2672 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2672 wrote to memory of 2568 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2672 wrote to memory of 2568 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2672 wrote to memory of 2568 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2672 wrote to memory of 2568 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1276 wrote to memory of 2588 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1276 wrote to memory of 2588 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1276 wrote to memory of 2588 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1276 wrote to memory of 2588 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2672 wrote to memory of 2548 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2548 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2548 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2548 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1620 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1620 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1620 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1620 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1532 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1532 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1532 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1532 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe

"C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:54 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:55 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:56 /f

Network

N/A

Files

memory/1792-0-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1792-3-0x00000000776E0000-0x00000000776E1000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 9349c7373904a0828f8e75f26c7b3aff
SHA1 320ca3efcf47dd3bb235e00288003864c8bb8fab
SHA256 be68e8069ba1c545086f448f9e6b858296ba3a669d455f4380205d572ce2f3eb
SHA512 c1be2c276c82ff3969a89db8d623bfd93b4a3c558a6909ca4dfe469374c51fb165e3f84670ffd606c32fe5defecaec7c0e74ea42313898bf9274bbdf4a1d84aa

memory/1276-11-0x0000000000400000-0x0000000000784000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 bf3626aca5cb1dfa96615abeda94dea8
SHA1 ecd29ba5de46082dbec1cb91f9e45fd898148717
SHA256 427361dc65a40f09ae09ae835c523e420d65c08b0fd3717183573137708c48c5
SHA512 dc75d32765f04fd954f637d5a803dce24b221dbc66fb473384d60050d6cfd7122f7af1c7f50750ae5377a110a4b6b6610f739bdae42b49004385363c62340cdf

memory/2644-24-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1276-21-0x0000000003AB0000-0x0000000003E34000-memory.dmp

\Windows\Resources\svchost.exe

MD5 91778df29b255f658a097af6efd61cdc
SHA1 2bc471fd3b4c085ce83a5fcc45da8f50dd3e1589
SHA256 e45099cb410dc5e3ed290e96aeaf6366493dafdd678ab6d88725339805ac5306
SHA512 3f4030de1e40d3b5fd5a79b32fb33a186287465bdb2710ff35b95ce2b070dcd7b06cc3c2cc31425ab086d7a517dde93d9215e8b882a5b2d739bd94651368ee8e

memory/2644-34-0x0000000003930000-0x0000000003CB4000-memory.dmp

memory/2672-35-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2672-42-0x0000000003800000-0x0000000003B84000-memory.dmp

memory/2568-43-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2568-48-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2644-50-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1792-52-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1276-53-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2672-54-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1276-55-0x0000000003AB0000-0x0000000003E34000-memory.dmp

memory/1276-56-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2672-57-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1276-58-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2672-59-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1276-60-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1276-62-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2672-63-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1276-64-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2672-65-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1276-66-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2672-67-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1276-68-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2672-69-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1276-70-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2672-71-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1276-72-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2672-73-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2672-75-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1276-76-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2672-77-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1276-78-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2672-79-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1276-80-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2672-81-0x0000000000400000-0x0000000000784000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 03:52

Reported

2024-06-03 03:55

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe \??\c:\windows\resources\themes\explorer.exe
PID 2916 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe \??\c:\windows\resources\themes\explorer.exe
PID 2916 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe \??\c:\windows\resources\themes\explorer.exe
PID 4176 wrote to memory of 3884 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4176 wrote to memory of 3884 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4176 wrote to memory of 3884 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3884 wrote to memory of 2980 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3884 wrote to memory of 2980 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3884 wrote to memory of 2980 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2980 wrote to memory of 1588 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2980 wrote to memory of 1588 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2980 wrote to memory of 1588 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe

"C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4420 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
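The "wrote to memory" rows and the process list above describe one linear chain: the sample (PID 2916) starts explorer.exe from c:\windows\resources\themes, which starts spoolsv.exe, which starts svchost.exe, which starts a second spoolsv.exe (the two spoolsv.exe command lines carry the arguments SE and PR), all from c:\windows\resources. Each image reuses the name of a Windows binary but none sits where Windows installs it, which is the detection hook a responder should take from this report. The Python below is an added example, not part of the sandbox report: it parses those signature rows, collapses the repeated entries into the parent-to-child chain with a write count, and flags every child image whose name is in a small table of known Windows binaries but whose directory is not the legitimate one. The LEGIT_DIRS table covers only the three names seen here and is an assumption of the example.

```python
"""Triage helper added as an example (not part of the sandbox report): rebuild
the parent->child chain from the 'wrote to memory' rows above and flag every
child image that borrows a Windows binary name from a non-standard directory."""
import re
from collections import Counter

# Constructed input: the twelve signature rows copied verbatim from the report.
WRITE_ROWS = r"""
PID 2916 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe \??\c:\windows\resources\themes\explorer.exe
PID 2916 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe \??\c:\windows\resources\themes\explorer.exe
PID 2916 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\ccb25053ffe7d2cae635531053b0545d93403d3194960066ed1a695fd517affe.exe \??\c:\windows\resources\themes\explorer.exe
PID 4176 wrote to memory of 3884 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4176 wrote to memory of 3884 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4176 wrote to memory of 3884 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3884 wrote to memory of 2980 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3884 wrote to memory of 2980 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3884 wrote to memory of 2980 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2980 wrote to memory of 1588 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2980 wrote to memory of 1588 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2980 wrote to memory of 1588 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
"""

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Where Windows itself installs these names (assumption for this example; extend
# per image name when reusing it). Directories are compared lower-cased.
LEGIT_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def normalize(path):
    """Lower-case the path and drop the NT object-manager prefix the report uses."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p


def parse_writes(text):
    """One (parent_pid, child_pid, parent_image, child_image) tuple per row."""
    writes = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            ppid, pid, src, dst = m.groups()
            writes.append((int(ppid), int(pid), normalize(src), normalize(dst)))
    return writes


def process_chain(writes):
    """Collapse repeated rows into (parent_pid, child_pid, child_image, write_count)
    in first-seen order, so the spawn sequence reads top to bottom."""
    counts = Counter(writes)
    return [(ppid, pid, dst, n) for (ppid, pid, _src, dst), n in counts.items()]


def is_masquerading(path):
    """True when the file name is a well-known Windows binary but its directory is
    not one Windows installs it in (ATT&CK T1036.005, Match Legitimate Name or Location)."""
    directory, _, name = normalize(path).rpartition("\\")
    return name in LEGIT_DIRS and directory not in LEGIT_DIRS[name]


def masquerading_images(writes):
    """Distinct child images in the chain that fail the location check."""
    return sorted({dst for _, _, _, dst in writes if is_masquerading(dst)})


def root_pids(writes):
    """PIDs that only ever appear as the writer: the original sample process."""
    return sorted({ppid for ppid, _, _, _ in writes} - {pid for _, pid, _, _ in writes})


if __name__ == "__main__":
    writes = parse_writes(WRITE_ROWS)
    print("root:", root_pids(writes))
    for ppid, pid, image, n in process_chain(writes):
        flag = "  <- name/location mismatch" if is_masquerading(image) else ""
        print(f"{ppid} -> {pid} {image} ({n} writes){flag}")
```

Run as a script it prints the four-step chain with three writes per spawn. The check is deliberately path-based: a genuine copy of svchost.exe placed in c:\windows\resources is flagged exactly like the dropped file, while a renamed sample in %TEMP% is not, so pair it with the SHA256 values from the Files section when hunting on real hosts.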

Network

Country  Destination         Domain                        Proto
GB       142.250.200.42:443                                tcp
US       8.8.8.8:53          241.150.49.20.in-addr.arpa    udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53          133.32.126.40.in-addr.arpa    udp
US       13.107.246.64:443                                 tcp
US       8.8.8.8:53          97.17.167.52.in-addr.arpa     udp
US       8.8.8.8:53          183.59.114.20.in-addr.arpa    udp
US       8.8.8.8:53          206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53          13.86.106.20.in-addr.arpa     udp
US       8.8.8.8:53          29.243.111.52.in-addr.arpa    udp
US       8.8.8.8:53          11.73.50.20.in-addr.arpa      udp
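The Network table above holds two outbound TCP connections on port 443 and ten UDP queries to 8.8.8.8:53. Every Domain value is an in-addr.arpa name, that is, a reverse (PTR) lookup of an IP address, not the forward resolution of a hostname the sample wanted to reach, and the table attributes none of the rows to a process. The Python below is an added example, not part of the report: it parses the rows (the tcp rows have an empty Domain column and so one field fewer), decodes each PTR name back to the address being looked up, and separates connections, resolver addresses, forward lookups and reverse lookups so that no PTR name is mistaken for a contact domain.

```python
"""Added example (not part of the sandbox report): classify the Network rows
above. The udp rows to port 53 carry in-addr.arpa names, i.e. reverse (PTR)
lookups of an address, not forward resolution of a contact domain."""
import ipaddress

# Constructed input: the Network rows copied from the report. The tcp rows have
# an empty Domain column, so they split into three fields instead of four.
NETWORK_ROWS = """
GB 142.250.200.42:443 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.73.50.20.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """'241.150.49.20.in-addr.arpa' -> '20.49.150.241'; None for anything else.
    The labels are the address octets in reverse order; IPv4Address validates them."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:  # a label outside 0..255 or not numeric
        return None


def parse_network(text):
    """One dict per data row; 'ptr_target' is the address a reverse lookup asked about."""
    rows = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) == 3:            # tcp rows: Domain column is empty
            country, dest, proto = fields
            domain = None
        elif len(fields) == 4:
            country, dest, domain, proto = fields
        else:
            continue
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():          # skips a pasted header line
            continue
        rows.append({
            "country": country, "ip": ip, "port": int(port), "proto": proto,
            "domain": domain, "ptr_target": ptr_to_ip(domain) if domain else None,
        })
    return rows


def summarize(text):
    """Split the table into the buckets a responder acts on differently."""
    rows = parse_network(text)
    return {
        "connections": sorted({(r["ip"], r["port"]) for r in rows if r["proto"] == "tcp"}),
        "dns_servers": sorted({r["ip"] for r in rows if r["port"] == 53}),
        "forward_lookups": sorted({r["domain"] for r in rows if r["domain"] and not r["ptr_target"]}),
        "reverse_lookups": sorted({r["ptr_target"] for r in rows if r["ptr_target"]}),
    }


if __name__ == "__main__":
    for key, values in summarize(NETWORK_ROWS).items():
        print(f"{key}: {values}")
```

For this report the forward_lookups bucket comes out empty and reverse_lookups holds the ten decoded addresses. Because the table carries no process column, treat the reverse lookups as background context and the two TCP connections as the candidates worth correlating against the process timeline before calling anything a C2 indicator.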

Files

memory/2916-0-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2916-1-0x0000000077832000-0x0000000077833000-memory.dmp

memory/2916-2-0x0000000077833000-0x0000000077834000-memory.dmp

memory/2916-5-0x0000000000400000-0x0000000000784000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 194ff42ed584744752f09c3ed0245f79
SHA1 26afd225a8155a18291df64e542b4ad259b0a56f
SHA256 021e9179159e2519921894e3346a793272dd5e7c0ae82887ad888560a7462f79
SHA512 47b9ddcb8e21bc90797f766229f643aa794101f31082e75fffe2a9565907e73a7eb7749940aed8a3477d339846a43bf5913d18d4abc3568f19895f3bbce72ccd

C:\Windows\Resources\spoolsv.exe

MD5 6d8bf0877d099489750bf1925079a13f
SHA1 e699c9a0afc597f270b0830236018739a7047eb7
SHA256 6c0279c3f4f38627d1622db2c872205cc44964bf63833bf644a6c6b51ee3ac41
SHA512 8940c2c5df4b67da0cf4357efe3ade25d559a82e6fe2c3649cf92b8d0fc379982742e460618df93c6e5e0e045443a541683d75d075f71f89d3d9b8894f49f4cd

memory/3884-21-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2916-20-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2916-27-0x0000000000400000-0x0000000000784000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 81b9788968750bd858d3380db3cc0fe9
SHA1 6866c4fe4b64720b83477eacc8595e39271248ee
SHA256 f20b67c5ce865f3cd7e83e6b00a402ee2d1f058adf4bcd4e5bb4b5d687c84321
SHA512 8e0fc12c145d2a9d11342c0a269049c988e71fea11b787546ddca3828847227ebd8587dbc6b4c8062b2a46848c0b85e382b7d8b1f2b6b894706ecdaead57a9fe

memory/1588-35-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1588-39-0x0000000000400000-0x0000000000784000-memory.dmp

memory/3884-42-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2916-41-0x0000000000400000-0x0000000000784000-memory.dmp

memory/4176-43-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2980-44-0x0000000000400000-0x0000000000784000-memory.dmp

memory/4176-45-0x0000000000400000-0x0000000000784000-memory.dmp

memory/4176-46-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2980-47-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2980-49-0x0000000000400000-0x0000000000784000-memory.dmp

memory/4176-50-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2980-51-0x0000000000400000-0x0000000000784000-memory.dmp

memory/4176-52-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2980-53-0x0000000000400000-0x0000000000784000-memory.dmp

memory/4176-54-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2980-55-0x0000000000400000-0x0000000000784000-memory.dmp

memory/4176-56-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2980-57-0x0000000000400000-0x0000000000784000-memory.dmp

memory/4176-58-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2980-59-0x0000000000400000-0x0000000000784000-memory.dmp

memory/4176-60-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2980-61-0x0000000000400000-0x0000000000784000-memory.dmp

memory/4176-62-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2980-63-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2980-65-0x0000000000400000-0x0000000000784000-memory.dmp

memory/4176-66-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2980-67-0x0000000000400000-0x0000000000784000-memory.dmp

memory/4176-68-0x0000000000400000-0x0000000000784000-memory.dmp