Analysis
- max time kernel: 150s
- max time network: 93s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-06-2024 07:09
Behavioral task behavioral1
- Sample: b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe
- Resource: win7-20231129-en
Behavioral task behavioral2 (the run shown on this page; every IoC below is tagged behavioral2)
- Sample: b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe
- Resource: win10v2004-20240508-en
General
- Target: b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe
- Size: 2.5MB
- MD5: 63ca0c5ebebb808b1f6c75fb1912616c
- SHA1: 78ee18e27107f8bde55e8f3b8e8d4da563e52b66
- SHA256: b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee
- SHA512: e8e2be4ddca4c3e07f8f3b82bf2a8c75db18243254f5306d3fe74d5cb4b47d7a26888d8c63b9fba1f28ca64888e278b8a40d98a58bdcd1eb79a9c8451fc99e82
- SSDEEP: 49152:hxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxH:hxx9NUFkQx753uWuCyyxH
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
  - Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
  - The same value is set again by svchost.exe (PID 4296).
  ShowSuperHidden = 0 is the Explorer setting that hides files carrying both the hidden and system attributes. The report does not show which attributes the dropped files carry, so treat this as a defense-evasion indicator rather than proof that the drops are hidden.
- Detects executables packed with Themida (17 IoCs)
YARA rule INDICATOR_EXE_Packed_Themida matched (memory dumps are named PID-index-start-end):
  - on disk: C:\Windows\Resources\Themes\explorer.exe, C:\Windows\Resources\spoolsv.exe, C:\Windows\Resources\svchost.exe
  - in memory, the 0x0000000000400000-0x0000000000A0E000 region of every process in the chain: PID 1976 (dumps 0, 41), PID 1396 (dumps 10, 42, 44, 56), PID 372 (dumps 19, 39), PID 4296 (dumps 28, 43, 47, 51), PID 1132 (dumps 33, 37)
  The identical mapped range in all five processes suggests each drop is a copy of the same packed image. Signatures written against the packed file will match the drops as well, and any unpacked payload has to be recovered from one of these memory dumps rather than from the files on disk.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe, b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by each of the five processes (the submitted sample, explorer.exe, both spoolsv.exe instances and svchost.exe)
  The VBOX__ DSDT key is populated from the VirtualBox firmware tables and exists only on VirtualBox guests, so a successful open of that key is enough for the packer to conclude it is running in a VM.
- Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by all five processes
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by all five processes
- Executes dropped EXE (4 IoCs)
Processes: 1396 explorer.exe, 372 spoolsv.exe, 4296 svchost.exe, 1132 spoolsv.exe
- Themida-packed (YARA rule themida, 17 IoCs)
The generic rule themida matched exactly the same 17 resources as INDICATOR_EXE_Packed_Themida above: the three dropped files and the 0x0000000000400000-0x0000000000A0E000 region of PIDs 1976, 1396, 372, 4296 and 1132.
- Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (explorer.exe, and again by svchost.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (explorer.exe, and again by svchost.exe)
  The values land under WOW6432Node because the writers are 32-bit processes on x64 Windows and the registry redirector maps their HKLM\SOFTWARE writes there, consistent with the arch:x86 resource tag. RunOnce values are deleted when they fire, and both stages re-create them, so on a live host the keys may be absent at any given moment while the files in c:\windows\resources remain; hunt for the files and for the RunOnce write events, not only for the current key contents.
- Checks whether UAC is enabled (5 IoCs)
Processes: b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by each of the five processes
- Drops file in System32 directory (2 IoCs)
Processes: explorer.exe, svchost.exe
  - File opened for modification C:\Windows\SysWOW64\explorer.exe (explorer.exe)
  - File opened for modification C:\Windows\SysWOW64\explorer.exe (svchost.exe)
  The target here is the real 32-bit explorer.exe under SysWOW64, not the dropped copy in C:\Windows\Resources\Themes. The report records only that the file was opened with write access, not what (if anything) was written, so compare that file's hash against a known-good copy when triaging a host.
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes: 1976 b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe, 1396 explorer.exe, 372 spoolsv.exe, 4296 svchost.exe, 1132 spoolsv.exe
  NtSetInformationThread with ThreadHideFromDebugger (0x11) stops the calling thread from delivering debug events to an attached debugger. It is a standard Themida anti-debug step, which is why every copy of the packed image triggers it.
- Drops file in Windows directory (4 IoCs)
Processes: b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe, explorer.exe, spoolsv.exe
  - File opened for modification \??\c:\windows\resources\themes\explorer.exe (b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe)
  - File opened for modification \??\c:\windows\resources\spoolsv.exe (explorer.exe)
  - File opened for modification \??\c:\windows\resources\svchost.exe (spoolsv.exe)
  - File opened for modification C:\Windows\Resources\tjud.exe (explorer.exe)
  Each stage writes the next one (sample -> explorer.exe -> spoolsv.exe -> svchost.exe). tjud.exe is written by explorer.exe but never appears in the process tree below.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 1976 b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe (34 events), 1396 explorer.exe (30 events)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: 1396 explorer.exe, 4296 svchost.exe
- Suspicious use of SetWindowsHookEx (10 IoCs)
Processes: 1976 b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe (2), 1396 explorer.exe (2), 372 spoolsv.exe (2), 4296 svchost.exe (2), 1132 spoolsv.exe (2)
- Suspicious use of WriteProcessMemory (12 IoCs)
Processes: b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe, explorer.exe, spoolsv.exe, svchost.exe
  - PID 1976 b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe wrote to memory of PID 1396 explorer.exe (3 writes)
  - PID 1396 explorer.exe wrote to memory of PID 372 spoolsv.exe (3 writes)
  - PID 372 spoolsv.exe wrote to memory of PID 4296 svchost.exe (3 writes)
  - PID 4296 svchost.exe wrote to memory of PID 1132 spoolsv.exe (3 writes)
  Each parent writes only into the child it has just spawned, the same links as the process tree below. That pattern is consistent with ordinary process creation and does not by itself show injection into an unrelated process.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe, command line "C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1976
- [2] \??\c:\windows\resources\themes\explorer.exe, command line c:\windows\resources\themes\explorer.exe (child of PID 1976)
- Modifies visibility of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1396
- [3] \??\c:\windows\resources\spoolsv.exe, command line c:\windows\resources\spoolsv.exe SE (child of PID 1396)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 372
- [4] \??\c:\windows\resources\svchost.exe, command line c:\windows\resources\svchost.exe (child of PID 372)
- Modifies visibility of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4296
- [5] \??\c:\windows\resources\spoolsv.exe, command line c:\windows\resources\spoolsv.exe PR (child of PID 4296)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID: 1132
The stages are told apart by a two-letter switch: explorer.exe and svchost.exe run with no argument when spawned in-chain and with RO from the RunOnce values, while spoolsv.exe runs with SE when launched by explorer.exe and with PR when launched by svchost.exe.
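Detection logic for the behaviours recorded above, as an added example that is not part of the Triage report or of the sample: a small Python matcher run over a handful of Sysmon-style events constructed from the IoCs on this page. The event dicts (type/image/parent/target/details/op keys) are a simplified stand-in for Sysmon process-create, file-create and registry events, the SAMPLE_EVENTS list is constructed rather than real log output, and the final services.exe -> svchost.exe event is a made-up benign control. It flags the system-binary names running from c:\windows\resources, the chain of one fake binary spawning the next, the WOW6432Node RunOnce persistence, ShowSuperHidden = 0, the VirtualBox and BIOS registry reads, and the write access to the real SysWOW64\explorer.exe.

```python
"""Match the behaviours in this report against Sysmon-style events.

Added example: indicators come from the report above; event dicts are a
simplified stand-in for Sysmon process-create (EID 1), file-create (EID 11)
and registry (EID 12/13) events, and SAMPLE_EVENTS is constructed, not real
log output.
"""
import ntpath
import re

# Indicators taken from the report (paths are compared lower-cased).
DROP_DIR = r"c:\windows\resources"
RUNONCE_RE = re.compile(r"\\currentversion\\runonce\\(explorer|svchost)$")
SHOWSUPERHIDDEN_RE = re.compile(r"\\explorer\\advanced\\showsuperhidden$")
ANTI_VM_RE = re.compile(
    r"\\hardware\\(acpi\\dsdt\\vbox__|description\\system\\(system|video)biosversion)$"
)
# Where the genuine binaries of these names live on 64-bit Windows 10.
LEGIT_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}


def norm(path: str) -> str:
    """Lower-case and strip the \\??\\ NT object-manager prefix used in the report."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p


def masquerading(image: str) -> bool:
    """True when a well-known system binary name runs from a non-standard directory."""
    image = norm(image)
    name = ntpath.basename(image)
    return name in LEGIT_DIRS and ntpath.dirname(image) not in LEGIT_DIRS[name]


def analyze(events):
    """Return (severity, finding) tuples for a list of event dicts."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image, parent = norm(ev["image"]), norm(ev.get("parent", ""))
            if masquerading(image):
                findings.append(("high", f"masquerading system binary: {image}"))
                if masquerading(parent):  # one fake stage spawning the next
                    findings.append(("high", f"masquerade chain: "
                                     f"{ntpath.basename(parent)} -> {ntpath.basename(image)}"))
        elif ev["type"] == "registry":
            target = norm(ev["target"])
            if RUNONCE_RE.search(target) and DROP_DIR in norm(ev["details"]):
                findings.append(("high", f"RunOnce persistence into {DROP_DIR}: {ev['details']}"))
            elif SHOWSUPERHIDDEN_RE.search(target) and ev["details"].strip('"') == "0":
                findings.append(("medium", "ShowSuperHidden set to 0 (Explorer hides system files)"))
            elif ev.get("op") == "query" and ANTI_VM_RE.search(target):
                findings.append(("low", f"VM/sandbox fingerprinting read: {target}"))
        elif ev["type"] == "file":
            target = norm(ev["target"])
            name, directory = ntpath.basename(target), ntpath.dirname(target)
            if directory.startswith(DROP_DIR) and name.endswith(".exe"):
                findings.append(("high", f"executable written under {DROP_DIR}: {target}"))
            elif name in LEGIT_DIRS and directory in LEGIT_DIRS[name]:
                findings.append(("high", f"system binary opened for modification: {target}"))
    return findings


SAMPLE = "b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe"
SAMPLE_PATH = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE)
USER_ADVANCED = (r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000"
                 r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced")
# Constructed from the report's process tree and IoCs; not real log output.
SAMPLE_EVENTS = [
    {"type": "process", "image": SAMPLE_PATH},
    {"type": "file", "target": r"\??\c:\windows\resources\themes\explorer.exe"},
    {"type": "process", "image": r"\??\c:\windows\resources\themes\explorer.exe", "parent": SAMPLE_PATH},
    {"type": "registry", "op": "set",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
     "details": r"c:\windows\resources\themes\explorer.exe RO"},
    {"type": "registry", "op": "set", "target": USER_ADVANCED + r"\ShowSuperHidden", "details": "0"},
    {"type": "registry", "op": "query", "target": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "details": ""},
    {"type": "process", "image": r"\??\c:\windows\resources\spoolsv.exe",
     "parent": r"\??\c:\windows\resources\themes\explorer.exe"},
    {"type": "file", "target": r"C:\Windows\SysWOW64\explorer.exe"},
    # Benign control (made up): a real svchost.exe started by services.exe must not fire.
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe"},
]


def run_sample():
    """Run the matcher over the constructed events."""
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
```

The masquerade check keys on basename plus directory rather than on c:\windows\resources alone, so it would also catch the same binaries dropped elsewhere; the RunOnce check deliberately requires the value to point into the drop directory so that legitimate installer RunOnce entries do not fire.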
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (2)
  - Virtualization/Sandbox Evasion (1)
Downloads
- Filesize: 2.5MB
  MD5: fd583de1d7a1f183ec2e67762726000e
  SHA1: b8b86524c244d7618be1332a0ff884ae13645d40
  SHA256: 65ffa68e274aae8ae88206f9f8f6f53071247284e204eacd8c04a56de395c251
  SHA512: 7e846ccdb412dae24c722aae2228985321f29d7ecf6e63815adf56a013d658c4c1dc7339a147175bf71eadc4e6adc886fd1cec8a059c3b1caeb8997d83dbca87
- Filesize: 2.5MB
  MD5: 72f4b2b6a90b66ac4026fa76532c3da4
  SHA1: 79e10294c6a0b3a9c6a7bb62f3968f781279ba9f
  SHA256: 5cfa8884af006765bace66813902726c76433c30dc1b33b8028e61f50939cc89
  SHA512: 3e911bafdcf486c85818caf62504bd16db9a390e4aa09379ea3bb1d5a41eb0f61b66ee3d0739c1598df1705e2b29ee5530a28b1586838f2f6d93bd660e95b204
- Filesize: 2.5MB
  MD5: ac971bd91a9b9de47588572d8dfd2e4c
  SHA1: a933d9cd61c7846c201eeecaa110e33fd39abf68
  SHA256: f5c5fb06d996703b41a1857f45ed02d4059ca1f7e80625e81a23377a6c23e3ac
  SHA512: 73184ad94016a65a7320b9fae66d777980a9f5c888ab8830b5bbc0004262f991ddf88b92f11f7e488c4c3d00ea499fe4f48668d01acc9651a6cd92bc45fc08f6
The page does not associate these three files with paths. None of their hashes matches the submitted sample, so they are not byte-identical copies of it; hunting by the sample's hash alone will miss them.