c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459

Analysis

max time kernel
150s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 03:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
Size

135KB
MD5

a28069762c6919fdc788c858bfb72c4f
SHA1

24b384d2327ca62287be533b6608abcc040c1c05
SHA256

c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459
SHA512

7cfe0274f2b5487d1a396d593436e17e7ac5e73ed8289b2b4599f99323f3380868ae9bec193e98924ee9573a4d7deb104270bedad1435927903ad45ccadc28fa
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVhnWuIb:UVqoCl/YgjxEufVU0TbTyDDalrrA

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1448	explorer.exe
2996	spoolsv.exe
2988	svchost.exe
1280	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe
1448	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1448	explorer.exe
2988	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
1448	explorer.exe
1448	explorer.exe
2996	spoolsv.exe
2996	spoolsv.exe
2988	svchost.exe
2988	svchost.exe
1280	spoolsv.exe
1280	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1448	1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe	82
PID 1632 wrote to memory of 1448	1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe	82
PID 1632 wrote to memory of 1448	1632	c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe	82
PID 1448 wrote to memory of 2996	1448	explorer.exe	83
PID 1448 wrote to memory of 2996	1448	explorer.exe	83
PID 1448 wrote to memory of 2996	1448	explorer.exe	83
PID 2996 wrote to memory of 2988	2996	spoolsv.exe	85
PID 2996 wrote to memory of 2988	2996	spoolsv.exe	85
PID 2996 wrote to memory of 2988	2996	spoolsv.exe	85
PID 2988 wrote to memory of 1280	2988	svchost.exe	86
PID 2988 wrote to memory of 1280	2988	svchost.exe	86
PID 2988 wrote to memory of 1280	2988	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe
"C:\Users\Admin\AppData\Local\Temp\c216f2f3c3c44fc8f90cffdd760ed16b6af0b108a6d6ba852dc2b51fbc9c0459.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1448
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2988
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
23387d666c0f7e423562b387ffdc3d59

SHA1
c8585ae571a97eaf436c1b94f291e38978157507

SHA256
4c7611ed72aa9d0912548c3002c989ff0dc384b7db8f3221291e0d3bc9a70d9b

SHA512
647baa4f267ad9d210481928d6acabe45a9ba1a3b780bd4c21051a6a1218df0a78b96c48480ea48c2abee1d68ccf68ed6279c2cc393a840a4fc33953d14cfc67

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
3a7ad1fb2303a7d31fe778af51b0a529

SHA1
a6381c74b586a12af25f4e730f33f9cb85c5502a

SHA256
788795c11c64a74d0b78d7e32f3716908f16ecdde2ce140e2a7ed35382ee5a7e

SHA512
6e738b71483d8ce876e8641d739a65ee4cd2f0c97194d0b9882fe6e3bbec4de082e8e6f836ec65ff63edb11ea341ab538292f12636ceee29dd5bc720448d1007

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
409b6438806c16c5f17ab88810ec1615

SHA1
b34dd1fcd8344857176926391734769ddce98eb1

SHA256
bb412d8329d58111aa1115a0027af265d309d6744fa7e3166e396bcf67926695

SHA512
a2d649fdd8a12be6a7ee8911057684849266969747de823399e0cf360c5030797e7ab3ef02c58dd237e6a85598b9b3bccdc41f0115576efeaab4c2f3841ad902

Download Submit
memory/1280-29-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1632-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1632-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2996-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download