Malware Analysis Report

2024-11-16 10:49

Sample ID 240614-can5js1bpd
Target 9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0
SHA256 9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0
Tags
upx evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0

Threat Level: Known bad

The file 9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0 was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence

Modifies visibility of hidden/system files in Explorer

UPX dump on OEP (original entry point)

Loads dropped DLL

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:52

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:52

Reported

2024-06-14 01:55

Platform

win7-20240611-en

Max time kernel

150s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe | N/A
File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A
File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1808 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe | \??\c:\windows\resources\themes\explorer.exe
PID 1808 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe | \??\c:\windows\resources\themes\explorer.exe
PID 1808 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe | \??\c:\windows\resources\themes\explorer.exe
PID 1808 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe | \??\c:\windows\resources\themes\explorer.exe
PID 1648 wrote to memory of 2120 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 1648 wrote to memory of 2120 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 1648 wrote to memory of 2120 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 1648 wrote to memory of 2120 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 2120 wrote to memory of 2632 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2120 wrote to memory of 2632 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2120 wrote to memory of 2632 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2120 wrote to memory of 2632 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2632 wrote to memory of 2656 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2632 wrote to memory of 2656 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2632 wrote to memory of 2656 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2632 wrote to memory of 2656 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 1648 wrote to memory of 2648 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 1648 wrote to memory of 2648 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 1648 wrote to memory of 2648 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 1648 wrote to memory of 2648 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 2632 wrote to memory of 2492 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 2492 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 2492 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 2492 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 940 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 940 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 940 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 940 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 3044 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 3044 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 3044 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 3044 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe

"C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:54 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:55 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:56 /f

Network

N/A

Files

memory/1808-0-0x0000000000400000-0x0000000000422000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 59c594549c2ed5a879df0f6e60fde124
SHA1 89a41526e44b70a66bff54382841eb18ab12210c
SHA256 0ff324ee9b7c5f26ca322500844a77d80461562416f72b4efaa56d594756ad7b
SHA512 fa351cc2fc6d46e5cbd4115b9aad4c5ee6464e73c6b28a1bc72b0e443fd827d09da8d79cffc36c652e408e2087710c6fc9b6ce6814be0c794e1ee3a9f5460de5

memory/1808-12-0x00000000003D0000-0x00000000003F2000-memory.dmp

\Windows\Resources\spoolsv.exe

MD5 4b34156bb05786b1b1b520720c30697a
SHA1 9d56daec539aa838c545f642b385b0604cdbcb20
SHA256 f70d8639557efa0ba8a97e5ff7f945341129f802b24513bbaae980918b91708b
SHA512 44ec79a69d77cbc72ce5bc2acd9dad4ac32f054b9df025723d7779b7aa4080460a723ec9c30c949fd7cbe5ea2474fe04552c3baaf721e8ec65073becbf506acf

memory/1648-27-0x0000000000240000-0x0000000000262000-memory.dmp

memory/1648-23-0x0000000000240000-0x0000000000262000-memory.dmp

\Windows\Resources\svchost.exe

MD5 b263211febb34b9d070fdc91ed8214bb
SHA1 e9dd9db3b0acd0f0cd82c3df7a25967a14fde067
SHA256 63e82ef4dc132e48e4bce5303960428ac0e58b934eef29d48d89c37ea7bec7e2
SHA512 35d327880bf154620b603d0f4e5ca3d50a4a5659b7545f706cb58b9f6da6e6d97014255fa9786ad3eddffdb8e2fa0ac9e410dd591660ac74231fc73c01b9968c

memory/2656-53-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2120-55-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1808-57-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1648-58-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1648-59-0x0000000000240000-0x0000000000262000-memory.dmp

memory/2632-61-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1648-70-0x0000000000400000-0x0000000000422000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:52

Reported

2024-06-14 01:55

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe | N/A
File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A
File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3756 wrote to memory of 4120 | N/A | C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe | \??\c:\windows\resources\themes\explorer.exe
PID 3756 wrote to memory of 4120 | N/A | C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe | \??\c:\windows\resources\themes\explorer.exe
PID 3756 wrote to memory of 4120 | N/A | C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe | \??\c:\windows\resources\themes\explorer.exe
PID 4120 wrote to memory of 2596 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 4120 wrote to memory of 2596 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 4120 wrote to memory of 2596 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 2596 wrote to memory of 1656 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2596 wrote to memory of 1656 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2596 wrote to memory of 1656 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 1656 wrote to memory of 3024 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 1656 wrote to memory of 3024 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 1656 wrote to memory of 3024 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe

"C:\Users\Admin\AppData\Local\Temp\9ced60237e2f785a6c068a6a2a25b8c70f481f2faa7c8f82f41e66a6fea69de0.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Files

memory/3756-0-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 a54196a5f810c2d219feccafaae2f1ee
SHA1 208d5ba0263f1089c0973cad8f7c1eaa9f6753b7
SHA256 59a54efebff3a2951e1f9bde765ca5b7d45e53dc09e10e97e1fc95ab24350209
SHA512 26032cc372bca66944094c53ea94516d6dea7519e21faa2f4a5c1ac95204c25af7d4a2cee10e622cf588c209461a1560614d2a587f9ee3e45e7aecfbebcddb42

C:\Windows\Resources\spoolsv.exe

MD5 627e1597e306a089c1438dad80833244
SHA1 151c2cba6b30f3fc7d8989a9e9de4f4a3a7edefa
SHA256 27a0f2f4e16c341fa33b911c7538d570d7695d4f71d87942f9fb8b452a4351dd
SHA512 7eb0ef696c18d30f491941afbc86af0eea44f823d8032faa32cf08fb64e259d712ecf094096b0fcd34983ec1d6d70fc56560724db3b5c77d58bdf80b70474d31

C:\Windows\Resources\svchost.exe

MD5 f919796f299a8d728a40070deb9e94a0
SHA1 1c2ce20257875a23a5261320f696996510af797d
SHA256 894ef3a2ceeff5a4a5b79a127a3055dc3b2f69304481fc06b7406ae57ed1dc64
SHA512 8549744ade4cf38f06bbe02d4a588c5a3c99baef7ce0c0b38f86718c57bcd2eb9e7ec1aba37b72a4a9def69b85a3026208fe5b240b2e7f4d602a31491e2fa58d

memory/3024-29-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3024-34-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2596-36-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3756-37-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1656-39-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4120-38-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4120-48-0x0000000000400000-0x0000000000422000-memory.dmp