aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a

Analysis

max time kernel
150s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
Size

741KB
MD5

296d46df103012c3bb0c64bd262b532e
SHA1

8409505d00f4356a257ada95e3991a0c828522f7
SHA256

aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a
SHA512

1145936f13795b1a549dda2d9f60ef84d131db71db59dbb04710db4cf6f2ee252c0559027b8d895fed0993ae5335e49701768f80e22cd979f507b8209b5aa72a
SSDEEP

12288:ltTuhrf45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1Fj:lIt4kt0Kd6F6CNzYhUiEWEYcwb

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
228	explorer.exe
3136	spoolsv.exe
1804	svchost.exe
1228	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
228	explorer.exe
3136	spoolsv.exe
1804	svchost.exe
1228	spoolsv.exe
228	explorer.exe
1804	svchost.exe
228	explorer.exe
1804	svchost.exe
228	explorer.exe
1804	svchost.exe
228	explorer.exe
1804	svchost.exe
228	explorer.exe
1804	svchost.exe
228	explorer.exe
1804	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
228	explorer.exe
1804	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
228	explorer.exe
228	explorer.exe
228	explorer.exe
3136	spoolsv.exe
3136	spoolsv.exe
3136	spoolsv.exe
1804	svchost.exe
1804	svchost.exe
1804	svchost.exe
1228	spoolsv.exe
1228	spoolsv.exe
1228	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 228	3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe	81
PID 3624 wrote to memory of 228	3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe	81
PID 3624 wrote to memory of 228	3624	aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe	81
PID 228 wrote to memory of 3136	228	explorer.exe	82
PID 228 wrote to memory of 3136	228	explorer.exe	82
PID 228 wrote to memory of 3136	228	explorer.exe	82
PID 3136 wrote to memory of 1804	3136	spoolsv.exe	83
PID 3136 wrote to memory of 1804	3136	spoolsv.exe	83
PID 3136 wrote to memory of 1804	3136	spoolsv.exe	83
PID 1804 wrote to memory of 1228	1804	svchost.exe	84
PID 1804 wrote to memory of 1228	1804	svchost.exe	84
PID 1804 wrote to memory of 1228	1804	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe
"C:\Users\Admin\AppData\Local\Temp\aaddcb0a5d7993bd1da7b9e5d999c72984ef571d5cd1269087e5fc6210c60a7a.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3624
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:228
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1804
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
741KB

MD5
cd78bfdf2bf6678bf518c43cbb424276

SHA1
d735fffdef758a6c80787af352db9ae6bf6f8b16

SHA256
71bd37fa79a53bf78a4213da521a0cf4bc6ac13d2ca1011c60e449406a9b4938

SHA512
f51eb67b44f14bf486d815ebeb0df4c77cc980c5835f65d23aab8f4cede15d3d13cd5029d2f134ca0b76d730837311fd1c334209e1f494f25dfbd50cbe002c58

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
741KB

MD5
f9b9cdc3d429fafd3a0204af503ab765

SHA1
eb7133e94bab9e2470fbddc5c469c92169ca19bd

SHA256
320840b275908973112f882cc5d2b2ce3fdfb8372db34243849a6aeec0d6577e

SHA512
02708342c21a7f74afa17497fdf6f551466e6431418216d1f4ccd080a45ba594818a92b6b7716c815cd161eae297ca877590b07a9a38eb3816d043b868958d64

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
741KB

MD5
43a413b6b69075d87e78116d50d214a4

SHA1
13d02e5fd4fa24e1fa508e9ec2d0b80f0a585160

SHA256
db1fa6b4efec2862907aa5e8e28ab8dbc6c597a3f2f2ccaa7826de56f006a21d

SHA512
fb514e45ede162f8664b59359b7cfb8377215733aaf99b687a363a5114becbe9ce3533c3509acb637fac6cd736fb21cbf3a86a0546c286d614b99dbfdb7a4353

Download Submit
memory/228-54-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/228-46-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/228-64-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/228-58-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/228-9-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/228-40-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/228-50-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1228-31-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1228-36-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1804-57-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1804-41-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1804-51-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1804-61-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1804-26-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3136-38-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3624-0-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3624-39-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download