Analysis
  max time kernel: 150s
  max time network: 49s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 03-07-2024 05:15
Static task: static1
Behavioral task: behavioral1
  Sample: fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092.exe
  Resource: win10v2004-20240508-en
General
  Target: fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092.exe
  Size: 741KB
  MD5: 537eb8efffe8d1e0f927d0dad1d6e799
  SHA1: b05e25a73a915c7221302b8887047145042d8b5e
  SHA256: fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092
  SHA512: f20c9c932bdeeba201351c7f15bdd4d6540f2d58bd312395c6c46863971fa10194b78e922250c2131b16a7e904a730abbdb01393a816970ab9d88acb5bc7e399
  SSDEEP: 12288:ltTuhrf45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1FL:lIt4kt0Kd6F6CNzYhUiEWEYcwD
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  1912 | explorer.exe
  4432 | spoolsv.exe
  4272 | svchost.exe
  220 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs; repeated explorer.exe and svchost.exe hits collapsed)
  pid | Process
  3776 | fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092.exe
  1912 | explorer.exe (repeated)
  4432 | spoolsv.exe
  4272 | svchost.exe (repeated)
  220 | spoolsv.exe
Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs, all from the two PIDs below; repeated hits collapsed)
  pid | Process
  3776 | fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092.exe (repeated)
  1912 | explorer.exe (repeated)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  4272 | svchost.exe
  1912 | explorer.exe
Suspicious use of SetWindowsHookEx (15 IoCs, 3 hits per process)
  pid | Process
  3776 | fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092.exe
  1912 | explorer.exe
  4432 | spoolsv.exe
  4272 | svchost.exe
  220 | spoolsv.exe
Suspicious use of WriteProcessMemory (12 IoCs, 3 hits per row)
  description | pid | Process | procid_target
  PID 3776 wrote to memory of 1912 | 3776 | fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092.exe | 80
  PID 1912 wrote to memory of 4432 | 1912 | explorer.exe | 81
  PID 4432 wrote to memory of 4272 | 4432 | spoolsv.exe | 82
  PID 4272 wrote to memory of 220 | 4272 | svchost.exe | 83
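The signatures above describe three things a defender can match on a live host or in an event pipeline: RunOnce values pointing at copies of the sample under c:\windows\resources\, the per-user ShowSuperHidden value being forced to 0 (Explorer stops showing protected operating-system files), and executables named explorer.exe, svchost.exe and spoolsv.exe being written to and run from directories where Windows never ships them. Two details are worth reading out of the IoCs: the WOW6432Node path means a 32-bit process wrote the value on 64-bit Windows, and RunOnce values are deleted by Windows once they have been processed, so persistence through RunOnce only survives if the payload rewrites the value on every run, which is consistent with both explorer.exe and svchost.exe setting the same two values. The Python below is an added example, not part of the sandbox report: it encodes those checks as rules and runs them over a handful of constructed records shaped like Sysmon events 1, 11 and 13. The registry paths, value data and file paths are taken from the report; the Sysmon field names, the PIDs, the list of "legitimate" directories per binary name and the benign records are assumptions.

```python
"""Host-side checks for the behaviour listed in the signatures above.

Added example (not part of the sandbox report).  The records at the bottom
are constructed to resemble Sysmon events 1 (process create), 11 (file
create) and 13 (registry value set); paths, value names and data come from
the report, the field layout and benign records are assumed."""
from __future__ import annotations

import ntpath
import re

# Registry locations from the report's "Adds Run key" and "Modifies
# visibility of hidden/system files" signatures (matched case-insensitively).
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
SHOW_SUPER_HIDDEN = "\\explorer\\advanced\\showsuperhidden"
# Directory the sample drops its copies into ("Drops file in Windows directory").
DROP_DIR = "c:\\windows\\resources\\"
# Names the sample reuses, with the directories a genuine copy lives in on a
# default x64 install (assumption; extend for your own image).
SYSTEM_BINARIES = {
    "explorer.exe": {"c:\\windows", "c:\\windows\\syswow64"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "spoolsv.exe": {"c:\\windows\\system32"},
}


def norm_path(path: str) -> str:
    """Lower-case, drop surrounding quotes and the \\??\\ NT object prefix."""
    return path.strip().strip('"').lower().removeprefix("\\??\\")


def masquerade_reason(image: str) -> str | None:
    """Non-None when `image` carries a system binary's name but lives elsewhere."""
    image = norm_path(image)
    name = ntpath.basename(image)
    allowed = SYSTEM_BINARIES.get(name)
    if allowed is None or ntpath.dirname(image) in allowed:
        return None
    return f"{name} outside its normal location: {image}"


def command_image(command: str) -> str:
    """Executable part of a Run-key command: quoted path, or text before the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def dword(details: str) -> int | None:
    """Parse Sysmon's 'DWORD (0x00000000)' rendering of a REG_DWORD value."""
    m = re.search(r"0x([0-9a-f]+)", details.lower())
    return int(m.group(1), 16) if m else None


def check_event(ev: dict) -> list[str]:
    """Return the reasons (possibly none) why one event is suspicious."""
    hits: list[str] = []
    if reason := masquerade_reason(ev.get("Image", "")):
        hits.append("image " + reason)
    if ev["EventID"] == 13:
        target = ev["TargetObject"].lower()
        if any(marker in target for marker in RUN_KEY_MARKERS):
            exe = command_image(ev["Details"])
            if norm_path(exe).startswith(DROP_DIR) or masquerade_reason(exe):
                value_name = ev["TargetObject"].rsplit("\\", 1)[-1]
                hits.append(f"autorun value {value_name} -> {exe}")
        elif target.endswith(SHOW_SUPER_HIDDEN) and dword(ev["Details"]) == 0:
            hits.append("ShowSuperHidden set to 0: protected OS files hidden in Explorer")
    elif ev["EventID"] == 11:
        fname = norm_path(ev["TargetFilename"])
        if fname.endswith(".exe") and (fname.startswith(DROP_DIR) or masquerade_reason(fname)):
            hits.append(f"executable written to {fname}")
    elif ev["EventID"] == 1:
        if reason := masquerade_reason(ev.get("ParentImage", "")):
            hits.append("parent " + reason)
    return hits


def scan(events: list[dict]) -> list[tuple[int, str, list[str]]]:
    """(EventID, Image, reasons) for every event that triggers at least one rule."""
    return [(ev["EventID"], ev["Image"], hits) for ev in events if (hits := check_event(ev))]


# Constructed records (not real telemetry); values mirror the report's IoCs.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092.exe"
USER_HIVE = "HKU\\S-1-5-21-1337824034-2731376981-3755436523-1000"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": "\\??\\c:\\windows\\resources\\themes\\explorer.exe"},
    {"EventID": 1, "Image": "c:\\windows\\resources\\themes\\explorer.exe", "ParentImage": SAMPLE,
     "CommandLine": "c:\\windows\\resources\\themes\\explorer.exe"},
    {"EventID": 13, "Image": "c:\\windows\\resources\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Explorer",
     "Details": "c:\\windows\\resources\\themes\\explorer.exe RO"},
    {"EventID": 13, "Image": "c:\\windows\\resources\\themes\\explorer.exe",
     "TargetObject": USER_HIVE + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
    # Benign: the real Explorer changing a view setting, and a real svchost starting.
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": USER_HIVE + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for event_id, image, reasons in scan(SAMPLE_EVENTS):
        print(event_id, image, "; ".join(reasons))
```

Run as a script it reports the four constructed malicious records and stays silent on the two benign ones. The location check is deliberately a set of exact directories rather than a prefix match, because a prefix such as c:\windows\ would also accept c:\windows\resources\, which is exactly where this sample hides its copies.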
Processes
  C:\Users\Admin\AppData\Local\Temp\fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092.exe (depth 1, PID 3776)
    command line: "C:\Users\Admin\AppData\Local\Temp\fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\resources\themes\explorer.exe (depth 2, PID 1912)
      command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\resources\spoolsv.exe (depth 3, PID 4432)
        command line: c:\windows\resources\spoolsv.exe SE
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\svchost.exe (depth 4, PID 4272)
          command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          \??\c:\windows\resources\spoolsv.exe (depth 5, PID 220)
            command line: c:\windows\resources\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize: 741KB
    MD5: 455d0f02a1c75dc6f28d00f74d70be7b
    SHA1: 889df61432d534f812c497dac5cb8951eedf90fc
    SHA256: 113d37db9cefada6e929bb043ab1a840e2fbeda455b11b82ad013263116cdc3f
    SHA512: afcd1ed00e011e5a7cbadac5e135a873a013b804fd0b2404738e608cba490016248cb6332333b0dee3ff4dfdf7c524acd3327c55c72d1dbd487c529dd71cf801
  File 2
    Filesize: 741KB
    MD5: d6ec3e592b3cea9c9d252c5e3a4bf179
    SHA1: 349ba883b0da31b82332a594bc524fdc17fc26b8
    SHA256: 28608d7437b954354d298383ed48b94c9bd89cfb5e2133e7eafd016f98df518e
    SHA512: 6b253709dfc7704e945f3231414f72c204c3dbf11c0ae86f6f4c22a1750aa6911c9e47db44c4f0e4cf3e8c10dfe43a0f0966e181d9e70c965c2c41276a436d82
  File 3
    Filesize: 741KB
    MD5: 5cb868ef658a0c8aaa8b155d33d77635
    SHA1: c684c563bd31074a3505b509c8856786acb8eb23
    SHA256: 3dcc3dc214360286b5b12af15711e175b152f2fdc5a06e828abfd02f94a422ce
    SHA512: 086750c0538e68125006472c227b40905ba297be80467b545c6e6db7cea1f3a572e95f2e73128d914ee9e951e945d90161cec29ccebbb075bc426a2629f68142