8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
Size

741KB
MD5

ee3bd9dc7ac6feb087730c22374966d6
SHA1

5bf8a12317824bd84e7f5b2b37704ba61a2608ac
SHA256

8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192
SHA512

4ff97feeb35e055680df9c9576b06b3dd5c426140a74c05abb57d303de76145df85c3cef3660fdad12efb5a59e3ebfe9a555edcd4a14d89aaeeea72e5600123a
SSDEEP

12288:ltTuhrf45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1FZ:lIt4kt0Kd6F6CNzYhUiEWEYcwh

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3044	explorer.exe
1620	spoolsv.exe
2616	svchost.exe
2060	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3044	explorer.exe
1620	spoolsv.exe
2616	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

pid	Process
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3044	explorer.exe
1620	spoolsv.exe
2616	svchost.exe
2060	spoolsv.exe
2616	svchost.exe
3044	explorer.exe
2616	svchost.exe
3044	explorer.exe
2616	svchost.exe
3044	explorer.exe
2616	svchost.exe
3044	explorer.exe
2616	svchost.exe
3044	explorer.exe
2616	svchost.exe
3044	explorer.exe
2616	svchost.exe
3044	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2428	schtasks.exe
1048	schtasks.exe
2220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
1620	spoolsv.exe
1620	spoolsv.exe
1620	spoolsv.exe
1620	spoolsv.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3044	explorer.exe
2616	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
1620	spoolsv.exe
1620	spoolsv.exe
1620	spoolsv.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2060	spoolsv.exe
2060	spoolsv.exe
2060	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 3044	348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe	28
PID 348 wrote to memory of 3044	348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe	28
PID 348 wrote to memory of 3044	348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe	28
PID 348 wrote to memory of 3044	348	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe	28
PID 3044 wrote to memory of 1620	3044	explorer.exe	29
PID 3044 wrote to memory of 1620	3044	explorer.exe	29
PID 3044 wrote to memory of 1620	3044	explorer.exe	29
PID 3044 wrote to memory of 1620	3044	explorer.exe	29
PID 1620 wrote to memory of 2616	1620	spoolsv.exe	30
PID 1620 wrote to memory of 2616	1620	spoolsv.exe	30
PID 1620 wrote to memory of 2616	1620	spoolsv.exe	30
PID 1620 wrote to memory of 2616	1620	spoolsv.exe	30
PID 2616 wrote to memory of 2060	2616	svchost.exe	31
PID 2616 wrote to memory of 2060	2616	svchost.exe	31
PID 2616 wrote to memory of 2060	2616	svchost.exe	31
PID 2616 wrote to memory of 2060	2616	svchost.exe	31
PID 3044 wrote to memory of 2512	3044	explorer.exe	32
PID 3044 wrote to memory of 2512	3044	explorer.exe	32
PID 3044 wrote to memory of 2512	3044	explorer.exe	32
PID 3044 wrote to memory of 2512	3044	explorer.exe	32
PID 2616 wrote to memory of 2428	2616	svchost.exe	33
PID 2616 wrote to memory of 2428	2616	svchost.exe	33
PID 2616 wrote to memory of 2428	2616	svchost.exe	33
PID 2616 wrote to memory of 2428	2616	svchost.exe	33
PID 2616 wrote to memory of 1048	2616	svchost.exe	38
PID 2616 wrote to memory of 1048	2616	svchost.exe	38
PID 2616 wrote to memory of 1048	2616	svchost.exe	38
PID 2616 wrote to memory of 1048	2616	svchost.exe	38
PID 2616 wrote to memory of 2220	2616	svchost.exe	40
PID 2616 wrote to memory of 2220	2616	svchost.exe	40
PID 2616 wrote to memory of 2220	2616	svchost.exe	40
PID 2616 wrote to memory of 2220	2616	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
"C:\Users\Admin\AppData\Local\Temp\8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:348
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3044
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2616
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2060
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:15 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2428
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:16 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1048
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:17 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2220
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
741KB

MD5
998c86a1fa8dafb111edee5ce941d730

SHA1
6ded146675cae423d4ff16c34fab3322b5662003

SHA256
9b73b8210d5bd12beb019625ba09a9d2c81e1773ec4c37a24f45906ac7d8feb6

SHA512
d51247bc39c40df49ee96591f8794c739657367e6883ac96f13fd7a9047ad3d38d84158c397baf6c533f8b46b0a21e1838d92aba03dd6fea3247dbcba1ea38f3

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
741KB

MD5
92b4d51ce378269d4f4fabdddbcb43a0

SHA1
92126f47f25313896c928e0dcf076291c693f29e

SHA256
8cbd3c0b6150fd6d871720cf247b63523a32ca5b0b16fdaef0e8fcbe77cf1882

SHA512
ddd576d4cd347a344d259716cf8910ecdb07cb06c0392910d65834d723185b20cc0cb50aafe7bc10a3fee2ca9439c76702e06be18b6cfb084ef96e646c84711d

Download Submit
\Windows\Resources\svchost.exe

Filesize
741KB

MD5
dce3c44a853ac5eb3bc538bfdc1ef97b

SHA1
31037316c440d0fd9f58d0a71c3afcb77398c435

SHA256
295a16099f4f1b290a21dbda53600a48d0a82bc17c0f5d25a056d7872ef7b8cd

SHA512
3148a9361536ab06b04246c65b43cf58e00594858502c049116005b17e9a536d67f628f4f698819cf1a0e719995d8bc810bab8dbf6f6cbec233ff2e65b37f424

Download Submit
memory/348-0-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/348-48-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/348-47-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1620-46-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2060-39-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2060-44-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2616-63-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2616-55-0x0000000003790000-0x0000000003B02000-memory.dmp

Filesize
3.4MB

Download
memory/2616-31-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2616-73-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2616-50-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2616-69-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2616-52-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2616-37-0x0000000003790000-0x0000000003B02000-memory.dmp

Filesize
3.4MB

Download
memory/3044-62-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3044-58-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3044-60-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3044-53-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3044-10-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3044-64-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3044-68-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3044-51-0x0000000003CF0000-0x0000000004062000-memory.dmp

Filesize
3.4MB

Download
memory/3044-70-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3044-49-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3044-74-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3044-76-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3044-78-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download