8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
Size

741KB
MD5

ee3bd9dc7ac6feb087730c22374966d6
SHA1

5bf8a12317824bd84e7f5b2b37704ba61a2608ac
SHA256

8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192
SHA512

4ff97feeb35e055680df9c9576b06b3dd5c426140a74c05abb57d303de76145df85c3cef3660fdad12efb5a59e3ebfe9a555edcd4a14d89aaeeea72e5600123a
SSDEEP

12288:ltTuhrf45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1FZ:lIt4kt0Kd6F6CNzYhUiEWEYcwh

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3540	explorer.exe
2588	spoolsv.exe
552	svchost.exe
4452	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3540	explorer.exe
2588	spoolsv.exe
552	svchost.exe
4452	spoolsv.exe
3540	explorer.exe
552	svchost.exe
3540	explorer.exe
552	svchost.exe
3540	explorer.exe
552	svchost.exe
3540	explorer.exe
552	svchost.exe
3540	explorer.exe
552	svchost.exe
3540	explorer.exe
552	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3540	explorer.exe
552	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
2588	spoolsv.exe
2588	spoolsv.exe
2588	spoolsv.exe
552	svchost.exe
552	svchost.exe
552	svchost.exe
4452	spoolsv.exe
4452	spoolsv.exe
4452	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 3540	3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe	88
PID 3276 wrote to memory of 3540	3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe	88
PID 3276 wrote to memory of 3540	3276	8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe	88
PID 3540 wrote to memory of 2588	3540	explorer.exe	89
PID 3540 wrote to memory of 2588	3540	explorer.exe	89
PID 3540 wrote to memory of 2588	3540	explorer.exe	89
PID 2588 wrote to memory of 552	2588	spoolsv.exe	90
PID 2588 wrote to memory of 552	2588	spoolsv.exe	90
PID 2588 wrote to memory of 552	2588	spoolsv.exe	90
PID 552 wrote to memory of 4452	552	svchost.exe	91
PID 552 wrote to memory of 4452	552	svchost.exe	91
PID 552 wrote to memory of 4452	552	svchost.exe	91

C:\Users\Admin\AppData\Local\Temp\8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe
"C:\Users\Admin\AppData\Local\Temp\8321baeba68ac10e41e11010c95b13f9fb4c1420bf80b9629b65bcd223f52192.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3276
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3540
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:552
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4172,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
1⤵
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
742KB

MD5
cdf808762d7fed65b3d6d6a14bab3703

SHA1
a4055a6cde081a1c79cc81a42bbe9cc1841e8b1b

SHA256
1abf6a74a8ff0cfc12a5b0d908b3c419b52e5105f637838b9515c35fe8a15a7d

SHA512
f7e0b9b5eefe75faefbea4430d2203e8180c3179cc4f4c701faeccf4ee0065826808203db0f998c1dc26dae70820b0bb9cdfc0e72c97aaa6661047381520a3f0

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
741KB

MD5
7e63ccf31e735d4a865b73c0db5faef2

SHA1
508fd78598fe098e4df107b5a3257290ce96037a

SHA256
4d66d8f70d0891e7c164a462dfe91650f09cad84bcc1931c68c4468bc964b641

SHA512
7003f3ab45ecd71b891e29eee9f939b4ba77da1aeb78a44ba7e0773997065ac1bbd5fe53d2a8d4ceacbfa4f173cc0c6402a464a8fb234ee4b266229acfc95f8c

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
741KB

MD5
09a3bf14e9840574d029d47b8ca2df36

SHA1
945b12217ea88506b78a0aec017289bd3a183817

SHA256
340d1afa7e2bcbe29d60234fc36f7276db3b1b6deeb91d31f376761a60f394bf

SHA512
5c7f06776cb9ccd34a4b719483995fcc978d1fdc8ba5849247b9a4cb441b35115b02cf8c3ab4b245ffcfcc2730989a52cbb6543335a9b263830792112537144c

Download Submit
memory/552-50-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/552-44-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/552-40-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2588-17-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2588-37-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3276-38-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3276-0-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3540-39-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3540-43-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3540-45-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3540-47-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3540-51-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3540-53-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3540-57-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3540-61-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/4452-35-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/4452-30-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download