c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262

Analysis

max time kernel
150s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
Size

741KB
MD5

d0eae3535b6b0e9aa5acd3c4fcb248b3
SHA1

0343d67db96fb60246becbcabb615b82a78ca91d
SHA256

c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262
SHA512

a81b37b96d0e2e3345e22db90a5deeee845af3a970ef9075d625de9b7bf06c0951550369515c8c5af8c006957946b8cc1e0186c8eac13609782e944dedccb2a9
SSDEEP

12288:ltTuh645I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1Ff:lIg4kt0Kd6F6CNzYhUiEWEYcw3

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
628	explorer.exe
3708	spoolsv.exe
2060	svchost.exe
2460	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
628	explorer.exe
3708	spoolsv.exe
2060	svchost.exe
2460	spoolsv.exe
628	explorer.exe
2060	svchost.exe
628	explorer.exe
2060	svchost.exe
628	explorer.exe
2060	svchost.exe
628	explorer.exe
2060	svchost.exe
628	explorer.exe
2060	svchost.exe
628	explorer.exe
2060	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
628	explorer.exe
2060	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
3708	spoolsv.exe
3708	spoolsv.exe
3708	spoolsv.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2460	spoolsv.exe
2460	spoolsv.exe
2460	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 628	856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe	85
PID 856 wrote to memory of 628	856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe	85
PID 856 wrote to memory of 628	856	c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe	85
PID 628 wrote to memory of 3708	628	explorer.exe	87
PID 628 wrote to memory of 3708	628	explorer.exe	87
PID 628 wrote to memory of 3708	628	explorer.exe	87
PID 3708 wrote to memory of 2060	3708	spoolsv.exe	88
PID 3708 wrote to memory of 2060	3708	spoolsv.exe	88
PID 3708 wrote to memory of 2060	3708	spoolsv.exe	88
PID 2060 wrote to memory of 2460	2060	svchost.exe	89
PID 2060 wrote to memory of 2460	2060	svchost.exe	89
PID 2060 wrote to memory of 2460	2060	svchost.exe	89

C:\Users\Admin\AppData\Local\Temp\c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe
"C:\Users\Admin\AppData\Local\Temp\c3a96c90fde86766c39fd6589dc1b4e66b6af9ca9b052f279237f32801d6c262.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:628
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2060
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
741KB

MD5
7eeeef186cb13d9748dd223db8932522

SHA1
820e1aa2b8519ef7cf9bdf7336aa04557c308d54

SHA256
d32ad4244d529ab4215c39372ebddaf042867da6f305542ed6cc8935b6f993ef

SHA512
353227fe4a0aed00db26130b4e5348dd8c630e6683553663cb4ba7de83a2b356576179379e2f2c48d668d433006f5cea8952e14c47d3c3ce70cb06e20bb26bd5

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
741KB

MD5
847ce8e18f30025cf6d588e7d54cc98e

SHA1
a5908318ca6efd78d69957d3f8cc39e36a074bcb

SHA256
3c7ffd9e877d7489ddc8d6a408d47960b1eb7368c9ca1802ad278dd9445af6e8

SHA512
22263453fdfded6d1572970483eeb98b18f9e709f4a2656d4b5d53826ad89d0e01514611180497e3f9266af800d13b07b4ad98af4de362d85970250f5f2c0dc0

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
741KB

MD5
c5f68c490167dfee1f7d66b17c6b1baf

SHA1
fd1ca36b678ac7c5d172b1fed1e408994a8ba466

SHA256
7a2529ea7c3bbbfe9f6e09631d555b37b0ff4447d4e1bb4f4cf46f8fd58df1dd

SHA512
5ba703148f339a790e704590b5dde9ae6739e7d6708e57b9ed388da5cc3005eecb5b5cde9b5ec54000c271b3d8cc9aad326b987315ebd2ce41a7e602c7f56bcd

Download Submit
memory/628-59-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/628-9-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/628-67-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/628-47-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/628-55-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/628-39-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/628-41-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/628-51-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/856-38-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/856-0-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2060-56-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2060-46-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2060-44-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2060-52-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2060-54-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2060-40-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2060-58-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2060-60-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2060-62-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2060-66-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2460-35-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2460-30-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3708-37-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download