c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c

Analysis

max time kernel
84s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
Size

741KB
MD5

9c119f7c587b2f0a3dcc004835cc1f2d
SHA1

a51180e0e088cf2e9d7817fad22b3013148ae051
SHA256

c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c
SHA512

f85e7d96db173812b8ad9e34a8228dfdeff2610b9fa7b87052ffaabf741fd21dcce46dd469b7541ec4fa73f1ea34272e6b7a197aee9be6206cd5583f204f0789
SSDEEP

12288:ltTuhrf45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1F388888888K:lIt4kt0Kd6F6CNzYhUiEWEYcwP88888z

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2280	explorer.exe
2908	spoolsv.exe
2328	svchost.exe
2844	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2280	explorer.exe
2908	spoolsv.exe
2328	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2280	explorer.exe
2908	spoolsv.exe
2328	svchost.exe
2844	spoolsv.exe
2280	explorer.exe
2328	svchost.exe
2280	explorer.exe
2328	svchost.exe
2280	explorer.exe
2328	svchost.exe
2280	explorer.exe
2328	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2624	schtasks.exe
304	schtasks.exe
1184	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2280	explorer.exe
2328	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2844	spoolsv.exe
2844	spoolsv.exe
2844	spoolsv.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2280	2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe	30
PID 2552 wrote to memory of 2280	2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe	30
PID 2552 wrote to memory of 2280	2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe	30
PID 2552 wrote to memory of 2280	2552	c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe	30
PID 2280 wrote to memory of 2908	2280	explorer.exe	31
PID 2280 wrote to memory of 2908	2280	explorer.exe	31
PID 2280 wrote to memory of 2908	2280	explorer.exe	31
PID 2280 wrote to memory of 2908	2280	explorer.exe	31
PID 2908 wrote to memory of 2328	2908	spoolsv.exe	32
PID 2908 wrote to memory of 2328	2908	spoolsv.exe	32
PID 2908 wrote to memory of 2328	2908	spoolsv.exe	32
PID 2908 wrote to memory of 2328	2908	spoolsv.exe	32
PID 2328 wrote to memory of 2844	2328	svchost.exe	33
PID 2328 wrote to memory of 2844	2328	svchost.exe	33
PID 2328 wrote to memory of 2844	2328	svchost.exe	33
PID 2328 wrote to memory of 2844	2328	svchost.exe	33
PID 2280 wrote to memory of 2920	2280	explorer.exe	34
PID 2280 wrote to memory of 2920	2280	explorer.exe	34
PID 2280 wrote to memory of 2920	2280	explorer.exe	34
PID 2280 wrote to memory of 2920	2280	explorer.exe	34
PID 2328 wrote to memory of 2624	2328	svchost.exe	35
PID 2328 wrote to memory of 2624	2328	svchost.exe	35
PID 2328 wrote to memory of 2624	2328	svchost.exe	35
PID 2328 wrote to memory of 2624	2328	svchost.exe	35
PID 2328 wrote to memory of 304	2328	svchost.exe	39
PID 2328 wrote to memory of 304	2328	svchost.exe	39
PID 2328 wrote to memory of 304	2328	svchost.exe	39
PID 2328 wrote to memory of 304	2328	svchost.exe	39

C:\Users\Admin\AppData\Local\Temp\c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe
"C:\Users\Admin\AppData\Local\Temp\c367c25212dcad569631aded689e2c6fb67f1a853a73ac13eb33aa9e36ef5e4c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2280
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2328
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2844
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:35 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2624
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:36 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:304
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:37 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1184
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
741KB

MD5
925b1049a2bb5925b8a885a807f55a9a

SHA1
b37faa1094c2656f43f34e13d18623b563eb749d

SHA256
46e987c135aeeb1140bbd58acd05c3033ccceb5cd79ff38f7e474fb955cfbb14

SHA512
c5e642aa767cbb50ebc40b53bd7d613e88be1b01b7ada3c6a6ab46dca5e55b79f08d4de6685e6187264a414c6a3a358e993b15be0081d47dfc440ff903c02fb0

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
741KB

MD5
94a6ed3a8749ecafd95d06cf1336b7d4

SHA1
e9fd7e234833e7270be66bd5ff16b15b5c58e6a9

SHA256
73f0e64a7a2f2ed70f21a4b4c498ba533ce23640708c05606a88c9fe8d31b5e7

SHA512
2a7ece4e0c1555f5c354084717c95dbf9f9037281ac533b36f1b5c249b60f1c58ebeeef0a032455810f67cfa3f60ae6839bfe490c513b060ab45bdb755ae7621

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
742KB

MD5
88e4e2b34bd0678e5ebb49e69eb920b8

SHA1
91d85c1c7b3702a1ff5e9422dfa11a9e98b4ad98

SHA256
5a44e04452032b5c5ee0a00aa66a9d6106fabc7aac0c8fcd2051f9421870cb6d

SHA512
83e4b9403c25b7cca6fa77de18b8d024ec169d9bd44e22d35458a773ac3aae9c8c46790e842fdba22f261455778e8ac2d249638381e197dc1b56341e94454fbe

Download Submit
memory/2280-65-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2280-53-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2280-79-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2280-22-0x0000000003DD0000-0x0000000004142000-memory.dmp

Filesize
3.4MB

Download
memory/2280-75-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2280-67-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2280-11-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2328-55-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2328-62-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2328-82-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2328-78-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2328-42-0x0000000003950000-0x0000000003CC2000-memory.dmp

Filesize
3.4MB

Download
memory/2328-54-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2328-76-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2328-56-0x0000000003950000-0x0000000003CC2000-memory.dmp

Filesize
3.4MB

Download
memory/2328-60-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2328-70-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2328-64-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2328-35-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2328-68-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2552-0-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2552-10-0x0000000003CA0000-0x0000000004012000-memory.dmp

Filesize
3.4MB

Download
memory/2552-51-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2844-47-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2908-33-0x0000000003B40000-0x0000000003EB2000-memory.dmp

Filesize
3.4MB

Download
memory/2908-23-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2908-49-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download