6728579691845cd78ae57de1680e291fc58a46d88cfc40563755b92562b154b3

Analysis

max time kernel
118s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ed170485ca598ccc31781416a315710N.exe
Size

143KB
MD5

6ed170485ca598ccc31781416a315710
SHA1

30a23edde75f13b2ed791631ff52d6e2d2bdcf5a
SHA256

6728579691845cd78ae57de1680e291fc58a46d88cfc40563755b92562b154b3
SHA512

aa06fe153905a90784b1bf07c1eb19bf0f9360bbeaa19309b81a663769dedeff83590a93bd6003520d90d9fe8cb61e07d92712e7a4f37b62a3716e5188ce510c
SSDEEP

3072:3LVoDvPd+A4WhkhXDl+i1lApwH08TdTIIIIIIIIIIIIIIIIIIfIIIIyIIIITIIIe:ZopGGgbiwU8JC

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolox.exe"	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolox.exe"	spoolox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolox.exe"	spoolox.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6ed170485ca598ccc31781416a315710N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	spoolox.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6ed170485ca598ccc31781416a315710N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	spoolox.exe

Executes dropped EXE 2 IoCs

pid	Process
3448	spoolox.exe
3352	spoolox.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\spoolox.exe"	6ed170485ca598ccc31781416a315710N.exe

Drops file in Windows directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Windows\spoolox.exe	6ed170485ca598ccc31781416a315710N.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Crack.exe	spoolox.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Crack.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\TVTool v8.31 Crack.exe	spoolox.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Microsoft Office System Professional V2003 Crack.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Microsoft Office System Professional V2003 Crack.exe	spoolox.exe
File created	C:\Windows\spoolox.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Nero Burning ROM v6.0.0.19 Ultra Edition Crack.exe	spoolox.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee VirusScan Home Edition 2004 Crack.exe	spoolox.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Sophos AntiVirus v3.74 Crack.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Keygen.exe	spoolox.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 Crack.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 Crack.exe	spoolox.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Keygen.exe	spoolox.exe
File created	C:\Windows\spoolox.exe	6ed170485ca598ccc31781416a315710N.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee VirusScan Home Edition 2004 Crack.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Crack.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Sophos AntiVirus v3.74 Crack.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Keygen.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Crack.exe	spoolox.exe
File created	C:\Windows\spoolox.exe	spoolox.exe
File opened for modification	C:\Windows\svchost.exe	spoolox.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Crack.exe	spoolox.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NHL 2004 Keygen.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Crack.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe	spoolox.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Crack.exe	spoolox.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Keygen.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\	spoolox.exe
File opened for modification	C:\Windows\svchost.exe	spoolox.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Nero Burning ROM v6.0.0.19 Ultra Edition Crack.exe	spoolox.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Keygen.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\	6ed170485ca598ccc31781416a315710N.exe
File created	C:\Windows\message.dat	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Crack.exe	spoolox.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NHL 2004 Keygen.exe	spoolox.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\TVTool v8.31 Crack.exe	spoolox.exe
File created	C:\Windows\svchost.exe	6ed170485ca598ccc31781416a315710N.exe
File created	C:\Windows\message.htm	spoolox.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Keygen.exe	spoolox.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe	spoolox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ed170485ca598ccc31781416a315710N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolox.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	spoolox.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	spoolox.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 010000000000000011829fba12e7da01	spoolox.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	spoolox.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	spoolox.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	spoolox.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "6"	spoolox.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	spoolox.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	spoolox.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	spoolox.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	spoolox.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	spoolox.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	spoolox.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S"	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3352	spoolox.exe
3352	spoolox.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 3448	3008	6ed170485ca598ccc31781416a315710N.exe	84
PID 3008 wrote to memory of 3448	3008	6ed170485ca598ccc31781416a315710N.exe	84
PID 3008 wrote to memory of 3448	3008	6ed170485ca598ccc31781416a315710N.exe	84

C:\Users\Admin\AppData\Local\Temp\6ed170485ca598ccc31781416a315710N.exe
"C:\Users\Admin\AppData\Local\Temp\6ed170485ca598ccc31781416a315710N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\spoolox.exe
  "C:\Windows\spoolox.exe" -xInstallOurNiceServicesYes
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3448

C:\Windows\spoolox.exe
C:\Windows\spoolox.exe -xStartOurNiceServicesYes
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\spoolox.exe

Filesize
143KB

MD5
6ed170485ca598ccc31781416a315710

SHA1
30a23edde75f13b2ed791631ff52d6e2d2bdcf5a

SHA256
6728579691845cd78ae57de1680e291fc58a46d88cfc40563755b92562b154b3

SHA512
aa06fe153905a90784b1bf07c1eb19bf0f9360bbeaa19309b81a663769dedeff83590a93bd6003520d90d9fe8cb61e07d92712e7a4f37b62a3716e5188ce510c

Download Submit
C:\Windows\svchost.exe

Filesize
143KB

MD5
9ea95d3538c87a00376f94bbe73139d2

SHA1
0d7a1bf904ba4ed0501f870b6c7d2cbe7db4ee84

SHA256
9b7460ea49aa6d90f1f2a01399918bd92e13c6cfc21ffe9d5e110e345f286f76

SHA512
042075162452e7ea547ec80603b95bcf6d8bbc6f96cdc14e42277f9d80dc01194d447d20b2e71a88df9bdaa089591b2726fe6bac3a745fefc95e88992ce488c3

Download Submit