e08f7a1ca08be006714ea80e742224e946c77a559df2bb0d1a5d7ad30f956b11

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

285be898cbd1b6c3ef3f0dc8c2360080N.exe
Size

206KB
MD5

285be898cbd1b6c3ef3f0dc8c2360080
SHA1

22eaa02090b293c588a884ec91c0a2b13e73abdb
SHA256

e08f7a1ca08be006714ea80e742224e946c77a559df2bb0d1a5d7ad30f956b11
SHA512

8bf1f6935026c48dfc6d3a11800855395d2107992ef37df3abcbf63d03c874e9c8c8f0f8bf4ad315f1c4e7efe07a5f7ac6b6346d2aac8a05871e3dc7786f422c
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdZ:/VqoCl/YgjxEufVU0TbTyDDalbZ

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2168	explorer.exe
4732	spoolsv.exe
4076	svchost.exe
2512	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	285be898cbd1b6c3ef3f0dc8c2360080N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	285be898cbd1b6c3ef3f0dc8c2360080N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4076	svchost.exe
2168	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe
2168	explorer.exe
2168	explorer.exe
4732	spoolsv.exe
4732	spoolsv.exe
4076	svchost.exe
4076	svchost.exe
2512	spoolsv.exe
2512	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2168	2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe	84
PID 2904 wrote to memory of 2168	2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe	84
PID 2904 wrote to memory of 2168	2904	285be898cbd1b6c3ef3f0dc8c2360080N.exe	84
PID 2168 wrote to memory of 4732	2168	explorer.exe	85
PID 2168 wrote to memory of 4732	2168	explorer.exe	85
PID 2168 wrote to memory of 4732	2168	explorer.exe	85
PID 4732 wrote to memory of 4076	4732	spoolsv.exe	86
PID 4732 wrote to memory of 4076	4732	spoolsv.exe	86
PID 4732 wrote to memory of 4076	4732	spoolsv.exe	86
PID 4076 wrote to memory of 2512	4076	svchost.exe	87
PID 4076 wrote to memory of 2512	4076	svchost.exe	87
PID 4076 wrote to memory of 2512	4076	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\285be898cbd1b6c3ef3f0dc8c2360080N.exe
"C:\Users\Admin\AppData\Local\Temp\285be898cbd1b6c3ef3f0dc8c2360080N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2168
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4076
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
38e159c10a3c3fe160924c173b03097d

SHA1
66ef8489dec73afd7f9602ef264ec8a689a02fa4

SHA256
393a989c9959d8d7d3008e7482ce997d24a4ec29c23ee2c183bcc11ed57754b0

SHA512
d4ea8e5c9ffbaeff7daa80f8c33bf79868c772f08679f209dc355ccc0c09c44794e688e1eede8f750cdfdf0a581fe8b64ea5a3f0f257b67c7e6452f60885f230

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
206KB

MD5
e79e176d3c2417889c935549d278b271

SHA1
25efc83cbcb301a39bd02f5832e79b192454d826

SHA256
12512f7b176f0d3e6c80817bd40da9a70e6ac4719f861b45f6afe4d6272b0127

SHA512
71aa32a1e296005eeb79bafcbf3bf0e6669b29b63d8797d3e91d984d6ca2b563b91139d70619bda1972df8a9a87d29dec965d3f953d6c2ef1c8eaf5f2c249118

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
206KB

MD5
78dc4dd7be14158bb3b2edc17af3bf0e

SHA1
317c54799d951d8937c9e09e5720c1bc0b381b05

SHA256
1595d5e91cad17cfe6381522ef8dfb1e7971229167b6277a5ed5f69f037840a2

SHA512
1cb6fa4516d705c52a4c4c6006bf4a7f849caa8dadead98ef4b80b2678115db0e8f176593e49f7d3f5bca5fa0eb04c44f7d45eb0f68b55abb083eb5b5a261515

Download Submit
memory/2168-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4076-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4732-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4732-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download