6fb7c04ca4faa826c5c11a9eb65d6c6bb57795a7489a2b7603172f12a3842606

Analysis

max time kernel
120s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 16:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

393646550bfdd0780cf11170e7301390N.exe
Size

2.6MB
MD5

393646550bfdd0780cf11170e7301390
SHA1

95072f969635ba6d27b7be55a4f8b00b265f5928
SHA256

6fb7c04ca4faa826c5c11a9eb65d6c6bb57795a7489a2b7603172f12a3842606
SHA512

9f7018b331cabc5fb2f86348c88235fec68ae6e13336e8a7613ad51a6fc9872e62a19670765dbf4469768192714aaf8a570abb5ac6918ff4235f852e230e62c0
SSDEEP

49152:TeS12nRc6C5CEAHD26ICQVt1ULUQRP6a6YPkCLJ37xbIjNyX5Hxzl/U:6S+c6ZEmqCMtmoQRP6aZtnsNq9l/U

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
5020	explorer.exe
2724	spoolsv.exe
1464	svchost.exe
1944	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 31 IoCs

pid	Process
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
5020	explorer.exe
2724	spoolsv.exe
1464	svchost.exe
1944	spoolsv.exe
1944	spoolsv.exe
5020	explorer.exe
1464	svchost.exe
5020	explorer.exe
1464	svchost.exe
5020	explorer.exe
1464	svchost.exe
5020	explorer.exe
1464	svchost.exe
5020	explorer.exe
1464	svchost.exe
5020	explorer.exe
1464	svchost.exe
5020	explorer.exe
1464	svchost.exe
5020	explorer.exe
1464	svchost.exe
5020	explorer.exe
1464	svchost.exe
5020	explorer.exe
1464	svchost.exe
5020	explorer.exe
1464	svchost.exe
5020	explorer.exe
1464	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	393646550bfdd0780cf11170e7301390N.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	393646550bfdd0780cf11170e7301390N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5020	explorer.exe
1464	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
1864	393646550bfdd0780cf11170e7301390N.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
2724	spoolsv.exe
2724	spoolsv.exe
2724	spoolsv.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe
1944	spoolsv.exe
1944	spoolsv.exe
1944	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 5020	1864	393646550bfdd0780cf11170e7301390N.exe	85
PID 1864 wrote to memory of 5020	1864	393646550bfdd0780cf11170e7301390N.exe	85
PID 1864 wrote to memory of 5020	1864	393646550bfdd0780cf11170e7301390N.exe	85
PID 5020 wrote to memory of 2724	5020	explorer.exe	86
PID 5020 wrote to memory of 2724	5020	explorer.exe	86
PID 5020 wrote to memory of 2724	5020	explorer.exe	86
PID 2724 wrote to memory of 1464	2724	spoolsv.exe	88
PID 2724 wrote to memory of 1464	2724	spoolsv.exe	88
PID 2724 wrote to memory of 1464	2724	spoolsv.exe	88
PID 1464 wrote to memory of 1944	1464	svchost.exe	89
PID 1464 wrote to memory of 1944	1464	svchost.exe	89
PID 1464 wrote to memory of 1944	1464	svchost.exe	89

C:\Users\Admin\AppData\Local\Temp\393646550bfdd0780cf11170e7301390N.exe
"C:\Users\Admin\AppData\Local\Temp\393646550bfdd0780cf11170e7301390N.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1864
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5020
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1464
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
a08fa653a7822a05fdd244081de22980

SHA1
4099d84f424ed8fdd92819d21ee41190d8ab12dd

SHA256
90b4aa2a8a6ba5bda58639859d4fd155703bc870e468cbec8051df8608a0fa63

SHA512
996cdaa42539d027ef8c9398a63e3c678899439696fdef3ae5bf7bd32eecdbd1506b5753e18b0247a41e05f286dec2af4bbcdabc91b12ee36e3252fef6ab31d8

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
aba4507a0d4a0189852529120ca98c47

SHA1
c46dcdc6a0ca30505fda3c42cb6bbdaa43d0eefe

SHA256
d72dc3899c28c4dc42ae3b011c2333eaf009f481c849b2ce9fcf4d308326f7f0

SHA512
c3f6dbb93298dffb8e6398a11e0e67b2bfe0e9b79adc9de0d1fe8dd6882a93ec2669471101f4f91122b234222cb512f4f27c714585f4c39808bf86014fe5e57a

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
e2cdfe5c088b4096bb8fda2e6cbd1871

SHA1
aac2472ab188306b3b53a4ffae8bf1ac7fb1c6ff

SHA256
1c39aae11a4205c5be8b4db7de09a6ab2e97ad3b7aaa380bb979567495dcbea7

SHA512
e88286623b6e2a96ce84d2eba353ded074fedbdc7b3a92070bc37e576aacb5f104cadd182ffb65e92fce3cdf2a33fb49a791f4945871943ce4ee185b5e01e717

Download Submit
memory/1464-63-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1464-55-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1464-67-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1464-53-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1464-59-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1464-51-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1464-61-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1464-48-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1464-65-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1864-0-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1864-43-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1864-44-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1864-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1944-39-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1944-34-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-42-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-41-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2724-21-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2724-20-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/5020-46-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/5020-54-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/5020-56-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/5020-58-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/5020-52-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/5020-60-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/5020-50-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/5020-62-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/5020-45-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/5020-64-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/5020-11-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/5020-66-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/5020-10-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download