8fb8fc52c817c3ffb2ddcf0f5403043ac1b67cb71d94b490780efc556f48705e

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eddb2d0acc04aeecfae2ac83a79dde60N.exe
Size

43KB
MD5

eddb2d0acc04aeecfae2ac83a79dde60
SHA1

dab5bf729209a79b7b7d88903bf51facef53012e
SHA256

8fb8fc52c817c3ffb2ddcf0f5403043ac1b67cb71d94b490780efc556f48705e
SHA512

50fdf7907b01bb4c6a005e5528529125516ed2498c7d19f401a3388adf72a41b366669c0507124398812cd8a76fef1f7a05a42812c145f2bbb56b1748161f315
SSDEEP

768:pB3Yvnl5pzqsgKnXpkoHS6KZIFhf8HuKWJI3HG+VVVpvl+:zIvl5dKYXGB2IuPJI/l+

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
644	explorer.exe
1896	spoolsv.exe
4404	svchost.exe
3768	spoolsv.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2112-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/files/0x0008000000023623-7.dat	upx
behavioral2/files/0x0008000000023625-13.dat	upx
behavioral2/files/0x0008000000023627-23.dat	upx
behavioral2/memory/3768-33-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/1896-34-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/2112-36-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/644-37-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4404-38-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/644-49-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	eddb2d0acc04aeecfae2ac83a79dde60N.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eddb2d0acc04aeecfae2ac83a79dde60N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe
644	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
644	explorer.exe
4404	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe
644	explorer.exe
644	explorer.exe
1896	spoolsv.exe
1896	spoolsv.exe
4404	svchost.exe
4404	svchost.exe
3768	spoolsv.exe
3768	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 644	2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe	93
PID 2112 wrote to memory of 644	2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe	93
PID 2112 wrote to memory of 644	2112	eddb2d0acc04aeecfae2ac83a79dde60N.exe	93
PID 644 wrote to memory of 1896	644	explorer.exe	94
PID 644 wrote to memory of 1896	644	explorer.exe	94
PID 644 wrote to memory of 1896	644	explorer.exe	94
PID 1896 wrote to memory of 4404	1896	spoolsv.exe	95
PID 1896 wrote to memory of 4404	1896	spoolsv.exe	95
PID 1896 wrote to memory of 4404	1896	spoolsv.exe	95
PID 4404 wrote to memory of 3768	4404	svchost.exe	96
PID 4404 wrote to memory of 3768	4404	svchost.exe	96
PID 4404 wrote to memory of 3768	4404	svchost.exe	96

C:\Users\Admin\AppData\Local\Temp\eddb2d0acc04aeecfae2ac83a79dde60N.exe
"C:\Users\Admin\AppData\Local\Temp\eddb2d0acc04aeecfae2ac83a79dde60N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:644
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4404
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:8
1⤵
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
43KB

MD5
94dad7c0ecd7b9f47787dc3a652d8527

SHA1
dd30e6bac52910cca1472f58593f14b346b7d1d0

SHA256
5015ad83cb53efea2895d45fe8278adca33447c6836a71d9ca24e817bd74390f

SHA512
9a5aad78ee18dc524fb0deb504b9ff4bfdb5f97e82306a6442f0da07be6cfc50f5a749d8a8e3f226a6c3e1d31f28946d3fc7db275cb8355cb5690f0605e4271a

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
43KB

MD5
c5a15d7e71130e9bf3aafcca277b227f

SHA1
0f1862fa53b472a39423cd92dcdf36c2357b3ad5

SHA256
a7286f8e5e46d229472b984d4548db5eb12979fabd576640bd1b4e1566a262d9

SHA512
d096aa9a1328f40f4a6403f1240d82f3fa798d4449694e46d035992fecec5701613bb5a3e03633742bdaeb31526d399876e7bc1987db56ceded88878e5168d8c

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
43KB

MD5
7c344c2cb01963f89b946fe3ce4f6987

SHA1
3404137c1d883dd6c3f6eb12d4f8179f1f3d7324

SHA256
bc8f1e92701afc9e47b9bf215f59bbe0f36b0be7c89ed6e1856658fb1b3472d4

SHA512
a0a7f7127b6ac96026a363e1cbcb9f87f2f0f4d1aa886c2e2637b7c089a8bcb0779b2e17cb544aa731378b8afaeb9572d7fefc0171203990fe1d770648713fc9

Download Submit
memory/644-37-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/644-49-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1896-34-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2112-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2112-36-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3768-33-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4404-38-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download