Analysis

- max time kernel: 120s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/08/2024, 18:28
- Static task: static1
- Behavioral task: behavioral1 (sample `41b435088fb40d730f8a028eedc9dba0N.exe`, resource win7-20240708-en)
- Behavioral task: behavioral2 (sample `41b435088fb40d730f8a028eedc9dba0N.exe`, resource win10v2004-20240802-en)
General

- Target: `41b435088fb40d730f8a028eedc9dba0N.exe`
- Size: 130KB
- MD5: `41b435088fb40d730f8a028eedc9dba0`
- SHA1: `87523a4d93a39fad8da1fc3e6a4a9555cd3b0c37`
- SHA256: `8c891e189e032e6cc3696d5e75be8514017f37a26eb4d0d245c95a69cabe4732`
- SHA512: `6273044b976196e54988bbf8cb65778c8d4d24ddd0e601ddff4911e6c1432b4dccfc68737ec3873ee5ff54a530b181ac1d1a63beddd558d6ca268422997a668a`
- SSDEEP: `1536:qfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdG:qVqoCl/YgjxEufVU0TbTyDDalbG`
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | `\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"` | explorer.exe |
| Set value (int) | `\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"` | svchost.exe |
Executes dropped EXE (4 IoCs)

| pid | Process |
| --- | --- |
| 4448 | explorer.exe |
| 2288 | spoolsv.exe |
| 2772 | svchost.exe |
| 1552 | spoolsv.exe |
Adds Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"` | svchost.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"` | explorer.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"` | explorer.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"` | svchost.exe |
Drops file in System32 directory (2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | `C:\Windows\SysWOW64\explorer.exe` | explorer.exe |
| File opened for modification | `C:\Windows\SysWOW64\explorer.exe` | svchost.exe |
Drops file in Windows directory (4 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | `\??\c:\windows\resources\themes\explorer.exe` | 41b435088fb40d730f8a028eedc9dba0N.exe |
| File opened for modification | `\??\c:\windows\resources\spoolsv.exe` | explorer.exe |
| File opened for modification | `\??\c:\windows\resources\svchost.exe` | spoolsv.exe |
| File opened for modification | `C:\Windows\Resources\tjud.exe` | explorer.exe |
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | svchost.exe |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | spoolsv.exe |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | 41b435088fb40d730f8a028eedc9dba0N.exe |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | explorer.exe |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | spoolsv.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process |
| --- | --- |
| 3472 | 41b435088fb40d730f8a028eedc9dba0N.exe |
| 4448 | explorer.exe |
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| pid | Process |
| --- | --- |
| 4448 | explorer.exe |
| 2772 | svchost.exe |
Suspicious use of SetWindowsHookEx (10 IoCs)

| pid | Process |
| --- | --- |
| 3472 | 41b435088fb40d730f8a028eedc9dba0N.exe |
| 4448 | explorer.exe |
| 2288 | spoolsv.exe |
| 2772 | svchost.exe |
| 1552 | spoolsv.exe |
Suspicious use of WriteProcessMemory (12 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 3472 wrote to memory of 4448 | 3472 | 41b435088fb40d730f8a028eedc9dba0N.exe | 86 |
| PID 4448 wrote to memory of 2288 | 4448 | explorer.exe | 87 |
| PID 2288 wrote to memory of 2772 | 2288 | spoolsv.exe | 88 |
| PID 2772 wrote to memory of 1552 | 2772 | svchost.exe | 90 |
Processes

1. `C:\Users\Admin\AppData\Local\Temp\41b435088fb40d730f8a028eedc9dba0N.exe` (PID 3472)
   Command line: `"C:\Users\Admin\AppData\Local\Temp\41b435088fb40d730f8a028eedc9dba0N.exe"`
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. `\??\c:\windows\resources\themes\explorer.exe` (PID 4448)
      Command line: `c:\windows\resources\themes\explorer.exe`
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. `\??\c:\windows\resources\spoolsv.exe` (PID 2288)
         Command line: `c:\windows\resources\spoolsv.exe SE`
         - Executes dropped EXE
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. `\??\c:\windows\resources\svchost.exe` (PID 2772)
            Command line: `c:\windows\resources\svchost.exe`
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. `\??\c:\windows\resources\spoolsv.exe` (PID 1552)
               Command line: `c:\windows\resources\spoolsv.exe PR`
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads