d9d49566c237dcb267abf33f236f4b55809e1639f4327d3e9f8a310e40a07ec1

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

170a3aad0f5f53392bcd508297da03f0N.exe
Size

207KB
MD5

170a3aad0f5f53392bcd508297da03f0
SHA1

ddf979c7bcbc325e03aa452d2902e4c419d48904
SHA256

d9d49566c237dcb267abf33f236f4b55809e1639f4327d3e9f8a310e40a07ec1
SHA512

b24358bd0727214dab24509acabefa1d25724d253187bcc491b436dfdcadeeb15ab21681bfdc2a5bd2578c93500490cd82b7fec850c8e2849c13751538fff76e
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJd6:/VqoCl/YgjxEufVU0TbTyDDalb6

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3948	explorer.exe
4228	spoolsv.exe
2672	svchost.exe
3800	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	170a3aad0f5f53392bcd508297da03f0N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	170a3aad0f5f53392bcd508297da03f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe
3948	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3948	explorer.exe
2672	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4568	170a3aad0f5f53392bcd508297da03f0N.exe
4568	170a3aad0f5f53392bcd508297da03f0N.exe
3948	explorer.exe
3948	explorer.exe
4228	spoolsv.exe
4228	spoolsv.exe
2672	svchost.exe
2672	svchost.exe
3800	spoolsv.exe
3800	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 3948	4568	170a3aad0f5f53392bcd508297da03f0N.exe	84
PID 4568 wrote to memory of 3948	4568	170a3aad0f5f53392bcd508297da03f0N.exe	84
PID 4568 wrote to memory of 3948	4568	170a3aad0f5f53392bcd508297da03f0N.exe	84
PID 3948 wrote to memory of 4228	3948	explorer.exe	85
PID 3948 wrote to memory of 4228	3948	explorer.exe	85
PID 3948 wrote to memory of 4228	3948	explorer.exe	85
PID 4228 wrote to memory of 2672	4228	spoolsv.exe	86
PID 4228 wrote to memory of 2672	4228	spoolsv.exe	86
PID 4228 wrote to memory of 2672	4228	spoolsv.exe	86
PID 2672 wrote to memory of 3800	2672	svchost.exe	87
PID 2672 wrote to memory of 3800	2672	svchost.exe	87
PID 2672 wrote to memory of 3800	2672	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\170a3aad0f5f53392bcd508297da03f0N.exe
"C:\Users\Admin\AppData\Local\Temp\170a3aad0f5f53392bcd508297da03f0N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4568
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3948
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2672
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
290239364395b9463d9afbc9aa269409

SHA1
2c457e43f707a7547df022118a589c2746a29e62

SHA256
48b5189e9edc5162b84307515a241dad3f2ca0881efad86515b4b9c773706672

SHA512
f64eaa9bae0868471e217627ac9398d2e3a68f91b056fa3d1dfb7509ee93a953b8cf36e1c7d2c020ce8883c9e00528d8ac45d099032fb5d45cf89e3544917de1

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
206KB

MD5
34f8a2711a769e308ac1cf2010b3e381

SHA1
2baa84fc27d257f467b595b0264da48273a9e58d

SHA256
54202c0ad4ddeb89a39065f37734be0029496b3472597e58f1bc198c3a406d70

SHA512
d34503f18c2f03897722725e27b88671e513d1b9160331f3f7ad19c419fd90b07d47f16e7a12f93d4388e33535d8b6f78920a7e8b2dffa38e8755125439aa71f

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
206KB

MD5
e546875424affd6165515e32d00fd4a0

SHA1
c8954d60d09954704556e2e71c5e8eff5e837ef9

SHA256
ce6e869de2c0afa32e0ab71ff3c714f29cfa7d0902b34f6c7fc389396000e475

SHA512
c1551147b70231720cc81b7799f7998638a3086a25b34fc3867a269f84a04b9a8627eeac0e1ef6f670b80e04aae67b482ab75095659dc7106879dfa2f39b807d

Download Submit
memory/2672-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3800-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3800-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3948-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4228-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download