e7239cf4c1ad58e01b43ad7b208b8e5023ddb84ca774cf2e7ad9fbb421cf6384

Analysis

max time kernel
120s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

476882ab641cf3f57e914868b7f5d500N.exe
Size

207KB
MD5

476882ab641cf3f57e914868b7f5d500
SHA1

2ca2bbc515f0d23440d2ae0b445fbc95af7b90b5
SHA256

e7239cf4c1ad58e01b43ad7b208b8e5023ddb84ca774cf2e7ad9fbb421cf6384
SHA512

902a8ad2905574fe5e75f1a4666175eef635f912c6878aa02a8d5b0869b98fba0d4d07b8fe6b1c97d074371458e1186486f60d9ec2a0fa50f740bafa61f75145
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdo:/VqoCl/YgjxEufVU0TbTyDDalbo

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
5100	explorer.exe
3968	spoolsv.exe
3992	svchost.exe
1412	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	476882ab641cf3f57e914868b7f5d500N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	476882ab641cf3f57e914868b7f5d500N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5100	explorer.exe
3992	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3044	476882ab641cf3f57e914868b7f5d500N.exe
3044	476882ab641cf3f57e914868b7f5d500N.exe
5100	explorer.exe
5100	explorer.exe
3968	spoolsv.exe
3968	spoolsv.exe
3992	svchost.exe
3992	svchost.exe
1412	spoolsv.exe
1412	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 5100	3044	476882ab641cf3f57e914868b7f5d500N.exe	84
PID 3044 wrote to memory of 5100	3044	476882ab641cf3f57e914868b7f5d500N.exe	84
PID 3044 wrote to memory of 5100	3044	476882ab641cf3f57e914868b7f5d500N.exe	84
PID 5100 wrote to memory of 3968	5100	explorer.exe	85
PID 5100 wrote to memory of 3968	5100	explorer.exe	85
PID 5100 wrote to memory of 3968	5100	explorer.exe	85
PID 3968 wrote to memory of 3992	3968	spoolsv.exe	86
PID 3968 wrote to memory of 3992	3968	spoolsv.exe	86
PID 3968 wrote to memory of 3992	3968	spoolsv.exe	86
PID 3992 wrote to memory of 1412	3992	svchost.exe	87
PID 3992 wrote to memory of 1412	3992	svchost.exe	87
PID 3992 wrote to memory of 1412	3992	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\476882ab641cf3f57e914868b7f5d500N.exe
"C:\Users\Admin\AppData\Local\Temp\476882ab641cf3f57e914868b7f5d500N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5100
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3992
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
3e66fd953b05cc0fe69c199251b6a766

SHA1
a349e1716d3c08207749fb409e3d89a45f40166e

SHA256
2b3b7d2e0d60c6cd05156f67e8ce87a51fdbe435f4f73dbb7aa0cb4084fc1207

SHA512
3157db4e3d0cd095f6ab232a37289212f9421ec7166007f27d0c14addb6ef4e33eb77323cea3795f7ba4dc681cf772c9044307f8b279410677a4fff07d75f905

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
207KB

MD5
9ddda843d965a7398e2f9a4bb7c69c06

SHA1
80b2f17e7b655a8d2f0548e517308734c88ddec2

SHA256
3826fdaf355f930cae9c118a5170ea5de7dbe1e85ca80da4296d1946776b141a

SHA512
e8e94e154e53b114d5f907776955ab3b608a18e11a772a0889fffa27346dc81f1e70e49fb5993a184f20a192a0a6bf73c5bb0eea204953814c8ea7664575f0ef

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
206KB

MD5
462696a27c9631f9089048d19fd4657d

SHA1
2519abbfdb26d4f54f914eff2269cd59f70d6185

SHA256
de878479a48c05d1bae30e5f61d0e09eba6c6e1536d741cb2a690b8413467e06

SHA512
eb4df748929975cbc34a26e36330743b9b0a1ccc23bc9e43ab82cced313ffdf6bdd6bdcc9bfa20a76a4862d9e904d813961e8043714b567c2c41b730067f0d0c

Download Submit
memory/1412-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3992-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download