62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
Size

3.6MB
MD5

7dbbec6df3ed420c7ade36b50d9fd3d8
SHA1

e7c08bf3a79343dfb7fda05414535c6a8ef20c42
SHA256

62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099
SHA512

56dcf4f10414c6d57a1bca6ea484b3355e8f77f06d9090a32649c3a1ec00768c79469f326662afb1f842d70f2cd4fb1e066cc5eabf0febc45a2bcac0afbc9810
SSDEEP

98304:ddByXcdnlLwOrI5Vfeg91hZOhkRpsinjx:ddien+OrFuBR6cx

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2104	explorer.exe
2152	spoolsv.exe
2148	svchost.exe
4308	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs

pid	Process
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
2104	explorer.exe
2152	spoolsv.exe
2148	svchost.exe
4308	spoolsv.exe
4308	spoolsv.exe
2148	svchost.exe
2104	explorer.exe
2148	svchost.exe
2104	explorer.exe
2148	svchost.exe
2104	explorer.exe
2148	svchost.exe
2104	explorer.exe
2148	svchost.exe
2104	explorer.exe
2148	svchost.exe
2104	explorer.exe
2148	svchost.exe
2104	explorer.exe
2148	svchost.exe
2104	explorer.exe
2148	svchost.exe
2104	explorer.exe
2148	svchost.exe
2104	explorer.exe
2148	svchost.exe
2104	explorer.exe
2148	svchost.exe
2104	explorer.exe
2148	svchost.exe
2104	explorer.exe
2148	svchost.exe
2104	explorer.exe
2148	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2104	explorer.exe
2148	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2152	spoolsv.exe
2152	spoolsv.exe
2152	spoolsv.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
4308	spoolsv.exe
4308	spoolsv.exe
4308	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 2104	4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe	86
PID 4068 wrote to memory of 2104	4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe	86
PID 4068 wrote to memory of 2104	4068	62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe	86
PID 2104 wrote to memory of 2152	2104	explorer.exe	87
PID 2104 wrote to memory of 2152	2104	explorer.exe	87
PID 2104 wrote to memory of 2152	2104	explorer.exe	87
PID 2152 wrote to memory of 2148	2152	spoolsv.exe	89
PID 2152 wrote to memory of 2148	2152	spoolsv.exe	89
PID 2152 wrote to memory of 2148	2152	spoolsv.exe	89
PID 2148 wrote to memory of 4308	2148	svchost.exe	90
PID 2148 wrote to memory of 4308	2148	svchost.exe	90
PID 2148 wrote to memory of 4308	2148	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe
"C:\Users\Admin\AppData\Local\Temp\62a4a46ce86d6cb82ca3b5c2d854cd1c70f6b58517d28f970fc3aa77205a4099.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2104
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2148
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
3.6MB

MD5
1ca63d8c2239b1ef7cf72443a024b581

SHA1
8474ca7a0c99ff10160ee9487b7d920c99740e3a

SHA256
dcd1dd47e20973b0d6d629225bb5b5fe17e2e29d26f49e49049444d15e6d7140

SHA512
c87d11634cf5fedbc0503e7a602f78d656e32189514d1835a0ae93149f84a9eff24ba7caf41f10023ca36daa9100eb8d30d922e78c7612ea5de0d536bdb2eade

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
3.6MB

MD5
c10f27c77200c8b26c8cce8c4dc16c51

SHA1
03df52d6263dbe177cd76e284378f462a98644a9

SHA256
6023a64188ac7d0e47c05d08fd282e2253573fffd8ce93457ac0424ce5c8c62a

SHA512
86c797be0ed83f533c28246b66222b7b45d7b695a692aa73697649d04225c43c309fb3379f6330b89494065de2cea59fd7679b55b2d5317f439ab5dfb138dce1

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
3.6MB

MD5
7ee8e2e562e6001f73d334d03f58d37e

SHA1
c36b95483d3a085b3dd8b4adfcafde33ba4bb239

SHA256
22c1a3f13040b4f33bc5f074f3fec66295336b4bef2eb8e447a8f2996284890a

SHA512
078fe7f2940f0710469bcf5b223506c9edebdb9663517570cb286575f7cc8eda48af62337a3a5f51e9904f4f381718f46a35efd3bfa1016fae7e01d152b6461c

Download Submit
memory/2104-61-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2104-49-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2104-69-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2104-67-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2104-65-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2104-63-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2104-59-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2104-57-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2104-41-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2104-42-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2104-55-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2104-45-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2104-53-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2104-47-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2104-51-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-43-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-60-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-48-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-70-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-46-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-68-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-52-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-56-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-27-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-58-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-66-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-50-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-64-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-62-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2148-54-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2152-39-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4068-0-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4068-40-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4068-1-0x0000000077122000-0x0000000077123000-memory.dmp

Filesize
4KB

Download
memory/4068-2-0x0000000077123000-0x0000000077124000-memory.dmp

Filesize
4KB

Download
memory/4308-32-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4308-38-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download