62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 23:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
Size

206KB
MD5

0c5c17d5be1d56e6a8065c25d48114ac
SHA1

fb770d89071eac58a073f3491ec2cef6b69b45be
SHA256

62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa
SHA512

9ddb62a3f12654adee3e657f6febb9ce69bcc535e908b263d87200b48ec516089eb61fd8b001f33a8d18c94f7bf41cfc618feb7d20e237f3f2d01639a24192e0
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJds:/VqoCl/YgjxEufVU0TbTyDDalbs

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2548	explorer.exe
4832	spoolsv.exe
4252	svchost.exe
4740	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2548	explorer.exe
4252	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
2548	explorer.exe
2548	explorer.exe
4832	spoolsv.exe
4832	spoolsv.exe
4252	svchost.exe
4252	svchost.exe
4740	spoolsv.exe
4740	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2548	2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe	85
PID 2704 wrote to memory of 2548	2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe	85
PID 2704 wrote to memory of 2548	2704	62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe	85
PID 2548 wrote to memory of 4832	2548	explorer.exe	86
PID 2548 wrote to memory of 4832	2548	explorer.exe	86
PID 2548 wrote to memory of 4832	2548	explorer.exe	86
PID 4832 wrote to memory of 4252	4832	spoolsv.exe	87
PID 4832 wrote to memory of 4252	4832	spoolsv.exe	87
PID 4832 wrote to memory of 4252	4832	spoolsv.exe	87
PID 4252 wrote to memory of 4740	4252	svchost.exe	88
PID 4252 wrote to memory of 4740	4252	svchost.exe	88
PID 4252 wrote to memory of 4740	4252	svchost.exe	88

C:\Users\Admin\AppData\Local\Temp\62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe
"C:\Users\Admin\AppData\Local\Temp\62c81967ea9ab5abf275e90e7ab92783684781f01e3057a7f90811b70d8991fa.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2548
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4252
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
f6e12e6d6af782aa0737f59a122aca52

SHA1
54d3eae15891413ded80b786a96eba70720a8e38

SHA256
d4ec839a28fbe66a6806c5b615f8df249ec239bbbbf6705f7889187eeaf5cb17

SHA512
27a49fd93b49989074fbf5362b9109131c59e3afb2943ec3a111849008c34e8b51fb746edd6adb8bb23b8372ad406d11d213e8a72a9284db715c2de47e65a7d3

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
206KB

MD5
4a293744d0459bec38e2a55c95decaaa

SHA1
e02ffdf9d6d42e61297523598eed2485597e9008

SHA256
ed8e3e9d9ae1ada3936a85c8e2239658904f0f706a4dcec1bd240a9609193633

SHA512
f30ee115493a931b582aaeb1f95e12da4cfadc121cce3d68f46d62e7c3dbd37945b636f99cb5d9c87956e5b987ffcbe3bbcab9be14784db9c040aaf4b3b96c88

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
206KB

MD5
f683e231784cdb189a115b40aa0d8bbf

SHA1
12b532cd8d2d2247b6562b432346ed91e8af17d8

SHA256
664c67d82d7afd868ea450fd4672923c2664b0cb5195cd324e135c51f841f7bf

SHA512
30b29317eaf06d8524534b442a89cee3eeb849e5d3b3f5c4a72d7f5b53d55c9b045326714a95154b934206de879c043d565d006a78df7429cf24593976a33f38

Download Submit
memory/2548-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4252-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download