bb74ebf51e508fd1c2639175f81970dcbc1d7244245d15adb7f5d4cb1534d62e

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c60dc3588a378da3b6849a3da4b1a480N.exe
Size

206KB
MD5

c60dc3588a378da3b6849a3da4b1a480
SHA1

7efe96310b1d19c3fc0bf3b19713f079ec20aaba
SHA256

bb74ebf51e508fd1c2639175f81970dcbc1d7244245d15adb7f5d4cb1534d62e
SHA512

917f1e2e05e4325e88ce3c0f65c425fc2b06487d0b8c22d76ce6a8a4af96214c0959edcf58726fdefe5b3a62fa1dc5d5e533f1f0ed59119f16f9c32cee5c7b9d
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdbrrrrrrrrrrrrR:/VqoCl/YgjxEufVU0TbTyDDalb1

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2672	explorer.exe
2788	spoolsv.exe
1932	svchost.exe
2920	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
2672	explorer.exe
2672	explorer.exe
2788	spoolsv.exe
2788	spoolsv.exe
1932	svchost.exe
1932	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	c60dc3588a378da3b6849a3da4b1a480N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c60dc3588a378da3b6849a3da4b1a480N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe
2228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
1932	svchost.exe
1932	svchost.exe
2672	explorer.exe
1932	svchost.exe
2672	explorer.exe
1932	svchost.exe
2672	explorer.exe
1932	svchost.exe
2672	explorer.exe
1932	svchost.exe
2672	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2672	explorer.exe
1932	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
3028	c60dc3588a378da3b6849a3da4b1a480N.exe
2672	explorer.exe
2672	explorer.exe
2788	spoolsv.exe
2788	spoolsv.exe
1932	svchost.exe
1932	svchost.exe
2920	spoolsv.exe
2920	spoolsv.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2672	3028	c60dc3588a378da3b6849a3da4b1a480N.exe	30
PID 3028 wrote to memory of 2672	3028	c60dc3588a378da3b6849a3da4b1a480N.exe	30
PID 3028 wrote to memory of 2672	3028	c60dc3588a378da3b6849a3da4b1a480N.exe	30
PID 3028 wrote to memory of 2672	3028	c60dc3588a378da3b6849a3da4b1a480N.exe	30
PID 2672 wrote to memory of 2788	2672	explorer.exe	31
PID 2672 wrote to memory of 2788	2672	explorer.exe	31
PID 2672 wrote to memory of 2788	2672	explorer.exe	31
PID 2672 wrote to memory of 2788	2672	explorer.exe	31
PID 2788 wrote to memory of 1932	2788	spoolsv.exe	32
PID 2788 wrote to memory of 1932	2788	spoolsv.exe	32
PID 2788 wrote to memory of 1932	2788	spoolsv.exe	32
PID 2788 wrote to memory of 1932	2788	spoolsv.exe	32
PID 1932 wrote to memory of 2920	1932	svchost.exe	33
PID 1932 wrote to memory of 2920	1932	svchost.exe	33
PID 1932 wrote to memory of 2920	1932	svchost.exe	33
PID 1932 wrote to memory of 2920	1932	svchost.exe	33
PID 2672 wrote to memory of 2800	2672	explorer.exe	34
PID 2672 wrote to memory of 2800	2672	explorer.exe	34
PID 2672 wrote to memory of 2800	2672	explorer.exe	34
PID 2672 wrote to memory of 2800	2672	explorer.exe	34
PID 1932 wrote to memory of 2652	1932	svchost.exe	35
PID 1932 wrote to memory of 2652	1932	svchost.exe	35
PID 1932 wrote to memory of 2652	1932	svchost.exe	35
PID 1932 wrote to memory of 2652	1932	svchost.exe	35
PID 1932 wrote to memory of 2228	1932	svchost.exe	39
PID 1932 wrote to memory of 2228	1932	svchost.exe	39
PID 1932 wrote to memory of 2228	1932	svchost.exe	39
PID 1932 wrote to memory of 2228	1932	svchost.exe	39

C:\Users\Admin\AppData\Local\Temp\c60dc3588a378da3b6849a3da4b1a480N.exe
"C:\Users\Admin\AppData\Local\Temp\c60dc3588a378da3b6849a3da4b1a480N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2672
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1932
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2920
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:56 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2652
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:57 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2228
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
be3f9045b77b4df1acb3914b0828c666

SHA1
a2a807464d33c033f43a116cf8bfec552e07fce2

SHA256
c65a442f8e57909ac991f3ee133fb1ec218d2b640a653d22700db36e3c8ac563

SHA512
725a05a80a7e8332f5d8c87d2e1c6abc6081a376771f19299cf316e1c19e5de7fc96e9f5b271f838bbfb995769ee9693e6801fdf94f05b3cb4f233483520728e

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
206KB

MD5
b2bed64acedf67068c386d48fa840926

SHA1
d1395affed1d10f3ea748d19095da5608bdffc99

SHA256
65b6498aca63c1da88163a0f61408018979abcabc06c88e584134816a64c4672

SHA512
84524f01042708716195ec360e83e2318780a1a75270af548c4fae22c09a6677f51b5914131275fdc9d35fabb4f6297c58974798fbe0046d897cf24c220758e4

Download Submit
\Windows\Resources\svchost.exe

Filesize
206KB

MD5
b663aa3be278c07a3ae43fc0b82b2370

SHA1
1d6eb22b9fea98d1e5eccbe36096b180e216e31a

SHA256
b147be1e80c85dd1bf1307219c185ebf87b53f683ad5015a97ca7edac297515f

SHA512
40effe96e9b2b3e5c0c8c0755251e7031ec8f3c81c119e2b66d19ac6e9cb7174dbd28db43eb492538537141b139eae1f23959f0e4cb99e51c20e23971f24ed42

Download Submit
memory/1932-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-25-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2672-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-51-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-50-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download