61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
Size

206KB
MD5

458edce3317d37eb25502dedaa033723
SHA1

0b31b9a5b318520a511fef9a25ee2577f22c4ca9
SHA256

61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e
SHA512

52e6fb4f5bd2f46a9c81357a1351dd2f28ac703121674074a15342dc306afb3d5a290f58f28ac30b241c75d8a1354ef2d4b99b23c80e00e41a64c10c6f9fbd63
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdI:/VqoCl/YgjxEufVU0TbTyDDalbI

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1156	explorer.exe
2168	spoolsv.exe
2300	svchost.exe
2856	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
1156	explorer.exe
1156	explorer.exe
2168	spoolsv.exe
2168	spoolsv.exe
2300	svchost.exe
2300	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2740	schtasks.exe
808	schtasks.exe
2508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
2300	svchost.exe
2300	svchost.exe
1156	explorer.exe
2300	svchost.exe
1156	explorer.exe
2300	svchost.exe
1156	explorer.exe
2300	svchost.exe
1156	explorer.exe
2300	svchost.exe
1156	explorer.exe
2300	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1156	explorer.exe
2300	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
1156	explorer.exe
1156	explorer.exe
2168	spoolsv.exe
2168	spoolsv.exe
2300	svchost.exe
2300	svchost.exe
2856	spoolsv.exe
2856	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 1156	648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe	30
PID 648 wrote to memory of 1156	648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe	30
PID 648 wrote to memory of 1156	648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe	30
PID 648 wrote to memory of 1156	648	61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe	30
PID 1156 wrote to memory of 2168	1156	explorer.exe	31
PID 1156 wrote to memory of 2168	1156	explorer.exe	31
PID 1156 wrote to memory of 2168	1156	explorer.exe	31
PID 1156 wrote to memory of 2168	1156	explorer.exe	31
PID 2168 wrote to memory of 2300	2168	spoolsv.exe	32
PID 2168 wrote to memory of 2300	2168	spoolsv.exe	32
PID 2168 wrote to memory of 2300	2168	spoolsv.exe	32
PID 2168 wrote to memory of 2300	2168	spoolsv.exe	32
PID 2300 wrote to memory of 2856	2300	svchost.exe	33
PID 2300 wrote to memory of 2856	2300	svchost.exe	33
PID 2300 wrote to memory of 2856	2300	svchost.exe	33
PID 2300 wrote to memory of 2856	2300	svchost.exe	33
PID 1156 wrote to memory of 2756	1156	explorer.exe	34
PID 1156 wrote to memory of 2756	1156	explorer.exe	34
PID 1156 wrote to memory of 2756	1156	explorer.exe	34
PID 1156 wrote to memory of 2756	1156	explorer.exe	34
PID 2300 wrote to memory of 2740	2300	svchost.exe	35
PID 2300 wrote to memory of 2740	2300	svchost.exe	35
PID 2300 wrote to memory of 2740	2300	svchost.exe	35
PID 2300 wrote to memory of 2740	2300	svchost.exe	35
PID 2300 wrote to memory of 808	2300	svchost.exe	39
PID 2300 wrote to memory of 808	2300	svchost.exe	39
PID 2300 wrote to memory of 808	2300	svchost.exe	39
PID 2300 wrote to memory of 808	2300	svchost.exe	39
PID 2300 wrote to memory of 2508	2300	svchost.exe	41
PID 2300 wrote to memory of 2508	2300	svchost.exe	41
PID 2300 wrote to memory of 2508	2300	svchost.exe	41
PID 2300 wrote to memory of 2508	2300	svchost.exe	41

C:\Users\Admin\AppData\Local\Temp\61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe
"C:\Users\Admin\AppData\Local\Temp\61727e3a7ee95d91f3d377f65b11582d05ca99859faf57cab67a24177662ca6e.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:648
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1156
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2300
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2856
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:29 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2740
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:30 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:808
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:31 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2508
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\svchost.exe

Filesize
206KB

MD5
2411ebe129651ca22d06ec2103e14c5c

SHA1
0d67949491ee79d3e4bc6378c94c9ef11157f82c

SHA256
d3aa52cc921d2f842e2b29f47880c1548f205d4ca2b8f08daef1e90cfb7e23ab

SHA512
8319c51dc85bc701b503176e9265846d793a737063f32cbd18a1eae81c338f4b60d99422035c4613cd2b6904a93a7eddcb28bcfe6521a689ab94f69901c9016f

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
7efcc1c4f3cdf28724a6513b19dd93fd

SHA1
bdfa1cf4316411cc80df460099291797dd7f8239

SHA256
7dd3b195967a416b698c599b03125f172c1fb85b38eddcce85eec0c91e9135fc

SHA512
15ac7567c47b693b5d691ca5bebecbeea6146c8817c6b72c15086ecba6d024fa0029677c592c897ca21b21a96913f056ee43aaeb2c290039473756dcf5cd587d

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
207KB

MD5
64fa6df596ffa3d0732ecb92ead04797

SHA1
d077af4293ec96258d0ac6029dcab6b562d82ad1

SHA256
54aeda82df294106400f08e6e9d3ba0af1df1812922aee4ad35948b671cffe2e

SHA512
a30e132b3efa36ac127640cc123c2062a9e3caca2e58033187daf6d05d16e52b34fb017b92702e9fd6a1db7a49f841eb78ae23bbf69b882b0d11524338977b6a

Download Submit
memory/648-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/648-13-0x00000000005A0000-0x00000000005CF000-memory.dmp

Filesize
188KB

Download
memory/648-12-0x00000000005A0000-0x00000000005CF000-memory.dmp

Filesize
188KB

Download
memory/648-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1156-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-41-0x00000000004F0000-0x000000000051F000-memory.dmp

Filesize
188KB

Download
memory/2168-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-51-0x0000000000240000-0x000000000026F000-memory.dmp

Filesize
188KB

Download
memory/2300-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download