cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
Size

206KB
MD5

7ad64fafa9a842691e93bb37bc90adf4
SHA1

93bf1c87e6714140ee6ccea4b026280a6c960e1a
SHA256

cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768
SHA512

b8d8ed24a2e600a16ff78c575c998d0a969396d57733448cfbae78684b35f68bb5d58e45c67ca4555871021adc12afeee762a8eabc0b9d84964131834157a540
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdA:/VqoCl/YgjxEufVU0TbTyDDalbA

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2376	explorer.exe
2920	spoolsv.exe
2500	svchost.exe
2900	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2376	explorer.exe
2376	explorer.exe
2920	spoolsv.exe
2920	spoolsv.exe
2500	svchost.exe
2500	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2972	schtasks.exe
2452	schtasks.exe
2280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2500	svchost.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2500	svchost.exe
2500	svchost.exe
2376	explorer.exe
2500	svchost.exe
2376	explorer.exe
2500	svchost.exe
2376	explorer.exe
2500	svchost.exe
2376	explorer.exe
2500	svchost.exe
2376	explorer.exe
2500	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2376	explorer.exe
2500	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
2376	explorer.exe
2376	explorer.exe
2920	spoolsv.exe
2920	spoolsv.exe
2500	svchost.exe
2500	svchost.exe
2900	spoolsv.exe
2900	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2376	2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe	30
PID 2112 wrote to memory of 2376	2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe	30
PID 2112 wrote to memory of 2376	2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe	30
PID 2112 wrote to memory of 2376	2112	cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe	30
PID 2376 wrote to memory of 2920	2376	explorer.exe	31
PID 2376 wrote to memory of 2920	2376	explorer.exe	31
PID 2376 wrote to memory of 2920	2376	explorer.exe	31
PID 2376 wrote to memory of 2920	2376	explorer.exe	31
PID 2920 wrote to memory of 2500	2920	spoolsv.exe	32
PID 2920 wrote to memory of 2500	2920	spoolsv.exe	32
PID 2920 wrote to memory of 2500	2920	spoolsv.exe	32
PID 2920 wrote to memory of 2500	2920	spoolsv.exe	32
PID 2500 wrote to memory of 2900	2500	svchost.exe	33
PID 2500 wrote to memory of 2900	2500	svchost.exe	33
PID 2500 wrote to memory of 2900	2500	svchost.exe	33
PID 2500 wrote to memory of 2900	2500	svchost.exe	33
PID 2376 wrote to memory of 2908	2376	explorer.exe	34
PID 2376 wrote to memory of 2908	2376	explorer.exe	34
PID 2376 wrote to memory of 2908	2376	explorer.exe	34
PID 2376 wrote to memory of 2908	2376	explorer.exe	34
PID 2500 wrote to memory of 2972	2500	svchost.exe	35
PID 2500 wrote to memory of 2972	2500	svchost.exe	35
PID 2500 wrote to memory of 2972	2500	svchost.exe	35
PID 2500 wrote to memory of 2972	2500	svchost.exe	35
PID 2500 wrote to memory of 2452	2500	svchost.exe	39
PID 2500 wrote to memory of 2452	2500	svchost.exe	39
PID 2500 wrote to memory of 2452	2500	svchost.exe	39
PID 2500 wrote to memory of 2452	2500	svchost.exe	39
PID 2500 wrote to memory of 2280	2500	svchost.exe	41
PID 2500 wrote to memory of 2280	2500	svchost.exe	41
PID 2500 wrote to memory of 2280	2500	svchost.exe	41
PID 2500 wrote to memory of 2280	2500	svchost.exe	41

C:\Users\Admin\AppData\Local\Temp\cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe
"C:\Users\Admin\AppData\Local\Temp\cad88a4457a8a3e203a4aeb0b1f837c48cff7a458b9e8f6b3ec22d1f16fcc768.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2376
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2500
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2900
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:33 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2972
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:34 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2452
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:35 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2280
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
8f6047c6e1b7262e897e70e2c74359ad

SHA1
6baa4bd156a927af05796356242d3bc1004d4bd8

SHA256
e44d3c7b9730c658a8f7d5eb334a515e61f5ea5c0c83d5f264c7ad84f0fb4c7d

SHA512
f172a516931b0c33beaa223afb6f9be87fdd6ffb3f2a59d4cfcc6877edd8af7c6f52f979a5ebc5b04c1e00ffcbc8f70f6878693c535eb7845f6fcfcbf9a749f5

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
206KB

MD5
2e5c3b526f95ce291ef7b1159327605c

SHA1
6759fb8614a7edf8630c306ac0fe998df33f4188

SHA256
6838b8f3d07a3495184569b78a2c9244fd51d0aea104100ee6b8ffa098e3fe12

SHA512
4eba8e0463552b188bbe5773efff78beaebdb41202337d7683c2ed98b33dbe6a65edbb69f99b9192636db40267788c55d72a2801bfe2cd5833df1d4cd12d5c25

Download Submit
\Windows\Resources\svchost.exe

Filesize
206KB

MD5
4966fa541a637fd0378227943dc73205

SHA1
8ed191bbc4e3f9dc2a768b8dadffc5ab3f428369

SHA256
373a3e2f5448d4774e3d7eed0848e1f8ab558ff97989fdd104dce02f8435e032

SHA512
ef0767934b5b576cc7c0e6fbd44ed3494b3d03316d4de2798c4e798c5f27287bb40bf44a4d1c307e22ff2617a70901097f7b2f6a28ecbea5ead1572d0a5f2f3f

Download Submit
memory/2112-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2112-12-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2112-13-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2112-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-57-0x0000000000320000-0x000000000034F000-memory.dmp

Filesize
188KB

Download
memory/2900-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-41-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/2920-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download