Analysis
max time kernel: 120s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 09:17
Static task: static1
Behavioral task: behavioral1
  Sample: 8cc042c84aa3b910a6a8af2b9e5d64b0N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 8cc042c84aa3b910a6a8af2b9e5d64b0N.exe
  Resource: win10v2004-20240802-en
General
Target: 8cc042c84aa3b910a6a8af2b9e5d64b0N.exe
Size: 206KB
MD5: 8cc042c84aa3b910a6a8af2b9e5d64b0
SHA1: 6d98cad862ff6eae9ae6fcbe50dd0f4ba4d19159
SHA256: eb872a057436f78449d2eb3149fa07ec7278ccd1797e5038a734966a2f4f430c
SHA512: eab97c8c9c623ca7c5b65fec64e18f654a27a4d1656b2ece6249a749ff736f14ea9215148fedda76358dbcb47c8d02f0ed1b0cd0dbd44d50a320a96c8be2e989
SSDEEP: 1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdi:/VqoCl/YgjxEufVU0TbTyDDalbi
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
3056 | explorer.exe
4776 | spoolsv.exe
2132 | svchost.exe
1716 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 8cc042c84aa3b910a6a8af2b9e5d64b0N.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8cc042c84aa3b910a6a8af2b9e5d64b0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2672 | 8cc042c84aa3b910a6a8af2b9e5d64b0N.exe
3056 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
3056 | explorer.exe
2132 | svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process
2672 | 8cc042c84aa3b910a6a8af2b9e5d64b0N.exe
3056 | explorer.exe
4776 | spoolsv.exe
2132 | svchost.exe
1716 | spoolsv.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2672 wrote to memory of 3056 | 2672 | 8cc042c84aa3b910a6a8af2b9e5d64b0N.exe | 84
PID 3056 wrote to memory of 4776 | 3056 | explorer.exe | 85
PID 4776 wrote to memory of 2132 | 4776 | spoolsv.exe | 86
PID 2132 wrote to memory of 1716 | 2132 | svchost.exe | 87
Processes
C:\Users\Admin\AppData\Local\Temp\8cc042c84aa3b910a6a8af2b9e5d64b0N.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\8cc042c84aa3b910a6a8af2b9e5d64b0N.exe"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2672
\??\c:\windows\resources\themes\explorer.exe (depth 2)
Command line: c:\windows\resources\themes\explorer.exe
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3056
\??\c:\windows\resources\spoolsv.exe (depth 3)
Command line: c:\windows\resources\spoolsv.exe SE
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4776
\??\c:\windows\resources\svchost.exe (depth 4)
Command line: c:\windows\resources\svchost.exe
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2132
\??\c:\windows\resources\spoolsv.exe (depth 5)
Command line: c:\windows\resources\spoolsv.exe PR
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1716
Network
MITRE ATT&CK Enterprise v15
Downloads