1be157cb50aad7c7701f0452c1cee83af1f92829ac626e269eb48bdb366dc2cf

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e22c5225bf67acd487a752c4a3a96a00N.exe
Size

135KB
MD5

e22c5225bf67acd487a752c4a3a96a00
SHA1

98bcfae35beb6f257d5ca8d7e3ee1904249032fc
SHA256

1be157cb50aad7c7701f0452c1cee83af1f92829ac626e269eb48bdb366dc2cf
SHA512

ff6528e60c978b4fba34b69f14a366b216eaf8c5e210b9d7651071538daf935256f97c23cf9ab4b3e23dc3369679fc23a3e2f60df3b9b235173f06edb13fd1e3
SSDEEP

1536:XfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbgft:XVqoCl/YgjxEufVU0TbTyDDalkt

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3612	explorer.exe
1120	spoolsv.exe
384	svchost.exe
4208	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	e22c5225bf67acd487a752c4a3a96a00N.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e22c5225bf67acd487a752c4a3a96a00N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe
3612	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3612	explorer.exe
384	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3528	e22c5225bf67acd487a752c4a3a96a00N.exe
3612	explorer.exe
3612	explorer.exe
1120	spoolsv.exe
1120	spoolsv.exe
384	svchost.exe
384	svchost.exe
4208	spoolsv.exe
4208	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 3612	3528	e22c5225bf67acd487a752c4a3a96a00N.exe	86
PID 3528 wrote to memory of 3612	3528	e22c5225bf67acd487a752c4a3a96a00N.exe	86
PID 3528 wrote to memory of 3612	3528	e22c5225bf67acd487a752c4a3a96a00N.exe	86
PID 3612 wrote to memory of 1120	3612	explorer.exe	87
PID 3612 wrote to memory of 1120	3612	explorer.exe	87
PID 3612 wrote to memory of 1120	3612	explorer.exe	87
PID 1120 wrote to memory of 384	1120	spoolsv.exe	88
PID 1120 wrote to memory of 384	1120	spoolsv.exe	88
PID 1120 wrote to memory of 384	1120	spoolsv.exe	88
PID 384 wrote to memory of 4208	384	svchost.exe	89
PID 384 wrote to memory of 4208	384	svchost.exe	89
PID 384 wrote to memory of 4208	384	svchost.exe	89

C:\Users\Admin\AppData\Local\Temp\e22c5225bf67acd487a752c4a3a96a00N.exe
"C:\Users\Admin\AppData\Local\Temp\e22c5225bf67acd487a752c4a3a96a00N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3528
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3612
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:384
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
de5b0cb1a5cf6e2dc09eef93cde784ef

SHA1
6d5e52bff1f04fb6ebea279f1b84a17b9caf6601

SHA256
f1163211dca727644cd9b55bdc43b326ae6e9f87ae033a91a20c50a6b6283999

SHA512
8c71aef19b4a2063071215f2b77b495c8e9c4df8c511e42af538bb3e33fa3145b23803ad9f1b26534b9f14810dbc52cf8f61bb0a93d457983e914ea8bec53f49

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
4c4ea4fcaea8e4760d1d497d94cd834f

SHA1
9536667ed3e5856e3eeb7a18c8e338d63bebdc70

SHA256
e40d5e159096762b443e882c0e06289ec053b8aa717dbce731714358e83b52ec

SHA512
28c46a7736894132b94b6a24c49134d9fb3c004a2e1789ae3c30241bb9a87f14bcc50963b7e6d70e1e1449df4c41708b7f9d42457cc3b2380258a68fe00732b5

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
b924d609bcb26c04521077fae0231f22

SHA1
391bb5726c34d94ff76c8deb2884f6ad817f2f25

SHA256
67339b76ac61d1a2109b43810ae527444a03a319681fd3f011286bb4e0802161

SHA512
292e0d9635076cfc0aef77159550d1ff12ca909a382101150bb83298e2e82834f1160be1f820190e4592d66b6cc961a9985c107b52b895ee48d02fc7f3923a84

Download Submit
memory/384-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1120-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3528-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3528-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3612-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4208-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download