7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
Size

135KB
MD5

58152863ee670eca3dbf9a2430759bc4
SHA1

20d0c59274bf766666b701327a2c8aea8b4f26d6
SHA256

7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc
SHA512

1da8ee454dcdda81f11453ff29215f9a393a4744b43e1af24c0ae4fef4447a6cf8bf8d54f4f1404657c001b8aa7831e0d5b264e61bd76ac64e4ff43bf14a8fcc
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVBu:UVqoCl/YgjxEufVU0TbTyDDal7u

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2264	explorer.exe
3036	spoolsv.exe
2224	svchost.exe
2928	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2264	explorer.exe
3036	spoolsv.exe
2224	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2160	schtasks.exe
1172	schtasks.exe
1856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2264	explorer.exe
2224	svchost.exe
2264	explorer.exe
2224	svchost.exe
2264	explorer.exe
2264	explorer.exe
2224	svchost.exe
2224	svchost.exe
2264	explorer.exe
2224	svchost.exe
2264	explorer.exe
2264	explorer.exe
2224	svchost.exe
2224	svchost.exe
2264	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2224	svchost.exe
2264	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2264	explorer.exe
2264	explorer.exe
3036	spoolsv.exe
3036	spoolsv.exe
2224	svchost.exe
2224	svchost.exe
2928	spoolsv.exe
2928	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2264	2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe	30
PID 2516 wrote to memory of 2264	2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe	30
PID 2516 wrote to memory of 2264	2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe	30
PID 2516 wrote to memory of 2264	2516	7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe	30
PID 2264 wrote to memory of 3036	2264	explorer.exe	31
PID 2264 wrote to memory of 3036	2264	explorer.exe	31
PID 2264 wrote to memory of 3036	2264	explorer.exe	31
PID 2264 wrote to memory of 3036	2264	explorer.exe	31
PID 3036 wrote to memory of 2224	3036	spoolsv.exe	32
PID 3036 wrote to memory of 2224	3036	spoolsv.exe	32
PID 3036 wrote to memory of 2224	3036	spoolsv.exe	32
PID 3036 wrote to memory of 2224	3036	spoolsv.exe	32
PID 2224 wrote to memory of 2928	2224	svchost.exe	33
PID 2224 wrote to memory of 2928	2224	svchost.exe	33
PID 2224 wrote to memory of 2928	2224	svchost.exe	33
PID 2224 wrote to memory of 2928	2224	svchost.exe	33
PID 2264 wrote to memory of 2796	2264	explorer.exe	34
PID 2264 wrote to memory of 2796	2264	explorer.exe	34
PID 2264 wrote to memory of 2796	2264	explorer.exe	34
PID 2264 wrote to memory of 2796	2264	explorer.exe	34
PID 2224 wrote to memory of 2160	2224	svchost.exe	35
PID 2224 wrote to memory of 2160	2224	svchost.exe	35
PID 2224 wrote to memory of 2160	2224	svchost.exe	35
PID 2224 wrote to memory of 2160	2224	svchost.exe	35
PID 2224 wrote to memory of 1172	2224	svchost.exe	39
PID 2224 wrote to memory of 1172	2224	svchost.exe	39
PID 2224 wrote to memory of 1172	2224	svchost.exe	39
PID 2224 wrote to memory of 1172	2224	svchost.exe	39
PID 2224 wrote to memory of 1856	2224	svchost.exe	41
PID 2224 wrote to memory of 1856	2224	svchost.exe	41
PID 2224 wrote to memory of 1856	2224	svchost.exe	41
PID 2224 wrote to memory of 1856	2224	svchost.exe	41

C:\Users\Admin\AppData\Local\Temp\7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
"C:\Users\Admin\AppData\Local\Temp\7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2264
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2224
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2928
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:49 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2160
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:50 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1172
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:51 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1856
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
a1638c9ff519b2633da7641d1aec478e

SHA1
4e8a5ff530cca92de2fb652043166c93be7e8715

SHA256
19f727ab0bd87cb2ece8c667541cf26b320b146afb477a46712ed25b310e95b7

SHA512
cc884c0038892593d91fd300c5134cf0eedabe6e8961a6cd6edffb502230f0203ed86212feca9621ae42ed14bcb6643f5fcfe3d40fa07909738fd3081f400e19

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
2b02a4ba40c59499f713570f11f523d7

SHA1
b75166ac1f9e50b6704630b0315432cc5d65d671

SHA256
cc7b7af8bcaa31a4dd780f944e053d16d27e7488ca2f9837b4351edbe01ed8bb

SHA512
6cd9718b332dff29bf2b4bc087b7a59fb402918b2ec8a38414371019b64daf2223d261196f2df6ab6aed8be403e115450deddb4026284651e9053b0280d66939

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
433f7b32707543c8ebd198bb82b58cc1

SHA1
bb530b7b169654936c45f44e904ed5a7830a46ea

SHA256
cf8e8126ea4ad98825f72c8e867f1d4abd16367b15c7c30b9316beffce63091c

SHA512
3c90133920dc874aec4f70d0c8c2ed89bd09abf5d98c337fc91e44ed7375438ea54b6ca4d60ae385e85feec55bf159fbf1111395522e294dbaf6b37deb958439

Download Submit
memory/2224-37-0x0000000000280000-0x000000000029F000-memory.dmp

Filesize
124KB

Download
memory/2224-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2264-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2516-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2516-8-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2516-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2928-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3036-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download