6cfbc35636edc4b6f29c017d38c3861a64165c3a6d78e348c53cae22ee19db08

Analysis

max time kernel
120s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d037518b72d14dbe71f18bb38e868190N.exe
Size

135KB
MD5

d037518b72d14dbe71f18bb38e868190
SHA1

e2b297a82c978a3b18b0ce33239123fc14e354c6
SHA256

6cfbc35636edc4b6f29c017d38c3861a64165c3a6d78e348c53cae22ee19db08
SHA512

bae1850e51c8d40a7a5fab271327c3049e8fb724818f58e04d20d32b0b0eb00a18051e95c51260dceb736b5666af7489c8d5544795bf9ac6eac587197b6d734a
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV+nRRRRRRRRRRRRf:UVqoCl/YgjxEufVU0TbTyDDal0P

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3648	explorer.exe
3236	spoolsv.exe
4992	svchost.exe
3932	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	d037518b72d14dbe71f18bb38e868190N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d037518b72d14dbe71f18bb38e868190N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3648	explorer.exe
4992	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4560	d037518b72d14dbe71f18bb38e868190N.exe
4560	d037518b72d14dbe71f18bb38e868190N.exe
3648	explorer.exe
3648	explorer.exe
3236	spoolsv.exe
3236	spoolsv.exe
4992	svchost.exe
4992	svchost.exe
3932	spoolsv.exe
3932	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 3648	4560	d037518b72d14dbe71f18bb38e868190N.exe	84
PID 4560 wrote to memory of 3648	4560	d037518b72d14dbe71f18bb38e868190N.exe	84
PID 4560 wrote to memory of 3648	4560	d037518b72d14dbe71f18bb38e868190N.exe	84
PID 3648 wrote to memory of 3236	3648	explorer.exe	86
PID 3648 wrote to memory of 3236	3648	explorer.exe	86
PID 3648 wrote to memory of 3236	3648	explorer.exe	86
PID 3236 wrote to memory of 4992	3236	spoolsv.exe	87
PID 3236 wrote to memory of 4992	3236	spoolsv.exe	87
PID 3236 wrote to memory of 4992	3236	spoolsv.exe	87
PID 4992 wrote to memory of 3932	4992	svchost.exe	89
PID 4992 wrote to memory of 3932	4992	svchost.exe	89
PID 4992 wrote to memory of 3932	4992	svchost.exe	89

C:\Users\Admin\AppData\Local\Temp\d037518b72d14dbe71f18bb38e868190N.exe
"C:\Users\Admin\AppData\Local\Temp\d037518b72d14dbe71f18bb38e868190N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4560
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3648
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4992
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
72cdad7697dc89b20153d2e9b1989048

SHA1
16a1ab9568fa5895a8c88340ae6d405e2d0b1a89

SHA256
c867792a0bd4608002dd4fd15e29fe4d22d17c133215153d30a08e691297f3cd

SHA512
77df99f6b0ae005cf758c77731367477e27ab7225a62f8b4949a684230998d309d74a4f673ae09537fb47226942dc2009c06f4fab365fa7a7c0efbd19a023cdb

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
9c268779fc41bbcacfdb92ee85a66c3e

SHA1
5439a39ba73a25542f2dac64809ddcdbc120c747

SHA256
1d66699f0822b6f066281b46b571ee5c161899d5905d4e191c914911843f8f86

SHA512
eecff807bbcaecf6d6b3c046a60697e0bfdd731bbc38761b10c0e93dc32b960a42085c210e4b9724cf546c090bb20ce2f01cc74877c0db542dc2f28a9b5246ca

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
7ee46c908fd246e85c5b8e97f82085a1

SHA1
db0d470a0eb458d79e09d2eab78b5b6fbdcad5a4

SHA256
09a1e2e6070411f89c84eab3a9156bbd77aed11a58596e00af31dd9da8480b1a

SHA512
22f9baf24951d42c9aa212a07ee8ce9c92a158f8fc86c8b76b68f41cc8ef26fb4a8643898fe677ba05d6fb5d08367673aa119db3449973241850f0c06d07a58d

Download Submit
memory/3236-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3648-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3932-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4560-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4560-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4992-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download