f7f938bb5f31aa6bd0356fc7af470fff4a662debcd18d57910745e6bc579cbd5

Analysis

max time kernel
120s
max time network
15s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 11:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d4faf1d33c2f11d18713ed71609eab10N.exe
Size

741KB
MD5

d4faf1d33c2f11d18713ed71609eab10
SHA1

162fae55964e97f995e8f7040b37a3430cd844ec
SHA256

f7f938bb5f31aa6bd0356fc7af470fff4a662debcd18d57910745e6bc579cbd5
SHA512

24eae2c9b2c5332d68f84406386fb11731eada01587ba89aca8c8d0aa05c7f955fd9199d8b86a8091fa7078ad6b19fd49914556e987f83a53ae97fdc4ac0323d
SSDEEP

12288:ltTuhKN45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1F2:lIw4kt0Kd6F6CNzYhUiEWEYcwO

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2824	explorer.exe
2872	spoolsv.exe
2764	svchost.exe
2812	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2824	explorer.exe
2872	spoolsv.exe
2764	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

pid	Process
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2824	explorer.exe
2872	spoolsv.exe
2764	svchost.exe
2812	spoolsv.exe
2824	explorer.exe
2764	svchost.exe
2824	explorer.exe
2764	svchost.exe
2824	explorer.exe
2764	svchost.exe
2824	explorer.exe
2764	svchost.exe
2824	explorer.exe
2764	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	d4faf1d33c2f11d18713ed71609eab10N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4faf1d33c2f11d18713ed71609eab10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2632	schtasks.exe
2924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2872	spoolsv.exe
2872	spoolsv.exe
2872	spoolsv.exe
2872	spoolsv.exe
2872	spoolsv.exe
2872	spoolsv.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2824	explorer.exe
2764	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2548	d4faf1d33c2f11d18713ed71609eab10N.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2872	spoolsv.exe
2872	spoolsv.exe
2872	spoolsv.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2812	spoolsv.exe
2812	spoolsv.exe
2812	spoolsv.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2824	2548	d4faf1d33c2f11d18713ed71609eab10N.exe	29
PID 2548 wrote to memory of 2824	2548	d4faf1d33c2f11d18713ed71609eab10N.exe	29
PID 2548 wrote to memory of 2824	2548	d4faf1d33c2f11d18713ed71609eab10N.exe	29
PID 2548 wrote to memory of 2824	2548	d4faf1d33c2f11d18713ed71609eab10N.exe	29
PID 2824 wrote to memory of 2872	2824	explorer.exe	30
PID 2824 wrote to memory of 2872	2824	explorer.exe	30
PID 2824 wrote to memory of 2872	2824	explorer.exe	30
PID 2824 wrote to memory of 2872	2824	explorer.exe	30
PID 2872 wrote to memory of 2764	2872	spoolsv.exe	31
PID 2872 wrote to memory of 2764	2872	spoolsv.exe	31
PID 2872 wrote to memory of 2764	2872	spoolsv.exe	31
PID 2872 wrote to memory of 2764	2872	spoolsv.exe	31
PID 2764 wrote to memory of 2812	2764	svchost.exe	32
PID 2764 wrote to memory of 2812	2764	svchost.exe	32
PID 2764 wrote to memory of 2812	2764	svchost.exe	32
PID 2764 wrote to memory of 2812	2764	svchost.exe	32
PID 2824 wrote to memory of 2676	2824	explorer.exe	33
PID 2824 wrote to memory of 2676	2824	explorer.exe	33
PID 2824 wrote to memory of 2676	2824	explorer.exe	33
PID 2824 wrote to memory of 2676	2824	explorer.exe	33
PID 2764 wrote to memory of 2632	2764	svchost.exe	34
PID 2764 wrote to memory of 2632	2764	svchost.exe	34
PID 2764 wrote to memory of 2632	2764	svchost.exe	34
PID 2764 wrote to memory of 2632	2764	svchost.exe	34
PID 2764 wrote to memory of 2924	2764	svchost.exe	37
PID 2764 wrote to memory of 2924	2764	svchost.exe	37
PID 2764 wrote to memory of 2924	2764	svchost.exe	37
PID 2764 wrote to memory of 2924	2764	svchost.exe	37

C:\Users\Admin\AppData\Local\Temp\d4faf1d33c2f11d18713ed71609eab10N.exe
"C:\Users\Admin\AppData\Local\Temp\d4faf1d33c2f11d18713ed71609eab10N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2824
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2764
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2812
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 11:28 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2632
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 11:29 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2924
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
741KB

MD5
25c6225e0c43e82049d2b7419b7e4dff

SHA1
52fb0c886856f4b457d1e78b8aabad2c6df6a30d

SHA256
dc6117912aa92ea97b32ee6d83f06abd91990b79677b3e7159ca1406a9b9cdaf

SHA512
58e1b624bb853b026a0e960b99f9adfe2be16a7113779b86bb3fd30fe276557ed63fc8552228ab3648cb00b78ba84aa9e06aecadda6f160631dc548e807290b7

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
741KB

MD5
8ab46bb4608054616931a8ecd47d2a6b

SHA1
5ab7b4bbf4e0da075715f875120dacc19b1d43fb

SHA256
9f4ce0aac0b4c0ea1e6d84902cd5d37e145b1835b49c727aa48ab16cf42da973

SHA512
f7d53c7a32c85ed97c62deb05471ba8ad62baa36f84c9fd346cf42f05cb86651853154e1a5389fe55c1577fd1c818e4a163c0c2944456564cfe8aba4ebfbc115

Download Submit
\Windows\Resources\svchost.exe

Filesize
741KB

MD5
ee50e111570abfae33afbb45ec12df41

SHA1
df48a065dfd86a85fb2747cfddeddfd2aa45fdd0

SHA256
b1c3a79bcf52bf5d1dc9ab452b15afe076ee703a369cba60e197b43850307bb1

SHA512
650605a440fd593106f604cd4ecf9ce9f409205c353b9f92193a38c74d036af38286daeedabb0b85a365cc42010ae0e63a315dd38f93701d84186591a104214d

Download Submit
memory/2548-51-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2548-53-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2548-9-0x0000000003940000-0x0000000003CB2000-memory.dmp

Filesize
3.4MB

Download
memory/2548-0-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2548-49-0x0000000003940000-0x0000000003CB2000-memory.dmp

Filesize
3.4MB

Download
memory/2548-48-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2764-40-0x0000000003960000-0x0000000003CD2000-memory.dmp

Filesize
3.4MB

Download
memory/2764-71-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2764-33-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2764-75-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2764-65-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2764-77-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2764-55-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2764-57-0x0000000003960000-0x0000000003CD2000-memory.dmp

Filesize
3.4MB

Download
memory/2764-59-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2812-46-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2812-41-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2824-50-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2824-64-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2824-62-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2824-66-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2824-68-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2824-11-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2872-47-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2872-32-0x0000000003710000-0x0000000003A82000-memory.dmp

Filesize
3.4MB

Download