Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03/09/2024, 20:05
Behavioral task
behavioral1
Sample
24e16a2c305931b49153dc5d418c2bc0N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
24e16a2c305931b49153dc5d418c2bc0N.exe
Resource
win10v2004-20240802-en
General
-
Target
24e16a2c305931b49153dc5d418c2bc0N.exe
-
Size
2.5MB
-
MD5
24e16a2c305931b49153dc5d418c2bc0
-
SHA1
25680ed74739a088902d502789175b9516b968aa
-
SHA256
a5e81fe157143ee1e807d13bd4cce2c7c7f9b2b9a340ce3fc7bf0ced66acf4a8
-
SHA512
6aa5094619a804ef3bf22868ce67e37fccb245af0f07e7adf9366489f156282edcad09ea11cb70cc17b479fd0f67464f9a808a7a902c7d8e24613cdb4939d60f
-
SSDEEP
49152:PxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxZ:Pxx9NUFkQx753uWuCyyxZ
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 24e16a2c305931b49153dc5d418c2bc0N.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 24e16a2c305931b49153dc5d418c2bc0N.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 24e16a2c305931b49153dc5d418c2bc0N.exe -
Executes dropped EXE 4 IoCs
pid Process 3096 explorer.exe 1856 spoolsv.exe 4808 svchost.exe 1668 spoolsv.exe -
resource yara_rule behavioral2/memory/4436-0-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/3096-10-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/files/0x0008000000023489-9.dat themida behavioral2/files/0x000800000002348b-15.dat themida behavioral2/memory/1856-19-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/files/0x000800000002348d-26.dat themida behavioral2/memory/4808-28-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/1668-33-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/1668-38-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/4436-41-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/1856-42-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/3096-43-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/4808-44-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/3096-45-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/3096-55-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/4808-56-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/3096-57-0x0000000000400000-0x0000000000A0E000-memory.dmp themida -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 24e16a2c305931b49153dc5d418c2bc0N.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 3096 explorer.exe 1856 spoolsv.exe 4808 svchost.exe 1668 spoolsv.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification \??\c:\windows\resources\themes\explorer.exe 24e16a2c305931b49153dc5d418c2bc0N.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24e16a2c305931b49153dc5d418c2bc0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe 3096 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 3096 explorer.exe 4808 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 3096 explorer.exe 3096 explorer.exe 1856 spoolsv.exe 1856 spoolsv.exe 4808 svchost.exe 4808 svchost.exe 1668 spoolsv.exe 1668 spoolsv.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4436 wrote to memory of 3096 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 88 PID 4436 wrote to memory of 3096 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 88 PID 4436 wrote to memory of 3096 4436 24e16a2c305931b49153dc5d418c2bc0N.exe 88 PID 3096 wrote to memory of 1856 3096 explorer.exe 89 PID 3096 wrote to memory of 1856 3096 explorer.exe 89 PID 3096 wrote to memory of 1856 3096 explorer.exe 89 PID 1856 wrote to memory of 4808 1856 spoolsv.exe 90 PID 1856 wrote to memory of 4808 1856 spoolsv.exe 90 PID 1856 wrote to memory of 4808 1856 spoolsv.exe 90 PID 4808 wrote to memory of 1668 4808 svchost.exe 92 PID 4808 wrote to memory of 1668 4808 svchost.exe 92 PID 4808 wrote to memory of 1668 4808 svchost.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\24e16a2c305931b49153dc5d418c2bc0N.exe"C:\Users\Admin\AppData\Local\Temp\24e16a2c305931b49153dc5d418c2bc0N.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1668
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD57f5966aac8040b928ffcdce3fba3267c
SHA1225ab1b6e895c64193af4c53f16a4d2f3e2789c0
SHA256122545689065def293b0481ef623a621d45dba0eda8b055c10e3c4d368c34181
SHA512ebefba7e5a747d26db4f9afcf5a34b086f0f531d0cac563a1d29f24ec3ed0cad9a6c7516a215acd4df4de2031b6c28e81b0f0c7177c4a2e6b9dfe57bcd2265ad
-
Filesize
2.5MB
MD513be2ac424e775e70c797a34526db023
SHA1705bcf435f305c747951ecc85caaa0987b1bbf30
SHA256a0cf3d87425219a1dbb1de8e6977b0d7d5196658f5d3562d3eade223fed4c5f8
SHA512656999fc06b09479e2fe5e1fe46aa4a06e2727c506c6e5b0b6156e5daef34a6ea43ae409458fd17e40a12bf20fc5d882d5f7d571f5a8eb015b7f4e03aa2a3741
-
Filesize
2.5MB
MD5699e1341a262dd9e97a0290e067cc0f6
SHA1d198157a5d3a357e06f9b906ecb5f813f34a0539
SHA256eabe02e86d86698dd13a0722c3526af413da95949d5700be2c903379feceb4fc
SHA512ce22f7576340376d0adf804fe98cbcb883976ae63ad61f51b7fc5c85ffaee343c4606df3645bcab81d7754fc2c905caa188182735200b10e04d883c48d4f2f01