1975e84347e187b6dfecc3b35ae2a737036a71dbce2a3195a2bff2383f418e6d

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6c6100f9ee99a8d782b4b240ba20fa0N.exe
Size

206KB
MD5

e6c6100f9ee99a8d782b4b240ba20fa0
SHA1

5ee1001e95ed35662c9caf7f9d9275fcf26efb23
SHA256

1975e84347e187b6dfecc3b35ae2a737036a71dbce2a3195a2bff2383f418e6d
SHA512

7aa54a8005d4d3ad8e5feace00fd412a2d54808538c924a365e390c6a2ff7b937e62ce7784743ccc046a8430c76a2f1dd125f995f2966c87ba1859ff20297f49
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdMssssssssssssg:/VqoCl/YgjxEufVU0TbTyDDalbR

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2408	explorer.exe
2784	spoolsv.exe
2752	svchost.exe
2596	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
2408	explorer.exe
2408	explorer.exe
2784	spoolsv.exe
2784	spoolsv.exe
2752	svchost.exe
2752	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	e6c6100f9ee99a8d782b4b240ba20fa0N.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2676	schtasks.exe
1452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2408	explorer.exe
2752	svchost.exe
2408	explorer.exe
2408	explorer.exe
2752	svchost.exe
2752	svchost.exe
2408	explorer.exe
2408	explorer.exe
2752	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2752	svchost.exe
2408	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
2408	explorer.exe
2408	explorer.exe
2784	spoolsv.exe
2784	spoolsv.exe
2752	svchost.exe
2752	svchost.exe
2596	spoolsv.exe
2596	spoolsv.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 2408	628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe	31
PID 628 wrote to memory of 2408	628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe	31
PID 628 wrote to memory of 2408	628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe	31
PID 628 wrote to memory of 2408	628	e6c6100f9ee99a8d782b4b240ba20fa0N.exe	31
PID 2408 wrote to memory of 2784	2408	explorer.exe	32
PID 2408 wrote to memory of 2784	2408	explorer.exe	32
PID 2408 wrote to memory of 2784	2408	explorer.exe	32
PID 2408 wrote to memory of 2784	2408	explorer.exe	32
PID 2784 wrote to memory of 2752	2784	spoolsv.exe	33
PID 2784 wrote to memory of 2752	2784	spoolsv.exe	33
PID 2784 wrote to memory of 2752	2784	spoolsv.exe	33
PID 2784 wrote to memory of 2752	2784	spoolsv.exe	33
PID 2752 wrote to memory of 2596	2752	svchost.exe	34
PID 2752 wrote to memory of 2596	2752	svchost.exe	34
PID 2752 wrote to memory of 2596	2752	svchost.exe	34
PID 2752 wrote to memory of 2596	2752	svchost.exe	34
PID 2408 wrote to memory of 2548	2408	explorer.exe	35
PID 2408 wrote to memory of 2548	2408	explorer.exe	35
PID 2408 wrote to memory of 2548	2408	explorer.exe	35
PID 2408 wrote to memory of 2548	2408	explorer.exe	35
PID 2752 wrote to memory of 2676	2752	svchost.exe	36
PID 2752 wrote to memory of 2676	2752	svchost.exe	36
PID 2752 wrote to memory of 2676	2752	svchost.exe	36
PID 2752 wrote to memory of 2676	2752	svchost.exe	36
PID 2752 wrote to memory of 1452	2752	svchost.exe	39
PID 2752 wrote to memory of 1452	2752	svchost.exe	39
PID 2752 wrote to memory of 1452	2752	svchost.exe	39
PID 2752 wrote to memory of 1452	2752	svchost.exe	39

C:\Users\Admin\AppData\Local\Temp\e6c6100f9ee99a8d782b4b240ba20fa0N.exe
"C:\Users\Admin\AppData\Local\Temp\e6c6100f9ee99a8d782b4b240ba20fa0N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:628
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2408
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2752
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2596
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:49 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2676
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:50 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1452
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
eed49994307db535713d103948d2489f

SHA1
66c2723969aad676178d1f493b33016cb94566ea

SHA256
daa61f7f13e8500e80a440d52e343abcf645d935bc850386dcba8949daa00beb

SHA512
83f6c0fa1625ca47c87b9bbcf031a8e14ba9c344568bc5333dc6923e867e81e3370c331140670572ec7ac729346be6d24162a0138656058fa78b0d40ec11185d

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
206KB

MD5
eead61cd89ddb34ef03e673579857111

SHA1
87519da141477ec9ecedca45271e5e1cf20a1f3e

SHA256
9f1481affe536c97330f0d97317e0bfb62a2ff1a648df1cb87a2a03240f595e5

SHA512
ee1a0b6db7e5ac8df49d0ed801ada0f72cd0a4ed669b823fd97b7c39637e5b9e85bc175b83f09a174b7fe24dc1a73362bbeb715cdf53a859031b21e03237362c

Download Submit
\Windows\Resources\svchost.exe

Filesize
206KB

MD5
1b14a1f67e92d415a2381da7a9567d3d

SHA1
a527c3de2f81d2f350e069479b151d1968a0adc4

SHA256
a9f438cf550142c8dabf1a024b984559050c6ef8868fef050b3a65e60b6e1958

SHA512
d40461b988698ab18a79ff2e58894a227393218acbf665483657ddcfd9313145a100981c0768c92ef0f37f3832e59e798a25ad96c010213de9f35a001e0a5836

Download Submit
memory/628-13-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/628-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/628-14-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/628-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-27-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2408-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-58-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2596-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2784-37-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2784-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download