1975e84347e187b6dfecc3b35ae2a737036a71dbce2a3195a2bff2383f418e6d

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6c6100f9ee99a8d782b4b240ba20fa0N.exe
Size

206KB
MD5

e6c6100f9ee99a8d782b4b240ba20fa0
SHA1

5ee1001e95ed35662c9caf7f9d9275fcf26efb23
SHA256

1975e84347e187b6dfecc3b35ae2a737036a71dbce2a3195a2bff2383f418e6d
SHA512

7aa54a8005d4d3ad8e5feace00fd412a2d54808538c924a365e390c6a2ff7b937e62ce7784743ccc046a8430c76a2f1dd125f995f2966c87ba1859ff20297f49
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdMssssssssssssg:/VqoCl/YgjxEufVU0TbTyDDalbR

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3584	explorer.exe
4296	spoolsv.exe
3364	svchost.exe
1172	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	e6c6100f9ee99a8d782b4b240ba20fa0N.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3584	explorer.exe
3364	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe
3584	explorer.exe
3584	explorer.exe
4296	spoolsv.exe
4296	spoolsv.exe
3364	svchost.exe
3364	svchost.exe
1172	spoolsv.exe
1172	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 3584	712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe	84
PID 712 wrote to memory of 3584	712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe	84
PID 712 wrote to memory of 3584	712	e6c6100f9ee99a8d782b4b240ba20fa0N.exe	84
PID 3584 wrote to memory of 4296	3584	explorer.exe	86
PID 3584 wrote to memory of 4296	3584	explorer.exe	86
PID 3584 wrote to memory of 4296	3584	explorer.exe	86
PID 4296 wrote to memory of 3364	4296	spoolsv.exe	87
PID 4296 wrote to memory of 3364	4296	spoolsv.exe	87
PID 4296 wrote to memory of 3364	4296	spoolsv.exe	87
PID 3364 wrote to memory of 1172	3364	svchost.exe	88
PID 3364 wrote to memory of 1172	3364	svchost.exe	88
PID 3364 wrote to memory of 1172	3364	svchost.exe	88

C:\Users\Admin\AppData\Local\Temp\e6c6100f9ee99a8d782b4b240ba20fa0N.exe
"C:\Users\Admin\AppData\Local\Temp\e6c6100f9ee99a8d782b4b240ba20fa0N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:712
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3584
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3364
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
d75144a89ddc44059bc9f15cc0a12c65

SHA1
43075f8a07efb433f5ec33a754cddcae723d7342

SHA256
4bda52d897107ae2d65481a043ff9bd1d724113328fb4cb39db6ae9a7f4cc629

SHA512
67ec1d0011a1390c0ae54815baa9f24edc180ab392b7740bbc73f495febd5952aaadd8e7c0cd27c719101c7a28739bfe1ea5f3c8ecd55db86bf37acdbb425f21

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
206KB

MD5
d4335f3812e70f7337cdcd86cd2e96f4

SHA1
16793e6424931f57762ccb86222be71e8e2b3336

SHA256
0cf01efdd31603f9e7e19d380778409b43f5c0b289e22d056310f6488a9b5b63

SHA512
f5054d6fb20495a3cd944cad4c016ca56a3907e22bb31f0e4588b984a2218ef147d4215dbb3687ce4ca5dbbcc2f376e1a96eec637acfb32d8eea326c489decc0

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
206KB

MD5
8cb601dd54fac1dd7ec817e4159dcbb2

SHA1
c2870f3053c6b803a84563b34ed9344ca26ca01f

SHA256
16fb59ee4b6ce022f17b27e23fab7438ccfe7330315e7c6cc16ef1686f6b14ca

SHA512
bee357e08e329dd823e7069ae55aff0ea267d91571ece05170cf3cc96b1aa505f9f5cfd0281b18561cfdfadca5f2702679856b7ca099615ef0ba9bf4ea6d99a8

Download Submit
memory/712-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/712-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3364-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3584-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4296-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download