ac14d042c3ccd1d6098433bd54e37e275d53194c40e0594892e9676faa6ce25c

Analysis

max time kernel
120s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66c08694a84314b53bacde050af39730N.exe
Size

206KB
MD5

66c08694a84314b53bacde050af39730
SHA1

ad6e2c01041589df7b6375634e4e155505e05eca
SHA256

ac14d042c3ccd1d6098433bd54e37e275d53194c40e0594892e9676faa6ce25c
SHA512

a4d72e608400709a1628481c9093acfbeb2555cc210435f6770d624c5d624e09286185c7bd3f2942463b117a3f05984410c283d1c8164a8f598ef9878950f1bd
SSDEEP

3072:/VqoCl/YgjxEufVU0TbTyDDalblsssssssssssssssssssssssssssssssssssst:/sLqdufVUNDaJ

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2336	explorer.exe
2924	spoolsv.exe
2892	svchost.exe
2844	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2336	explorer.exe
2336	explorer.exe
2924	spoolsv.exe
2924	spoolsv.exe
2892	svchost.exe
2892	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	66c08694a84314b53bacde050af39730N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66c08694a84314b53bacde050af39730N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2796	schtasks.exe
1152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2336	explorer.exe
2336	explorer.exe
2892	svchost.exe
2892	svchost.exe
2336	explorer.exe
2336	explorer.exe
2892	svchost.exe
2336	explorer.exe
2892	svchost.exe
2336	explorer.exe
2892	svchost.exe
2336	explorer.exe
2892	svchost.exe
2336	explorer.exe
2892	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2892	svchost.exe
2336	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2372	66c08694a84314b53bacde050af39730N.exe
2372	66c08694a84314b53bacde050af39730N.exe
2336	explorer.exe
2336	explorer.exe
2924	spoolsv.exe
2924	spoolsv.exe
2892	svchost.exe
2892	svchost.exe
2844	spoolsv.exe
2844	spoolsv.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2336	2372	66c08694a84314b53bacde050af39730N.exe	29
PID 2372 wrote to memory of 2336	2372	66c08694a84314b53bacde050af39730N.exe	29
PID 2372 wrote to memory of 2336	2372	66c08694a84314b53bacde050af39730N.exe	29
PID 2372 wrote to memory of 2336	2372	66c08694a84314b53bacde050af39730N.exe	29
PID 2336 wrote to memory of 2924	2336	explorer.exe	30
PID 2336 wrote to memory of 2924	2336	explorer.exe	30
PID 2336 wrote to memory of 2924	2336	explorer.exe	30
PID 2336 wrote to memory of 2924	2336	explorer.exe	30
PID 2924 wrote to memory of 2892	2924	spoolsv.exe	31
PID 2924 wrote to memory of 2892	2924	spoolsv.exe	31
PID 2924 wrote to memory of 2892	2924	spoolsv.exe	31
PID 2924 wrote to memory of 2892	2924	spoolsv.exe	31
PID 2892 wrote to memory of 2844	2892	svchost.exe	32
PID 2892 wrote to memory of 2844	2892	svchost.exe	32
PID 2892 wrote to memory of 2844	2892	svchost.exe	32
PID 2892 wrote to memory of 2844	2892	svchost.exe	32
PID 2336 wrote to memory of 2708	2336	explorer.exe	33
PID 2336 wrote to memory of 2708	2336	explorer.exe	33
PID 2336 wrote to memory of 2708	2336	explorer.exe	33
PID 2336 wrote to memory of 2708	2336	explorer.exe	33
PID 2892 wrote to memory of 2796	2892	svchost.exe	34
PID 2892 wrote to memory of 2796	2892	svchost.exe	34
PID 2892 wrote to memory of 2796	2892	svchost.exe	34
PID 2892 wrote to memory of 2796	2892	svchost.exe	34
PID 2892 wrote to memory of 1152	2892	svchost.exe	37
PID 2892 wrote to memory of 1152	2892	svchost.exe	37
PID 2892 wrote to memory of 1152	2892	svchost.exe	37
PID 2892 wrote to memory of 1152	2892	svchost.exe	37

C:\Users\Admin\AppData\Local\Temp\66c08694a84314b53bacde050af39730N.exe
"C:\Users\Admin\AppData\Local\Temp\66c08694a84314b53bacde050af39730N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2336
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2892
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2844
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:05 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2796
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:06 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1152
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
6c9c735624e6707917406a0a9c4b115e

SHA1
aaed2393ee9a37848b078f51b50ae45544236ce3

SHA256
cd9f895880c5aaf18340ea5f7aa8a50bb95b79a7dc8f681ad5d85a46fe5c2414

SHA512
64b9ebd138a9af3386b4d3d7b367182be6a1800a1338fc2fb8a84d695455834b2edc532d0a49f84e20388bb9d6daacca2edcf93e9b5b9f6d41d3e63367453546

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
206KB

MD5
aab2e1b0297cd1df76963cdc16df3b67

SHA1
19a98c13091392e47a87edd3851d3ef595baeb43

SHA256
89de35f685ec55a69e0686d80ee66437dc7000055386aa4948386bdfd644feb7

SHA512
4a0a6fc79bc52b26bb1ca26ab1739222aa2406121d1f1a8e30146b5a0f9b70a460a9f3c4fdce797c8f7288eaf781bd4fe91874bc9fb3bc821a65ea11c24dc3a7

Download Submit
\Windows\Resources\svchost.exe

Filesize
206KB

MD5
1e7b88354308bec505cc9705da11f128

SHA1
d1d828ae121e5393bb5a0998e1a1e3cfc9252579

SHA256
f37ec57e603108a8d362bc42071c9f6c7abebfa7db8161bbd91e09ad19c6dc84

SHA512
22f838866156aff92789a20bb4dbde855ff3146d2ec930ec5150734e0860d3afd9797ceb75d8be6800e92c7e2deb4bdf798148bd194d1c8ad9832b707967b42e

Download Submit
memory/2336-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2336-28-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2336-59-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2336-58-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2372-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-13-0x0000000000320000-0x000000000034F000-memory.dmp

Filesize
188KB

Download
memory/2372-12-0x0000000000320000-0x000000000034F000-memory.dmp

Filesize
188KB

Download
memory/2372-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-49-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2892-50-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2892-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-61-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2924-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download