Analysis
max time kernel: 120s
max time network: 20s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 07/09/2024, 22:03
Static task: static1
Behavioral task: behavioral1
Sample: 66c08694a84314b53bacde050af39730N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 66c08694a84314b53bacde050af39730N.exe
Resource: win10v2004-20240802-en
General
Target: 66c08694a84314b53bacde050af39730N.exe
Size: 206KB
MD5: 66c08694a84314b53bacde050af39730
SHA1: ad6e2c01041589df7b6375634e4e155505e05eca
SHA256: ac14d042c3ccd1d6098433bd54e37e275d53194c40e0594892e9676faa6ce25c
SHA512: a4d72e608400709a1628481c9093acfbeb2555cc210435f6770d624c5d624e09286185c7bd3f2942463b117a3f05984410c283d1c8164a8f598ef9878950f1bd
SSDEEP: 3072:/VqoCl/YgjxEufVU0TbTyDDalblsssssssssssssssssssssssssssssssssssst:/sLqdufVUNDaJ
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Executes dropped EXE (4 IoCs)
pid | Process
2336 | explorer.exe
2924 | spoolsv.exe
2892 | svchost.exe
2844 | spoolsv.exe

Loads dropped DLL (8 IoCs)
pid | Process
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2336 | explorer.exe
2336 | explorer.exe
2924 | spoolsv.exe
2924 | spoolsv.exe
2892 | svchost.exe
2892 | svchost.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 66c08694a84314b53bacde050af39730N.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 66c08694a84314b53bacde050af39730N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2796 | schtasks.exe
1152 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2336 | explorer.exe
2336 | explorer.exe
2336 | explorer.exe
2336 | explorer.exe
2336 | explorer.exe
2336 | explorer.exe
2336 | explorer.exe
2336 | explorer.exe
2336 | explorer.exe
2336 | explorer.exe
2336 | explorer.exe
2336 | explorer.exe
2336 | explorer.exe
2336 | explorer.exe
2336 | explorer.exe
2336 | explorer.exe
2892 | svchost.exe
2892 | svchost.exe
2892 | svchost.exe
2892 | svchost.exe
2892 | svchost.exe
2892 | svchost.exe
2892 | svchost.exe
2892 | svchost.exe
2892 | svchost.exe
2892 | svchost.exe
2892 | svchost.exe
2892 | svchost.exe
2892 | svchost.exe
2892 | svchost.exe
2892 | svchost.exe
2892 | svchost.exe
2336 | explorer.exe
2336 | explorer.exe
2892 | svchost.exe
2892 | svchost.exe
2336 | explorer.exe
2336 | explorer.exe
2892 | svchost.exe
2336 | explorer.exe
2892 | svchost.exe
2336 | explorer.exe
2892 | svchost.exe
2336 | explorer.exe
2892 | svchost.exe
2336 | explorer.exe
2892 | svchost.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2892 | svchost.exe
2336 | explorer.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process
2372 | 66c08694a84314b53bacde050af39730N.exe
2372 | 66c08694a84314b53bacde050af39730N.exe
2336 | explorer.exe
2336 | explorer.exe
2924 | spoolsv.exe
2924 | spoolsv.exe
2892 | svchost.exe
2892 | svchost.exe
2844 | spoolsv.exe
2844 | spoolsv.exe

Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 2372 wrote to memory of 2336 | 2372 | 66c08694a84314b53bacde050af39730N.exe | 29
PID 2372 wrote to memory of 2336 | 2372 | 66c08694a84314b53bacde050af39730N.exe | 29
PID 2372 wrote to memory of 2336 | 2372 | 66c08694a84314b53bacde050af39730N.exe | 29
PID 2372 wrote to memory of 2336 | 2372 | 66c08694a84314b53bacde050af39730N.exe | 29
PID 2336 wrote to memory of 2924 | 2336 | explorer.exe | 30
PID 2336 wrote to memory of 2924 | 2336 | explorer.exe | 30
PID 2336 wrote to memory of 2924 | 2336 | explorer.exe | 30
PID 2336 wrote to memory of 2924 | 2336 | explorer.exe | 30
PID 2924 wrote to memory of 2892 | 2924 | spoolsv.exe | 31
PID 2924 wrote to memory of 2892 | 2924 | spoolsv.exe | 31
PID 2924 wrote to memory of 2892 | 2924 | spoolsv.exe | 31
PID 2924 wrote to memory of 2892 | 2924 | spoolsv.exe | 31
PID 2892 wrote to memory of 2844 | 2892 | svchost.exe | 32
PID 2892 wrote to memory of 2844 | 2892 | svchost.exe | 32
PID 2892 wrote to memory of 2844 | 2892 | svchost.exe | 32
PID 2892 wrote to memory of 2844 | 2892 | svchost.exe | 32
PID 2336 wrote to memory of 2708 | 2336 | explorer.exe | 33
PID 2336 wrote to memory of 2708 | 2336 | explorer.exe | 33
PID 2336 wrote to memory of 2708 | 2336 | explorer.exe | 33
PID 2336 wrote to memory of 2708 | 2336 | explorer.exe | 33
PID 2892 wrote to memory of 2796 | 2892 | svchost.exe | 34
PID 2892 wrote to memory of 2796 | 2892 | svchost.exe | 34
PID 2892 wrote to memory of 2796 | 2892 | svchost.exe | 34
PID 2892 wrote to memory of 2796 | 2892 | svchost.exe | 34
PID 2892 wrote to memory of 1152 | 2892 | svchost.exe | 37
PID 2892 wrote to memory of 1152 | 2892 | svchost.exe | 37
PID 2892 wrote to memory of 1152 | 2892 | svchost.exe | 37
PID 2892 wrote to memory of 1152 | 2892 | svchost.exe | 37
Processes
(indentation shows the parent/child relationship; the number in brackets is the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\66c08694a84314b53bacde050af39730N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\66c08694a84314b53bacde050af39730N.exe"
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2372

  [2] \??\c:\windows\resources\themes\explorer.exe
      command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2336

    [3] \??\c:\windows\resources\spoolsv.exe
        command line: c:\windows\resources\spoolsv.exe SE
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2924

      [4] \??\c:\windows\resources\svchost.exe
          command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 2892

        [5] \??\c:\windows\resources\spoolsv.exe
            command line: c:\windows\resources\spoolsv.exe PR
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID: 2844

        [5] C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:05 /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
            PID: 2796

        [5] C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:06 /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
            PID: 1152

    [3] C:\Windows\Explorer.exe
        command line: C:\Windows\Explorer.exe
        PID: 2708
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

Filesize: 206KB
MD5: 6c9c735624e6707917406a0a9c4b115e
SHA1: aaed2393ee9a37848b078f51b50ae45544236ce3
SHA256: cd9f895880c5aaf18340ea5f7aa8a50bb95b79a7dc8f681ad5d85a46fe5c2414
SHA512: 64b9ebd138a9af3386b4d3d7b367182be6a1800a1338fc2fb8a84d695455834b2edc532d0a49f84e20388bb9d6daacca2edcf93e9b5b9f6d41d3e63367453546

Filesize: 206KB
MD5: aab2e1b0297cd1df76963cdc16df3b67
SHA1: 19a98c13091392e47a87edd3851d3ef595baeb43
SHA256: 89de35f685ec55a69e0686d80ee66437dc7000055386aa4948386bdfd644feb7
SHA512: 4a0a6fc79bc52b26bb1ca26ab1739222aa2406121d1f1a8e30146b5a0f9b70a460a9f3c4fdce797c8f7288eaf781bd4fe91874bc9fb3bc821a65ea11c24dc3a7

Filesize: 206KB
MD5: 1e7b88354308bec505cc9705da11f128
SHA1: d1d828ae121e5393bb5a0998e1a1e3cfc9252579
SHA256: f37ec57e603108a8d362bc42071c9f6c7abebfa7db8161bbd91e09ad19c6dc84
SHA512: 22f838866156aff92789a20bb4dbde855ff3146d2ec930ec5150734e0860d3afd9797ceb75d8be6800e92c7e2deb4bdf798148bd194d1c8ad9832b707967b42e