Analysis

max time kernel: 102s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/09/2024, 22:03

Static task: static1

Behavioral task: behavioral1
  Sample: 66c08694a84314b53bacde050af39730N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 66c08694a84314b53bacde050af39730N.exe
  Resource: win10v2004-20240802-en
General

Target: 66c08694a84314b53bacde050af39730N.exe
Size: 206KB
MD5: 66c08694a84314b53bacde050af39730
SHA1: ad6e2c01041589df7b6375634e4e155505e05eca
SHA256: ac14d042c3ccd1d6098433bd54e37e275d53194c40e0594892e9676faa6ce25c
SHA512: a4d72e608400709a1628481c9093acfbeb2555cc210435f6770d624c5d624e09286185c7bd3f2942463b117a3f05984410c283d1c8164a8f598ef9878950f1bd
SSDEEP:
3072:/VqoCl/YgjxEufVU0TbTyDDalblsssssssssssssssssssssssssssssssssssst:/sLqdufVUNDaJ
Malware Config
Signatures

- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

- Executes dropped EXE (4 IoCs)
  pid | process
  3124 | explorer.exe
  2200 | spoolsv.exe
  2264 | svchost.exe
  2292 | spoolsv.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe

- Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe

- Drops file in Windows directory (4 IoCs)
  description | ioc | process
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 66c08694a84314b53bacde050af39730N.exe

- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 66c08694a84314b53bacde050af39730N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  4532 | 66c08694a84314b53bacde050af39730N.exe (entry repeated once per event)
  3124 | explorer.exe (entry repeated once per event)
  The original listing repeats these two pid/process pairs for a total of 64 entries.

- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | process
  3124 | explorer.exe
  2264 | svchost.exe

- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | process
  4532 | 66c08694a84314b53bacde050af39730N.exe (2 entries)
  3124 | explorer.exe (2 entries)
  2200 | spoolsv.exe (2 entries)
  2264 | svchost.exe (2 entries)
  2292 | spoolsv.exe (2 entries)

- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | procid_target
  PID 4532 wrote to memory of 3124 | 4532 | 66c08694a84314b53bacde050af39730N.exe | 85 (3 entries)
  PID 3124 wrote to memory of 2200 | 3124 | explorer.exe | 86 (3 entries)
  PID 2200 wrote to memory of 2264 | 2200 | spoolsv.exe | 88 (3 entries)
  PID 2264 wrote to memory of 2292 | 2264 | svchost.exe | 89 (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\66c08694a84314b53bacde050af39730N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\66c08694a84314b53bacde050af39730N.exe"
   PID: 4532
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      PID: 3124
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. \??\c:\windows\resources\spoolsv.exe
         Command line: c:\windows\resources\spoolsv.exe SE
         PID: 2200
         - Executes dropped EXE
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. \??\c:\windows\resources\svchost.exe
            Command line: c:\windows\resources\svchost.exe
            PID: 2264
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. \??\c:\windows\resources\spoolsv.exe
               Command line: c:\windows\resources\spoolsv.exe PR
               PID: 2292
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 206KB
  MD5: fcbd362447bbe155fc3331fa83bf7a37
  SHA1: 19d4488dfcba653139b7b96a8d7d0531da928d10
  SHA256: 39e7cf9dc5bfce7ccd933a1c56a893b2b8bb626f377a31a79a7107dd48f21c74
  SHA512: 8bf7d8a119dc43c9f73dcfb9ba7b224a5f0bba185ccbf0dcfffc422bcbec9fd2a25efbbeb753c8b4438378b3127a8e76bd3b525859b6190a85354a149dd60dad

- Filesize: 206KB
  MD5: d30452b9327cfeb363dcec7d380484f5
  SHA1: ed8ba45f5be301f4d9e894c3bdc86d2e71456c05
  SHA256: 350d620da5eb0e9fd1652a0dc3ca7b03b5adfc806d6d364c2601adf01a9e7cc0
  SHA512: b6118c22b381e7b89126545c1b33c3df2b6e101815327cb7de2184b9141d8817ff238beff175832e418ea231bcc53b0aa54ae63fd490d8229139605df601e33e

- Filesize: 206KB
  MD5: 38851542a84106800cb6f94f23146c44
  SHA1: 49fe63c0c41c9deb4d595bb2808b8730dcf570a7
  SHA256: 58548c6a13fe50186335d75f895ecb1c91d46ab4a6de4dde761c70b833f05c4b
  SHA512: 4c86bc6b628a959a2f1835a346aa06990f246ea274b82f6b0e9e5962296d5fd789db208c42e80e7eacc6ed9bbf0566531a9a449e2a7be7a7f328233f5a6d0f8b