aa3e8fae7ce9f67681df65a278fa728a89defeac3e00305371e4b2571a935b34

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0fd0016c5c701dbe7689d478c293fe0N.exe
Size

206KB
MD5

f0fd0016c5c701dbe7689d478c293fe0
SHA1

91c3028901eb74d6b3d3514139d654a5122bac20
SHA256

aa3e8fae7ce9f67681df65a278fa728a89defeac3e00305371e4b2571a935b34
SHA512

f5f60bcde88f76278883daed342776b30537f370dd88377ec37536692cfa236d274221d4c1682e43b083f9b09df1b0a3a66510bf2725dd9cf4249370a11c9b48
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdCUUUUUUUUUUUUH:/VqoCl/YgjxEufVU0TbTyDDalbg

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4932	explorer.exe
1132	spoolsv.exe
3712	svchost.exe
2820	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	f0fd0016c5c701dbe7689d478c293fe0N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0fd0016c5c701dbe7689d478c293fe0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4932	explorer.exe
3712	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
116	f0fd0016c5c701dbe7689d478c293fe0N.exe
4932	explorer.exe
4932	explorer.exe
1132	spoolsv.exe
1132	spoolsv.exe
3712	svchost.exe
3712	svchost.exe
2820	spoolsv.exe
2820	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 4932	116	f0fd0016c5c701dbe7689d478c293fe0N.exe	84
PID 116 wrote to memory of 4932	116	f0fd0016c5c701dbe7689d478c293fe0N.exe	84
PID 116 wrote to memory of 4932	116	f0fd0016c5c701dbe7689d478c293fe0N.exe	84
PID 4932 wrote to memory of 1132	4932	explorer.exe	86
PID 4932 wrote to memory of 1132	4932	explorer.exe	86
PID 4932 wrote to memory of 1132	4932	explorer.exe	86
PID 1132 wrote to memory of 3712	1132	spoolsv.exe	87
PID 1132 wrote to memory of 3712	1132	spoolsv.exe	87
PID 1132 wrote to memory of 3712	1132	spoolsv.exe	87
PID 3712 wrote to memory of 2820	3712	svchost.exe	89
PID 3712 wrote to memory of 2820	3712	svchost.exe	89
PID 3712 wrote to memory of 2820	3712	svchost.exe	89

C:\Users\Admin\AppData\Local\Temp\f0fd0016c5c701dbe7689d478c293fe0N.exe
"C:\Users\Admin\AppData\Local\Temp\f0fd0016c5c701dbe7689d478c293fe0N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:116
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4932
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3712
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
e50981a452d00730cd985a767727edb0

SHA1
827896da9932670bcc87cf25940d46f073dc0fe4

SHA256
fb4580cfdd7ddb10add4ab46773a08ea0a827c73c9027acf243f46789820a38c

SHA512
10efb97d752b5d150f589184dc634ed2ae0a0801c86c6470adc3a8f8a869ca1b624eabb9fe0219adb95796a35fa5d3c5365b476a8e98c5fc29c931eb6b77a21c

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
206KB

MD5
f50fb3f8bd19b5e4f59a370400df5ff3

SHA1
1d77326acad2ed57bf030d37e6ec5f00d02e4bf9

SHA256
59e2ff19c2b32fd1af0f18aa4cb325dcd66178f9601e49ccf70eb3378656a901

SHA512
469725c6e9458f98541cf699ccee2f19154f05b3386056232a5b13c4615d60560e3e219e80a351ad644367a1999b3b9a02fb13ab80a8ecc0cf0405a5c25ccef3

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
206KB

MD5
93f7715f70bda840f614e195ea6ceb7b

SHA1
680701a631bd310dc61e09d0d4db92d0275899e0

SHA256
9c26fb168f0b429936439aed2a4c92e3209024969dbd2e093b26754ab4147661

SHA512
dac131c5fa1421ea986519522c3936c269f8c65591ab2437625037e67763fc304d5d80b4a39447d8957aa06f75cc5f16710d4c65e6ba33beadbc362b3dfd937d

Download Submit
memory/116-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/116-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1132-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3712-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download