8e3d8687f6cd0cc38d1f5fea30f376ba04e45a8b2a44ad7d1d1ec02977ca5dcc

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcb09a66da3c04458f02d543e40e6930N.exe
Size

135KB
MD5

fcb09a66da3c04458f02d543e40e6930
SHA1

ff64f19f22435017b7de7fc00206589583e2a1d9
SHA256

8e3d8687f6cd0cc38d1f5fea30f376ba04e45a8b2a44ad7d1d1ec02977ca5dcc
SHA512

2a744c501d753bc8e78baa2585eb7d84f3d25f3cd2466d357af60a90f7cdc9c0c86a0affb84dfc637af1a90001fa74d9c1343cb8645e0105d155a976b57e4892
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV8R:UVqoCl/YgjxEufVU0TbTyDDaliR

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4864	explorer.exe
3560	spoolsv.exe
1416	svchost.exe
2716	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	fcb09a66da3c04458f02d543e40e6930N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcb09a66da3c04458f02d543e40e6930N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe
4864	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4864	explorer.exe
1416	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4548	fcb09a66da3c04458f02d543e40e6930N.exe
4864	explorer.exe
4864	explorer.exe
3560	spoolsv.exe
3560	spoolsv.exe
1416	svchost.exe
1416	svchost.exe
2716	spoolsv.exe
2716	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 4864	4548	fcb09a66da3c04458f02d543e40e6930N.exe	83
PID 4548 wrote to memory of 4864	4548	fcb09a66da3c04458f02d543e40e6930N.exe	83
PID 4548 wrote to memory of 4864	4548	fcb09a66da3c04458f02d543e40e6930N.exe	83
PID 4864 wrote to memory of 3560	4864	explorer.exe	84
PID 4864 wrote to memory of 3560	4864	explorer.exe	84
PID 4864 wrote to memory of 3560	4864	explorer.exe	84
PID 3560 wrote to memory of 1416	3560	spoolsv.exe	85
PID 3560 wrote to memory of 1416	3560	spoolsv.exe	85
PID 3560 wrote to memory of 1416	3560	spoolsv.exe	85
PID 1416 wrote to memory of 2716	1416	svchost.exe	87
PID 1416 wrote to memory of 2716	1416	svchost.exe	87
PID 1416 wrote to memory of 2716	1416	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\fcb09a66da3c04458f02d543e40e6930N.exe
"C:\Users\Admin\AppData\Local\Temp\fcb09a66da3c04458f02d543e40e6930N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4548
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4864
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1416
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
bbb1a9abb1593b01f6c0b5160bb4f338

SHA1
3b09f46833d3ec66adc30f5c964531d7329e45bf

SHA256
1aee81ea078dd2f8dd655ce4d01601e3c184af76763c0b7e686eb2897ab01dc6

SHA512
29dd0ef1280efd362bf6e7b8e76a3fe4f2b72f550308fe490069352db94a143fd33929cf2fee15ad54e917c90cf148c69ca9a9385fe69b87a609c365fa5e8e44

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
5affab626b3e68a70f79a7fe65ad3b17

SHA1
0fc48d4b0ea3651c7037d75d00a65eb7cb4183e2

SHA256
d5bb58a07009c1b9a5ba2f0d733cd1b4c71b0ed35c68f7014e55628b739246f3

SHA512
ec08635272269082fb4a99edaec84cd88ee35c40c1224639a642b5bcd4e8055ec8b5341cb7f582ce393fa241828775f156f704cb047b0c2ce749396fc5bb1f62

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
d7b974de8d01921e2577b02e8b251754

SHA1
ce26fbba5744e567a239edd0ffdf22dc05455cd2

SHA256
38cd45c9c1f36335bc96c91c3475a6b3b316b22b3ee536897d84f2e13918c07f

SHA512
144d724d79def3301fd1ef77bba116ae248dff6364f604f845ae8fc1dc9d099d090f4150946e6cbee86f017798096736abb2a3d1f5af1dc7f1b30f62b099e141

Download Submit
memory/1416-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2716-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3560-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4548-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4548-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4864-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download