0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
Size

206KB
MD5

f2eca8a1384f05e2080249c0decd8e30
SHA1

0a15d4edf45594070eb498baf37d4799987e4ea3
SHA256

0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9
SHA512

3d33aaea079a8a815fd831f7262cc52caee26592b966de315f446e5094b5cddbb29b0c05b9754c6c1c59b58236ed18b9e11fff2eca92a5486e2e989b4fe69162
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdg:/VqoCl/YgjxEufVU0TbTyDDalbg

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
1292	explorer.exe
804	spoolsv.exe
2736	svchost.exe
2760	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
1292	explorer.exe
1292	explorer.exe
804	spoolsv.exe
804	spoolsv.exe
2736	svchost.exe
2736	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3016	schtasks.exe
992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
1292	explorer.exe
2736	svchost.exe
2736	svchost.exe
1292	explorer.exe
1292	explorer.exe
2736	svchost.exe
1292	explorer.exe
2736	svchost.exe
1292	explorer.exe
2736	svchost.exe
1292	explorer.exe
2736	svchost.exe
1292	explorer.exe
2736	svchost.exe
1292	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2736	svchost.exe
1292	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
1292	explorer.exe
1292	explorer.exe
804	spoolsv.exe
804	spoolsv.exe
2736	svchost.exe
2736	svchost.exe
2760	spoolsv.exe
2760	spoolsv.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1292	3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe	30
PID 3060 wrote to memory of 1292	3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe	30
PID 3060 wrote to memory of 1292	3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe	30
PID 3060 wrote to memory of 1292	3060	0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe	30
PID 1292 wrote to memory of 804	1292	explorer.exe	31
PID 1292 wrote to memory of 804	1292	explorer.exe	31
PID 1292 wrote to memory of 804	1292	explorer.exe	31
PID 1292 wrote to memory of 804	1292	explorer.exe	31
PID 804 wrote to memory of 2736	804	spoolsv.exe	32
PID 804 wrote to memory of 2736	804	spoolsv.exe	32
PID 804 wrote to memory of 2736	804	spoolsv.exe	32
PID 804 wrote to memory of 2736	804	spoolsv.exe	32
PID 2736 wrote to memory of 2760	2736	svchost.exe	33
PID 2736 wrote to memory of 2760	2736	svchost.exe	33
PID 2736 wrote to memory of 2760	2736	svchost.exe	33
PID 2736 wrote to memory of 2760	2736	svchost.exe	33
PID 1292 wrote to memory of 2616	1292	explorer.exe	34
PID 1292 wrote to memory of 2616	1292	explorer.exe	34
PID 1292 wrote to memory of 2616	1292	explorer.exe	34
PID 1292 wrote to memory of 2616	1292	explorer.exe	34
PID 2736 wrote to memory of 3016	2736	svchost.exe	35
PID 2736 wrote to memory of 3016	2736	svchost.exe	35
PID 2736 wrote to memory of 3016	2736	svchost.exe	35
PID 2736 wrote to memory of 3016	2736	svchost.exe	35
PID 2736 wrote to memory of 992	2736	svchost.exe	39
PID 2736 wrote to memory of 992	2736	svchost.exe	39
PID 2736 wrote to memory of 992	2736	svchost.exe	39
PID 2736 wrote to memory of 992	2736	svchost.exe	39

C:\Users\Admin\AppData\Local\Temp\0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe
"C:\Users\Admin\AppData\Local\Temp\0bfaf5af70b11c4ebfd913e86fe67ebc5ec01c223994a97d8117024e319787c9N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1292
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:804
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2736
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2760
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:09 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3016
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:10 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:992
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
9e325a324097f71dc75a2d0ddb202634

SHA1
c104d12331b913bd59aa2641369c88eab48736a5

SHA256
3b5f9e5f068b44c50bd3686ed1033981e650f735975bcbe68eb43a8858fa8d4e

SHA512
becb18eda6f69ba7f9f2f8fce0de10fbbf1bbb06cd01e8ef2cb1b524c4e416eadf53ac9ad88694660e6d459e82f7501a5ee0950ea8b5a218eb256b124569537c

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
206KB

MD5
960ea31eccdf9bd228f0832a4b054549

SHA1
5139d5c2040f2dee5a4bcb04a25247e1621e381c

SHA256
c3bfbc2abf6d0b5eda759de525d01123b5c218916270a47d82a168be5e423303

SHA512
3223d175d37bc0a79f8b7a1060c2de37b2d54ce2b5976ec69adde28740dd28c2c72fc9a431b8cdaa64205ddfd3e900b5c88bf7ab268b660a74538414820876e0

Download Submit
\Windows\Resources\svchost.exe

Filesize
206KB

MD5
59d1df530ebffec04c52cdd1d763f907

SHA1
9a9c3acdd5ce7dfd073a0bcf0cf59ef02eb0901d

SHA256
d68734e47bcb5a35eee41b12814b3bf139998e3c659ed6dd603ac72ed079c6bf

SHA512
94b8634b5e6e258e944f1ef0e92da8bfcd30d9379a09f539d01c80f142cf9a0d554dc09fb87b8f87e9d7db83f858f3414a49d1e600b3456a5cd2854893cd9b28

Download Submit
memory/804-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1292-26-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/1292-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1292-55-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2736-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-51-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-13-0x0000000000520000-0x000000000054F000-memory.dmp

Filesize
188KB

Download
memory/3060-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download