0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
Size

2.6MB
MD5

d2d299317746466f249c1bd3770049e0
SHA1

992612fd7397e5973e138bb3c780da7abea2f3d7
SHA256

0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0
SHA512

45095e730ecebc198fd4853bdd535ed498cb0a1a6f2dc5c1852ef56d0056f343b7fd461afc9c96e571b701871f62c3f40df95b5969fe78d594066d7455441afe
SSDEEP

49152:TeS12nRc6C5CEAHD26ICQVt1ULUQRP6a6YPkCLJ37xbIjNyX5Hxzl/M:6S+c6ZEmqCMtmoQRP6aZtnsNq9l/M

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4540	explorer.exe
2664	spoolsv.exe
1244	svchost.exe
3924	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 30 IoCs

pid	Process
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
4540	explorer.exe
2664	spoolsv.exe
2664	spoolsv.exe
1244	svchost.exe
1244	svchost.exe
3924	spoolsv.exe
3924	spoolsv.exe
4540	explorer.exe
1244	svchost.exe
4540	explorer.exe
1244	svchost.exe
4540	explorer.exe
1244	svchost.exe
4540	explorer.exe
1244	svchost.exe
4540	explorer.exe
1244	svchost.exe
4540	explorer.exe
1244	svchost.exe
4540	explorer.exe
1244	svchost.exe
4540	explorer.exe
1244	svchost.exe
4540	explorer.exe
1244	svchost.exe
4540	explorer.exe
1244	svchost.exe
4540	explorer.exe
1244	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4540	explorer.exe
1244	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
4540	explorer.exe
4540	explorer.exe
4540	explorer.exe
2664	spoolsv.exe
2664	spoolsv.exe
2664	spoolsv.exe
1244	svchost.exe
1244	svchost.exe
1244	svchost.exe
3924	spoolsv.exe
3924	spoolsv.exe
3924	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 4540	1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe	82
PID 1580 wrote to memory of 4540	1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe	82
PID 1580 wrote to memory of 4540	1580	0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe	82
PID 4540 wrote to memory of 2664	4540	explorer.exe	83
PID 4540 wrote to memory of 2664	4540	explorer.exe	83
PID 4540 wrote to memory of 2664	4540	explorer.exe	83
PID 2664 wrote to memory of 1244	2664	spoolsv.exe	84
PID 2664 wrote to memory of 1244	2664	spoolsv.exe	84
PID 2664 wrote to memory of 1244	2664	spoolsv.exe	84
PID 1244 wrote to memory of 3924	1244	svchost.exe	85
PID 1244 wrote to memory of 3924	1244	svchost.exe	85
PID 1244 wrote to memory of 3924	1244	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe
"C:\Users\Admin\AppData\Local\Temp\0161442d409f433f68eaf4f3ce31b4e28ec8a65cf01b516bdedcad35609798f0N.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4540
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1244
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
afb0d294b2de5461277ebe35b4587fc2

SHA1
ed6cddace4b2913b5bf7a942df3989eac85f71f1

SHA256
89fa9a9b6cfc0dd6c22fc6db49af432e4268a011d4303a1cde4a4e05594a76a3

SHA512
af5835eba15abaed051ec289d62c3812f8d09b5dbe73335d164bd4413369977df9b9679f8e22ca4d87519ae29bfc77bbe23a193439f4ef08cc97c9053a5c2598

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
c22bbca7441cea0c65b3fbe0153eeb0f

SHA1
7b655abcbf8e7be6d0a56958cc8a93d7145f7dd9

SHA256
a9ba862a0907251f9b231b0d74cc94fbabb533618547259719f424020249bf74

SHA512
aee1e30ac659be9b77b2ef21b4b4e0dcb7c4e3aa52e5949d2d3525764532e68764889b8915436dec63b88d15f014742b6e8a67e7b768dc9c6795ea02fc8c1a68

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
db8a9e7e42a04dc1d2adf80b6db63fe8

SHA1
cda01ddc0214e6a3583745b11d20fb1cb26014e5

SHA256
8694f8c7c47a3a53fd911d337980071f1c647bc03f9b4f84ebf8af4a9a1e1197

SHA512
046ffffc298e422ba76be4a8853d79033299987a59ff8d3e5e814517c730e7fa05988c919b4f5c5c3e85e8c318627ffed76dd478058595520b65643c25b5235e

Download Submit
memory/1244-59-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1244-61-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1244-69-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1244-67-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1244-65-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1244-53-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1244-63-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1244-51-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1244-48-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1244-57-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1580-43-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1580-44-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1580-0-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1580-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2664-40-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2664-42-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2664-20-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2664-21-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/3924-39-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3924-34-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4540-56-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4540-45-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4540-50-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4540-60-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4540-11-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4540-62-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4540-64-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4540-52-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4540-46-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4540-68-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4540-10-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download