d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
Size

135KB
MD5

aeb7ac510c1b62d1e100da60e80bfe50
SHA1

0168886358aba4a0a060771f844bdafdf5535bda
SHA256

d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616
SHA512

2f71721f65759fa96cce0f617ca4cf960ac88da046446756049a937f5e01938e1d2020216d6f6416fff7ac45cd74965ead083f6956996adb5c348b074029123d
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVQj:UVqoCl/YgjxEufVU0TbTyDDal2j

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4012	explorer.exe
3312	spoolsv.exe
4788	svchost.exe
4252	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe
4012	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4012	explorer.exe
4788	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
4012	explorer.exe
4012	explorer.exe
3312	spoolsv.exe
3312	spoolsv.exe
4788	svchost.exe
4788	svchost.exe
4252	spoolsv.exe
4252	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 4012	4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe	82
PID 4280 wrote to memory of 4012	4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe	82
PID 4280 wrote to memory of 4012	4280	d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe	82
PID 4012 wrote to memory of 3312	4012	explorer.exe	83
PID 4012 wrote to memory of 3312	4012	explorer.exe	83
PID 4012 wrote to memory of 3312	4012	explorer.exe	83
PID 3312 wrote to memory of 4788	3312	spoolsv.exe	84
PID 3312 wrote to memory of 4788	3312	spoolsv.exe	84
PID 3312 wrote to memory of 4788	3312	spoolsv.exe	84
PID 4788 wrote to memory of 4252	4788	svchost.exe	85
PID 4788 wrote to memory of 4252	4788	svchost.exe	85
PID 4788 wrote to memory of 4252	4788	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe
"C:\Users\Admin\AppData\Local\Temp\d8eda948ad6f407085922db3b2b5506aab37c82ef24640c7a085d269034e0616N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4280
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4012
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4788
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
11b70bf1f0cc00bc15cecd56d793d696

SHA1
60776a71fff236d224453562ee539fe3ccd229bd

SHA256
094c63b5026ed8c0a95dfc01f9247ef4427679f7cf29e84ec6282104a2bc15f3

SHA512
a1fcbbdbc165ec484a7d16627a874048fc590d03e0e3458534352eceb43f6dd4039264e4746e59599bc9258d9ef857f598a141e829559d55b110d621aa51b860

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
5572c5889effa19ceee6e7b8540c3b25

SHA1
e01574a0f3cbc36fbdffc7daeeefb595e69341ee

SHA256
bc1a577440ff24e50d41a5a60021e96ac10b8f1eaa2ade11c5f2b6ac68ab05f5

SHA512
2a4a01654266c8e43a2b0f5f11030cab9ce014a5ace4de05048344e647a6c80843c8e7d81e39c285c2c3af48a87ca279c8a28b374b16177b54dae88ced2103f4

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
716fc9106a16fb344936c9c7cb1cabb6

SHA1
aa78874bdb89d16e206375f2315bcce281215210

SHA256
655f826857bb12b2b874f15c6caa91c157f860c02dba19fd58f68ce5fc6c9dc6

SHA512
b2ef73b19f97a5d8046fb1e5087ead79461984f8fca6df442f3d2ef88352fd0f3e4da1d99bcbbc8d10392c4af9ac85b61fbe4de47887a6a92c9da472e9237e73

Download Submit
memory/3312-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3312-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4012-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4252-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4280-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4280-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4788-37-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download