f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069

Analysis

max time kernel
31s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 14:22

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
Size

206KB
MD5

7cdab2169c8adacb6f31f51dcda8ab10
SHA1

9e3c75e5996510d7034b6e70a1a89b4c4da803b2
SHA256

f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069
SHA512

55f052b5d5aeb86239bea59e3dc226a5a58022fa170cac15239fd47a05cfb12aab2c284656633ca26fb07e75aa5a5357fdd178d013edaac1798944b293503128
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdk:/VqoCl/YgjxEufVU0TbTyDDalbk

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4684	explorer.exe
896	spoolsv.exe
2208	svchost.exe
4136	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe
4684	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4684	explorer.exe
2208	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
4684	explorer.exe
4684	explorer.exe
896	spoolsv.exe
896	spoolsv.exe
2208	svchost.exe
2208	svchost.exe
4136	spoolsv.exe
4136	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 4684	2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe	82
PID 2284 wrote to memory of 4684	2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe	82
PID 2284 wrote to memory of 4684	2284	f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe	82
PID 4684 wrote to memory of 896	4684	explorer.exe	83
PID 4684 wrote to memory of 896	4684	explorer.exe	83
PID 4684 wrote to memory of 896	4684	explorer.exe	83
PID 896 wrote to memory of 2208	896	spoolsv.exe	84
PID 896 wrote to memory of 2208	896	spoolsv.exe	84
PID 896 wrote to memory of 2208	896	spoolsv.exe	84
PID 2208 wrote to memory of 4136	2208	svchost.exe	85
PID 2208 wrote to memory of 4136	2208	svchost.exe	85
PID 2208 wrote to memory of 4136	2208	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe
"C:\Users\Admin\AppData\Local\Temp\f95b4d39d412c1fd58d3a9c2c9be82bd7cf2820a13e63feb8556a8fa56b07069N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2284
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4684
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:896
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2208
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
11524b5281e9a97c48419fee6a75b052

SHA1
9bb2e0eeb202f39bbe7a913ee98ae1eb5616ff97

SHA256
96470e01c0d8c000bd2bc960b2b9bc07e5c997b89d698a3ed79a0e4bc60b3f11

SHA512
2a16c48ee28cac4ad0aec19e98c54567723faca6831cfeacc1b0187e6e772412087d420ad431a933b54ad112d40a249b078de0d4875e75b3391639ff59ad557b

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
206KB

MD5
dc0730058b784ebd5ec196e9b0610365

SHA1
3d14dfaa1bd28f487f272a045fd3d41dff408711

SHA256
30a1f2c53f4350405268c0058dedfe2341cc5c2fdbe824b9a3dfdf9ba370dfc4

SHA512
fbecd2827b520e316dfbee747daadccf24b1c133d60324ce25b802812eb275b82d44ad41cdca2730fa66cea16025d04102d01c5bf60022269b0ada1e42cbc16b

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
206KB

MD5
e480ef455fa95f9885166e9cd83e7fd4

SHA1
78c97b8f91ba00dfcdd495860788370d96e9289a

SHA256
e9114c8811363c51dcf299ab85d476d5252be792e0048247ab1fd4a00915589b

SHA512
7ed9716856150bc8d45194bee2a6aae83ab8995a7171937c8e42499c46750898a170e62aa543cc0ae9ee41d79783daf9d85796181587f8b2631054554a4310e2

Download Submit
memory/896-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2284-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2284-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads