9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534ae

Analysis

max time kernel
117s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
Size

206KB
MD5

1fee45222177f4c2d3c084f1f5437d40
SHA1

e5ae9c1d083f9a0d7c8b00d11dff37de1cac4773
SHA256

9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534ae
SHA512

5c87ed62d4e70ecb9e6d719f7083a8429f418bf4b5be242ac5ff79ba18067de467afd1f01b797068c7eae31dbd41c8def3de4cdc15ef696dd27ba1a751a5610f
SSDEEP

1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdZ:/VqoCl/YgjxEufVU0TbTyDDalbZ

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2332	explorer.exe
2856	spoolsv.exe
2960	svchost.exe
3016	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
2332	explorer.exe
2332	explorer.exe
2856	spoolsv.exe
2856	spoolsv.exe
2960	svchost.exe
2960	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2704	schtasks.exe
2888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2960	svchost.exe
2960	svchost.exe
2960	svchost.exe
2960	svchost.exe
2960	svchost.exe
2960	svchost.exe
2960	svchost.exe
2960	svchost.exe
2960	svchost.exe
2960	svchost.exe
2960	svchost.exe
2960	svchost.exe
2960	svchost.exe
2960	svchost.exe
2960	svchost.exe
2960	svchost.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2960	svchost.exe
2960	svchost.exe
2332	explorer.exe
2960	svchost.exe
2332	explorer.exe
2960	svchost.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
2960	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2332	explorer.exe
2960	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
2332	explorer.exe
2332	explorer.exe
2856	spoolsv.exe
2856	spoolsv.exe
2960	svchost.exe
2960	svchost.exe
3016	spoolsv.exe
3016	spoolsv.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2332	1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe	29
PID 1288 wrote to memory of 2332	1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe	29
PID 1288 wrote to memory of 2332	1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe	29
PID 1288 wrote to memory of 2332	1288	9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe	29
PID 2332 wrote to memory of 2856	2332	explorer.exe	30
PID 2332 wrote to memory of 2856	2332	explorer.exe	30
PID 2332 wrote to memory of 2856	2332	explorer.exe	30
PID 2332 wrote to memory of 2856	2332	explorer.exe	30
PID 2856 wrote to memory of 2960	2856	spoolsv.exe	31
PID 2856 wrote to memory of 2960	2856	spoolsv.exe	31
PID 2856 wrote to memory of 2960	2856	spoolsv.exe	31
PID 2856 wrote to memory of 2960	2856	spoolsv.exe	31
PID 2960 wrote to memory of 3016	2960	svchost.exe	32
PID 2960 wrote to memory of 3016	2960	svchost.exe	32
PID 2960 wrote to memory of 3016	2960	svchost.exe	32
PID 2960 wrote to memory of 3016	2960	svchost.exe	32
PID 2332 wrote to memory of 2636	2332	explorer.exe	33
PID 2332 wrote to memory of 2636	2332	explorer.exe	33
PID 2332 wrote to memory of 2636	2332	explorer.exe	33
PID 2332 wrote to memory of 2636	2332	explorer.exe	33
PID 2960 wrote to memory of 2704	2960	svchost.exe	34
PID 2960 wrote to memory of 2704	2960	svchost.exe	34
PID 2960 wrote to memory of 2704	2960	svchost.exe	34
PID 2960 wrote to memory of 2704	2960	svchost.exe	34
PID 2960 wrote to memory of 2888	2960	svchost.exe	37
PID 2960 wrote to memory of 2888	2960	svchost.exe	37
PID 2960 wrote to memory of 2888	2960	svchost.exe	37
PID 2960 wrote to memory of 2888	2960	svchost.exe	37

C:\Users\Admin\AppData\Local\Temp\9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe
"C:\Users\Admin\AppData\Local\Temp\9e4fd1b538b50e9abede662f6fc56e142a48d291ca28d2785741d90e9a1534aeN.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1288
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2332
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2960
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3016
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:31 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2704
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:32 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2888
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
207KB

MD5
4f792d5d090fd24751be5ca1ebe5dd68

SHA1
f6690d9f1e32466008c3f3c1f2d6b208533058c3

SHA256
2002590ca8bd6a71bd2ed297ae5dcdcaac6986659f7bb5b890634e7460ac28b2

SHA512
26d8057629c965555392ea28567ac8f531d73fff7c996b04a9bc3c8b4aa5a964ec0dd82d9e1cc87dc75aa5d6762edc53a16ad872c44725c54d9d096661308828

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
206KB

MD5
0ccefbec2ca5d4e9c044313bcd6a9908

SHA1
ec01167c143241a61c650f5dd9bc242bc51d3b18

SHA256
28fa947086719ddaad4681aa4decd683d0ce90590317f61f894aa3572f613e92

SHA512
d9c797f3c37fbf11f42219a9490432a39f79fa8feaa87122acbdda2cd0342139164e5cd6c0ee804a2cabfd8b724a7085ee7c9fb9b6a5087c7f86c7cda9872969

Download Submit
\Windows\Resources\svchost.exe

Filesize
206KB

MD5
3f7ca3638b4cdfed721f92df71791a0c

SHA1
bdbcb043da4aad3a6689837bd157ff65f0cb0b50

SHA256
450086d988bc1a09abbd3d37af2dcc9a71b734cb4bd666b32a3f87f1e9d7975e

SHA512
d262c77c64cd46260142564b64fc5b53f835e3c6278e37322f75be60d894c1bb7d1ba4b0cd90a6957c7d4d2169016eb97cbad4bc0e4d0ed9286c453cc1c198c0

Download Submit
memory/1288-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1288-13-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1288-12-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1288-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-27-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2332-58-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2332-59-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2856-42-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/2856-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-37-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/2960-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-61-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3016-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download