a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3d

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
Size

3.6MB
MD5

24c344626fa30b02c6dd357e8aff54a0
SHA1

0f295f350e2c0b0d772010b98fbaed3ba8f12074
SHA256

a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3d
SHA512

45386e27f66a5ad950993d3cb1b91e8bbd49206fd0ea16aae491ed6eab8b235959f9e3b1b2ec4209c7c0afb12258fc52117391620a033ea80acf2bbd4c75af5f
SSDEEP

98304:ddByXcdnlLwOrI5Vfeg91hZOhkRpsinj+:ddien+OrFuBR6c+

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2472	explorer.exe
2868	spoolsv.exe
2816	svchost.exe
2936	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2472	explorer.exe
2868	spoolsv.exe
2816	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 32 IoCs

pid	Process
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2472	explorer.exe
2472	explorer.exe
2868	spoolsv.exe
2868	spoolsv.exe
2816	svchost.exe
2936	spoolsv.exe
2936	spoolsv.exe
2816	svchost.exe
2472	explorer.exe
2816	svchost.exe
2472	explorer.exe
2816	svchost.exe
2472	explorer.exe
2816	svchost.exe
2472	explorer.exe
2816	svchost.exe
2472	explorer.exe
2816	svchost.exe
2472	explorer.exe
2816	svchost.exe
2472	explorer.exe
2816	svchost.exe
2472	explorer.exe
2816	svchost.exe
2472	explorer.exe
2816	svchost.exe
2472	explorer.exe
2816	svchost.exe
2472	explorer.exe
2816	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2704	schtasks.exe
2040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2472	explorer.exe
2472	explorer.exe
2816	svchost.exe
2472	explorer.exe
2816	svchost.exe
2472	explorer.exe
2816	svchost.exe
2816	svchost.exe
2472	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2816	svchost.exe
2472	explorer.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2868	spoolsv.exe
2868	spoolsv.exe
2868	spoolsv.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2936	spoolsv.exe
2936	spoolsv.exe
2936	spoolsv.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2472	2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe	31
PID 2464 wrote to memory of 2472	2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe	31
PID 2464 wrote to memory of 2472	2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe	31
PID 2464 wrote to memory of 2472	2464	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe	31
PID 2472 wrote to memory of 2868	2472	explorer.exe	32
PID 2472 wrote to memory of 2868	2472	explorer.exe	32
PID 2472 wrote to memory of 2868	2472	explorer.exe	32
PID 2472 wrote to memory of 2868	2472	explorer.exe	32
PID 2868 wrote to memory of 2816	2868	spoolsv.exe	33
PID 2868 wrote to memory of 2816	2868	spoolsv.exe	33
PID 2868 wrote to memory of 2816	2868	spoolsv.exe	33
PID 2868 wrote to memory of 2816	2868	spoolsv.exe	33
PID 2816 wrote to memory of 2936	2816	svchost.exe	34
PID 2816 wrote to memory of 2936	2816	svchost.exe	34
PID 2816 wrote to memory of 2936	2816	svchost.exe	34
PID 2816 wrote to memory of 2936	2816	svchost.exe	34
PID 2472 wrote to memory of 2568	2472	explorer.exe	35
PID 2472 wrote to memory of 2568	2472	explorer.exe	35
PID 2472 wrote to memory of 2568	2472	explorer.exe	35
PID 2472 wrote to memory of 2568	2472	explorer.exe	35
PID 2816 wrote to memory of 2704	2816	svchost.exe	36
PID 2816 wrote to memory of 2704	2816	svchost.exe	36
PID 2816 wrote to memory of 2704	2816	svchost.exe	36
PID 2816 wrote to memory of 2704	2816	svchost.exe	36
PID 2816 wrote to memory of 2040	2816	svchost.exe	39
PID 2816 wrote to memory of 2040	2816	svchost.exe	39
PID 2816 wrote to memory of 2040	2816	svchost.exe	39
PID 2816 wrote to memory of 2040	2816	svchost.exe	39

C:\Users\Admin\AppData\Local\Temp\a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
"C:\Users\Admin\AppData\Local\Temp\a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2472
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2816
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2936
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:02 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2704
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:03 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2040
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
3.6MB

MD5
0686fd3241e7544eae7020363f22b098

SHA1
599475fe6e09dd903a148dd438a5b2b30b02c432

SHA256
3c8f6ba354def03cacda3c5baea4b98c37fae5fe0c57d2f14f09753eea64d82e

SHA512
c788528efaecdd6e0f4dcadbffcb32b9ce1c7aafd64c5ca7c9bef56c084135727fecdfd32adab4cb199b377ebe81b268ba5a404b63674ef4b70732a8e27a016c

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
3.6MB

MD5
246427424d370f3f015993d6fe1a4037

SHA1
1d5b420104c8fd9eb13a4d96b83ea4c071352682

SHA256
440890420d37e7763127d5f6b9875d9f190fb5958e39e4ce8b8b0bfcb430faae

SHA512
a40f375a745647e6fe3de47e78d300ac23087bf8ce816b7fe652f3250b00e8c2bd1d76d6c4130fea680559c2df75e89fc2b2dcf141cbb3813b93d8f00d2ec5b3

Download Submit
\Windows\Resources\svchost.exe

Filesize
3.6MB

MD5
8c03e3926fbb3f706c4feff2a8308809

SHA1
acd799c3d26ccc7c99671947a342ecd5fda1cc9d

SHA256
4c5343cca26b8a41b87aea4f9e27e383a5f1c395533046a95a730d3381c7816c

SHA512
add13d68b9c36e953c8593086460a288517e70c3d346ec7263023d563103bc7c6320e23989ec17d66bc39958340bf9c486728ea0fea360b4140fb31b22b766b4

Download Submit
memory/2464-40-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2464-1-0x0000000077E90000-0x0000000077E91000-memory.dmp

Filesize
4KB

Download
memory/2464-10-0x0000000003930000-0x0000000003CB4000-memory.dmp

Filesize
3.5MB

Download
memory/2464-0-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2464-49-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2472-56-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2472-60-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2472-72-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2472-70-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2472-68-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2472-50-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2472-66-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2472-52-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2472-54-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2472-64-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2472-13-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2472-62-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2472-58-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2816-59-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2816-51-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2816-61-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2816-57-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2816-63-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2816-55-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2816-65-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2816-73-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2816-67-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2816-71-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2816-69-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2868-24-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2868-48-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2868-33-0x0000000003850000-0x0000000003BD4000-memory.dmp

Filesize
3.5MB

Download
memory/2936-47-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download