a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3d

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
Size

3.6MB
MD5

24c344626fa30b02c6dd357e8aff54a0
SHA1

0f295f350e2c0b0d772010b98fbaed3ba8f12074
SHA256

a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3d
SHA512

45386e27f66a5ad950993d3cb1b91e8bbd49206fd0ea16aae491ed6eab8b235959f9e3b1b2ec4209c7c0afb12258fc52117391620a033ea80acf2bbd4c75af5f
SSDEEP

98304:ddByXcdnlLwOrI5Vfeg91hZOhkRpsinj+:ddien+OrFuBR6c+

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4780	explorer.exe
3260	spoolsv.exe
840	svchost.exe
4140	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs

pid	Process
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
4780	explorer.exe
3260	spoolsv.exe
840	svchost.exe
4140	spoolsv.exe
840	svchost.exe
4780	explorer.exe
840	svchost.exe
4780	explorer.exe
840	svchost.exe
4780	explorer.exe
840	svchost.exe
4780	explorer.exe
840	svchost.exe
4780	explorer.exe
840	svchost.exe
4780	explorer.exe
840	svchost.exe
4780	explorer.exe
840	svchost.exe
4780	explorer.exe
840	svchost.exe
4780	explorer.exe
840	svchost.exe
4780	explorer.exe
840	svchost.exe
4780	explorer.exe
840	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
840	svchost.exe
4780	explorer.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
3260	spoolsv.exe
3260	spoolsv.exe
3260	spoolsv.exe
840	svchost.exe
840	svchost.exe
840	svchost.exe
4140	spoolsv.exe
4140	spoolsv.exe
4140	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 4780	3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe	82
PID 3772 wrote to memory of 4780	3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe	82
PID 3772 wrote to memory of 4780	3772	a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe	82
PID 4780 wrote to memory of 3260	4780	explorer.exe	83
PID 4780 wrote to memory of 3260	4780	explorer.exe	83
PID 4780 wrote to memory of 3260	4780	explorer.exe	83
PID 3260 wrote to memory of 840	3260	spoolsv.exe	84
PID 3260 wrote to memory of 840	3260	spoolsv.exe	84
PID 3260 wrote to memory of 840	3260	spoolsv.exe	84
PID 840 wrote to memory of 4140	840	svchost.exe	85
PID 840 wrote to memory of 4140	840	svchost.exe	85
PID 840 wrote to memory of 4140	840	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe
"C:\Users\Admin\AppData\Local\Temp\a2b780eb141c711ffa2f8da8ff3df7d2e9109232bad7630d5cb0f450fc928c3dN.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3772
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4780
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:840
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
3.6MB

MD5
84276b88aceb0f78e650ebbfdb40125e

SHA1
e6d3dc1be20496cabfcb198d21388abd9d2d4bdf

SHA256
4c5d770c801f27bdba3f1aadafb3b343728fb29eb00c8e9dc4c3b084462f4b5b

SHA512
bef01ca01e6f996cad7ee8522d11dcef9ae1c1643b860d305c65bb9d6f80ae2aebb94cfd41dedb4d67286520d9cdb76c8ba7df974c097d53955451ac2183ff6c

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
3.6MB

MD5
89e0e3be1d4ee7124bdd16707aaaaf50

SHA1
4254ff4d06e8cb890f2a6b9b5de1856a5f6c71e1

SHA256
1e24ac361db8b81330cc3bfb222f2ec4914a23fb265753aeb76b29e783663b8e

SHA512
d271812174463cb2bb7e8af55136397c3a63fc7d7da1e2516df4dd26e7f32d08dcd8edefb9d80bfde87bc57b299f867f5f560dd59f9754598f3a4a1c806e3f69

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
3.6MB

MD5
6986119674c4200c8fcf0920c95ae836

SHA1
9173dd9308bcfcfed117a6aa403767a5653aa9e8

SHA256
3ffd4bfda6b35316b833c50894600ed754cf8862a7642cf9b7bc9dae424c64dd

SHA512
76471ae4d6aa6fba19615f23d157832c378fc3a66c589c2cc4644f0fbe1d08ba5a7198df1dc660500ba198c10e4e656fe752cfe6581c4129f03ef873ebc8306f

Download Submit
memory/840-58-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/840-60-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/840-64-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/840-48-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/840-56-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/840-54-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/840-52-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/840-43-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/840-44-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/840-50-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/840-46-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3260-40-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3772-39-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3772-0-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3772-2-0x0000000077D43000-0x0000000077D44000-memory.dmp

Filesize
4KB

Download
memory/3772-1-0x0000000077D42000-0x0000000077D43000-memory.dmp

Filesize
4KB

Download
memory/4140-31-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4140-36-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4780-41-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4780-55-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4780-57-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4780-47-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4780-59-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4780-51-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4780-63-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4780-45-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download