3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280f

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
Size

2.6MB
MD5

86d990c85f15c81131a6ed64586dcf70
SHA1

4a19397eecce203f2f9cf3dea0e3140c851eeaa9
SHA256

3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280f
SHA512

cb8beae25836e06177678aae2debf68f09f71dea567e4ed14887830461f2a2193f137b9c9c2425735ad142e340d149b9ca82034799de79a26b5d4113af0af9a7
SSDEEP

49152:TeS12nRc6C5CEAHD26ICQVt1ULUQRP6a6YPkCLJ37xbIjNyX5Hxzl/+:6S+c6ZEmqCMtmoQRP6aZtnsNq9l/+

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2596	explorer.exe
492	spoolsv.exe
2724	svchost.exe
2844	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2596	explorer.exe
492	spoolsv.exe
2724	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 29 IoCs

pid	Process
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2596	explorer.exe
492	spoolsv.exe
2724	svchost.exe
2844	spoolsv.exe
2724	svchost.exe
2596	explorer.exe
2724	svchost.exe
2596	explorer.exe
2724	svchost.exe
2596	explorer.exe
2724	svchost.exe
2596	explorer.exe
2724	svchost.exe
2596	explorer.exe
2724	svchost.exe
2596	explorer.exe
2724	svchost.exe
2596	explorer.exe
2724	svchost.exe
2596	explorer.exe
2724	svchost.exe
2596	explorer.exe
2724	svchost.exe
2596	explorer.exe
2724	svchost.exe
2596	explorer.exe
2724	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1948	schtasks.exe
2868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2596	explorer.exe
2596	explorer.exe
2724	svchost.exe
2596	explorer.exe
2724	svchost.exe
2596	explorer.exe
2724	svchost.exe
2724	svchost.exe
2596	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2724	svchost.exe
2596	explorer.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
492	spoolsv.exe
492	spoolsv.exe
492	spoolsv.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2844	spoolsv.exe
2844	spoolsv.exe
2844	spoolsv.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2596	2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe	30
PID 2592 wrote to memory of 2596	2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe	30
PID 2592 wrote to memory of 2596	2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe	30
PID 2592 wrote to memory of 2596	2592	3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe	30
PID 2596 wrote to memory of 492	2596	explorer.exe	31
PID 2596 wrote to memory of 492	2596	explorer.exe	31
PID 2596 wrote to memory of 492	2596	explorer.exe	31
PID 2596 wrote to memory of 492	2596	explorer.exe	31
PID 492 wrote to memory of 2724	492	spoolsv.exe	32
PID 492 wrote to memory of 2724	492	spoolsv.exe	32
PID 492 wrote to memory of 2724	492	spoolsv.exe	32
PID 492 wrote to memory of 2724	492	spoolsv.exe	32
PID 2724 wrote to memory of 2844	2724	svchost.exe	33
PID 2724 wrote to memory of 2844	2724	svchost.exe	33
PID 2724 wrote to memory of 2844	2724	svchost.exe	33
PID 2724 wrote to memory of 2844	2724	svchost.exe	33
PID 2596 wrote to memory of 2872	2596	explorer.exe	34
PID 2596 wrote to memory of 2872	2596	explorer.exe	34
PID 2596 wrote to memory of 2872	2596	explorer.exe	34
PID 2596 wrote to memory of 2872	2596	explorer.exe	34
PID 2724 wrote to memory of 2868	2724	svchost.exe	35
PID 2724 wrote to memory of 2868	2724	svchost.exe	35
PID 2724 wrote to memory of 2868	2724	svchost.exe	35
PID 2724 wrote to memory of 2868	2724	svchost.exe	35
PID 2724 wrote to memory of 1948	2724	svchost.exe	39
PID 2724 wrote to memory of 1948	2724	svchost.exe	39
PID 2724 wrote to memory of 1948	2724	svchost.exe	39
PID 2724 wrote to memory of 1948	2724	svchost.exe	39

C:\Users\Admin\AppData\Local\Temp\3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe
"C:\Users\Admin\AppData\Local\Temp\3e926e144582b99e5c4aa1f6989bd1f96fe6b37e3858174e67e1af851df1280fN.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2596
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:492
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2724
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2844
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:29 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2868
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:30 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1948
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
821747b5f0d5f55fa299749a6d25ec9f

SHA1
17fd9fb945bf656e12a1c37bc0d45cad0700b71f

SHA256
fbb456935896fe19e7e4003645c87492c5e4d34a7bcd6f55b6cfd81c09ac5659

SHA512
e687d300b7a5ca9ebd03393821f3af1958814485f4233cf88fb3a5224b83f0dacae0d2b0058c4104bc65ba1452b73398d1c24d3983a6063562139ea4ba4ec7b2

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
5aee233d6bbc01450bb2870f71b2d5f8

SHA1
22554a3a5d0eaf29d7fb1dc5c55fd8cd93837b6d

SHA256
554c1b6167a2bcd7e9764afdaf0b196cfe61e4e246371ecc4f18beef1384c3fa

SHA512
6d3a0649f0c2ef9a43c51f0acbfb6e2e223d8d82273e02430fbb75277400d13f4b6a886ab2c18246d6b4e30e1d04be365ca445514db41b1682d7b9fc96923ed8

Download Submit
\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
1d161c88fa1d0784332980158b4db38a

SHA1
a979d2a11e6847c8ffce20c25ed268ee05ea1bd2

SHA256
edfbd0cecd4057eb5d473810cdff9a3e6a8cdc837b722e3f1d2d9b6cf4089a73

SHA512
2225189f5107d595d0dd4a9ecd865e8ca2ab280528a07941463637213c9f30128a6691767e01be82e0e118e9e48b414719e1179d6b6729b5eb46257068819d02

Download Submit
memory/492-51-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/492-24-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/492-35-0x00000000042E0000-0x0000000004C31000-memory.dmp

Filesize
9.3MB

Download
memory/2592-54-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2592-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2592-10-0x0000000004320000-0x0000000004C71000-memory.dmp

Filesize
9.3MB

Download
memory/2592-0-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2592-53-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2592-44-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2596-59-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2596-72-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2596-80-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2596-78-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2596-15-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2596-76-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2596-55-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2596-56-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2596-57-0x00000000044A0000-0x0000000004DF1000-memory.dmp

Filesize
9.3MB

Download
memory/2596-74-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2596-13-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2596-70-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2596-68-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2596-62-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2596-64-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2596-66-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-58-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-45-0x0000000004200000-0x0000000004B51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-63-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-69-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-65-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-71-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-67-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-73-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-61-0x0000000004200000-0x0000000004B51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-75-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-81-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-77-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-39-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2724-79-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2844-43-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2844-49-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download