769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 04:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
Size

135KB
MD5

8559c6756994c72f49b4a47951f77ed0
SHA1

2bbc524de50503abf26d47ffe12d2e9967130c6b
SHA256

769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065
SHA512

332bc8486adc5c8f412ad27b2fab8797b95d24b810f9188ce06c00fb69928c62734ee57ef2425751d24d64293504fbe4e108d9eb5952e14ba199c4a073b7264d
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVuWXb:UVqoCl/YgjxEufVU0TbTyDDalTXb

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4620	explorer.exe
2148	spoolsv.exe
4156	svchost.exe
3436	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4620	explorer.exe
4156	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
4620	explorer.exe
4620	explorer.exe
2148	spoolsv.exe
2148	spoolsv.exe
4156	svchost.exe
4156	svchost.exe
3436	spoolsv.exe
3436	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 4620	3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe	85
PID 3568 wrote to memory of 4620	3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe	85
PID 3568 wrote to memory of 4620	3568	769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe	85
PID 4620 wrote to memory of 2148	4620	explorer.exe	86
PID 4620 wrote to memory of 2148	4620	explorer.exe	86
PID 4620 wrote to memory of 2148	4620	explorer.exe	86
PID 2148 wrote to memory of 4156	2148	spoolsv.exe	87
PID 2148 wrote to memory of 4156	2148	spoolsv.exe	87
PID 2148 wrote to memory of 4156	2148	spoolsv.exe	87
PID 4156 wrote to memory of 3436	4156	svchost.exe	89
PID 4156 wrote to memory of 3436	4156	svchost.exe	89
PID 4156 wrote to memory of 3436	4156	svchost.exe	89

C:\Users\Admin\AppData\Local\Temp\769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe
"C:\Users\Admin\AppData\Local\Temp\769ddd02c846b5916a568e312d1f34b07b159990a41fae57a0dfb82117828065N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3568
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4620
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4156
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
4935d84d4a69f53ea81af34a81293586

SHA1
fe01647f49cb27ad5cc974ca89cbab76b128d332

SHA256
b3af31bdaf11389f33343daecdf6d836f4198e6f9706a01524b9156c333ebbc9

SHA512
a50ceb5b799ca58f023541c2786a52d75d5111f4d4246c782548cef6f112b9b721a336ed562387cae7d155c3158f2b33f40c4c8fa8408dc2ae71ffe841102c76

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
1fb31e90861e8ff0e59edd462566461e

SHA1
00aa60a45f9e5822b5cc77cf4b50f342a2263942

SHA256
51f07b4244618a1bed8cb56892b9a7d1af96f14c43f1b1667653ce3be3cb6b03

SHA512
ac0332c248fe0c9a1f27469de9224eb773640c420eb5a606df230700e779ef831ec15f8261b142df32fe08def7bec16bd8527d731e2f5bf88c3633e1863df9b9

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
56f9494906b1a1e063c833a334433285

SHA1
cd33db974058a03ec1df2d0c2416b77a41bffd82

SHA256
b39494e0f5dbcb05903495061fc76e401238da0296e0d3f879a8a748cfacf5aa

SHA512
e755676effebf18366aca282ce52879bcf64156fdfc1a2f47db4ea5441ec9dc4bbd4ad105554f2c3ff49ef0404917b6b34d8e41f99d6b76324d6b1fb47b28e5f

Download Submit
memory/2148-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3436-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3568-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3568-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4156-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4620-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download