858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bd

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
Size

135KB
MD5

3132a11da390f887775fd5b2c955fa70
SHA1

6cd1e44d2a29b689233ba880de2569074463bfb1
SHA256

858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bd
SHA512

8d00bbad68c36cdc9ea00fd3d559e6aadd875b682fbbc70415f0d04689978df42b193e9d306f728ead8690d1279520c9451ce0e6327d8c971115386753d71897
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV9z:UVqoCl/YgjxEufVU0TbTyDDal/z

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3872	explorer.exe
4312	spoolsv.exe
3508	svchost.exe
1144	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe
3872	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3872	explorer.exe
3508	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
3872	explorer.exe
3872	explorer.exe
4312	spoolsv.exe
4312	spoolsv.exe
3508	svchost.exe
3508	svchost.exe
1144	spoolsv.exe
1144	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 3872	1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe	85
PID 1648 wrote to memory of 3872	1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe	85
PID 1648 wrote to memory of 3872	1648	858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe	85
PID 3872 wrote to memory of 4312	3872	explorer.exe	87
PID 3872 wrote to memory of 4312	3872	explorer.exe	87
PID 3872 wrote to memory of 4312	3872	explorer.exe	87
PID 4312 wrote to memory of 3508	4312	spoolsv.exe	88
PID 4312 wrote to memory of 3508	4312	spoolsv.exe	88
PID 4312 wrote to memory of 3508	4312	spoolsv.exe	88
PID 3508 wrote to memory of 1144	3508	svchost.exe	89
PID 3508 wrote to memory of 1144	3508	svchost.exe	89
PID 3508 wrote to memory of 1144	3508	svchost.exe	89

C:\Users\Admin\AppData\Local\Temp\858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe
"C:\Users\Admin\AppData\Local\Temp\858e2981066c9ce348d810dcaded79e16adc507675cac4a993d4b80bb295c1bdN.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3872
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3508
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
2e423c78f38c7f8a598373bb1d5c5b6c

SHA1
1eba88f420aa803744af8ff3fd48cba8629ad027

SHA256
20ab3612d030ff7320d3adf27884b11081b50fe459e20a10005b520de73b0153

SHA512
11860f27e9067b57b4bbdfd921ea97ae08357939b3308761c5e76ba2f283d3fd9ff264b20462aef38fad737a3d5888f9e1a13c9e0fb047e96ef1aecd8de7d0ca

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
4c301ed14f12cf665443fa3c97d3437d

SHA1
b659472dda3e502808dc7e2af8364421436232dd

SHA256
db6a4377443f32b3f318d314e05f9cc5126f70891368a316a3966965819cfa04

SHA512
d8252b01cabf16a5236fbd2ea0460784dfa4d1c57dcae8e5b68935b11353180d51d9bb906a4da594d6539597caa46c6636ccf388241ac0488e19e0a48f29f250

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
c72f78620547fadd34e64a3f77a50b22

SHA1
a49db3a3f2f116a8f97e602ce70391a6a1d9ca1c

SHA256
cefa30dae4d40a667d166b3fca91a98c73d6a0f87ebaee72ffed0b374a38d1f8

SHA512
0782261f751caa66dbd7efcc5b672e9b0b2d5fe37ff718a605f966f63b88964a9eac8be63ebadc056978eb4a17594319d91a49861d6e2eae4f2b4adc0dd9d940

Download Submit
memory/1144-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3508-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3872-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download