Analysis
  max time kernel: 150s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 14/10/2024, 02:26

Static task: static1

Behavioral task: behavioral1
  Sample: ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc.exe
  Resource: win10v2004-20241007-en
General
  Target: ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc.exe
  Size: 233KB
  MD5: 699ebda3389fde874bf062f761ac329e
  SHA1: c80d075ddf25e6bf749ccbeddfca943d721f6df3
  SHA256: ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc
  SHA512: ebac09d10e25ed9f91207c64906ed3e70ef6742dcb9fe6a5d72cb51c9ed60e5519e4440ab85fea002163560aac5c8f08586ac757e1da55b31a7dc13821db33d6
  SSDEEP: 3072:5VqoCl/YgjxEufVU0TbTyDDal6z/dAMhdF2jBCmLdjaf3k6aaICeHE:5sLqdufVUNDaAz/LLvmpjE3EaICek
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Both dropped payloads set ShowSuperHidden to 0, which keeps Explorer's "Hide protected operating system files" option enabled, so files carrying the hidden and system attributes are not displayed to the user.
  Set value (int)  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"   process: svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"   process: explorer.exe
Executes dropped EXE (4 IoCs)
  pid 4860  explorer.exe
  pid 1988  spoolsv.exe
  pid 4900  svchost.exe
  pid 4856  spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  The values land under WOW6432Node because the payload is a 32-bit process whose HKLM\SOFTWARE writes are redirected on x64 Windows. RunOnce entries are deleted once they have been executed at the next logon, so persistence depends on the payload re-creating them, which both explorer.exe and svchost.exe do here.
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"   process: explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"   process: explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"   process: svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"   process: svchost.exe
Drops file in System32 directory (2 IoCs)
  C:\Windows\SysWOW64\explorer.exe is the genuine 32-bit Explorer binary on x64 Windows; opening it for modification suggests the sample overwrites or infects it, so during triage its hash should be compared against a known-good copy rather than trusting the path.
  File opened for modification  C:\Windows\SysWOW64\explorer.exe   process: explorer.exe
  File opened for modification  C:\Windows\SysWOW64\explorer.exe   process: svchost.exe
Drops file in Windows directory (4 IoCs)
  The dropped copies reuse the names of Windows system binaries (explorer.exe, spoolsv.exe, svchost.exe) but live under c:\windows\resources, a directory in which none of the real ones reside; the \??\ prefix is the NT object-manager path form.
  File opened for modification  C:\Windows\Resources\tjud.exe   process: explorer.exe
  File opened for modification  \??\c:\windows\resources\themes\explorer.exe   process: ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc.exe
  File opened for modification  \??\c:\windows\resources\spoolsv.exe   process: explorer.exe
  File opened for modification  \??\c:\windows\resources\svchost.exe   process: spoolsv.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Reading this key is also common in benign software that queries the locale, so on its own it is a weak signal.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: explorer.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: spoolsv.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: svchost.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: spoolsv.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Repeated entries for pid 2360 (ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc.exe) and pid 4860 (explorer.exe); 64 entries in total.
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid 4860  explorer.exe
  pid 4900  svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
  pid 2360  ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc.exe  (2 entries)
  pid 4860  explorer.exe  (2 entries)
  pid 1988  spoolsv.exe  (2 entries)
  pid 4900  svchost.exe  (2 entries)
  pid 4856  spoolsv.exe  (2 entries)
Suspicious use of WriteProcessMemory (12 IoCs)
  Each parent writes into the memory of the child it has just spawned; the report logs three writes per child, matching the parent/child edges of the process tree below.
  PID 2360 (ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc.exe) wrote to memory of 4860 (explorer.exe), procid_target 85, logged 3 times
  PID 4860 (explorer.exe) wrote to memory of 1988 (spoolsv.exe), procid_target 86, logged 3 times
  PID 1988 (spoolsv.exe) wrote to memory of 4900 (svchost.exe), procid_target 88, logged 3 times
  PID 4900 (svchost.exe) wrote to memory of 4856 (spoolsv.exe), procid_target 89, logged 3 times
Processes
  Nesting level is given by the leading number. The launch argument differs per stage: RO in the RunOnce values, SE and PR on the spoolsv.exe command lines.

  1. C:\Users\Admin\AppData\Local\Temp\ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc.exe"
     PID: 2360
     - Drops file in Windows directory
     - System Location Discovery: System Language Discovery
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory

     2. \??\c:\windows\resources\themes\explorer.exe
        command line: c:\windows\resources\themes\explorer.exe
        PID: 4860
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        3. \??\c:\windows\resources\spoolsv.exe
           command line: c:\windows\resources\spoolsv.exe SE
           PID: 1988
           - Executes dropped EXE
           - Drops file in Windows directory
           - System Location Discovery: System Language Discovery
           - Suspicious use of SetWindowsHookEx
           - Suspicious use of WriteProcessMemory

           4. \??\c:\windows\resources\svchost.exe
              command line: c:\windows\resources\svchost.exe
              PID: 4900
              - Modifies visibility of hidden/system files in Explorer
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in System32 directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

              5. \??\c:\windows\resources\spoolsv.exe
                 command line: c:\windows\resources\spoolsv.exe PR
                 PID: 4856
                 - Executes dropped EXE
                 - System Location Discovery: System Language Discovery
                 - Suspicious use of SetWindowsHookEx
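The registry, file and process artifacts above translate directly into host-detection logic. The following is an added example and not part of the sandbox report: a small Python matcher run over constructed Sysmon-style events (EventID 1 process create, 11 file create/modify, 13 registry value set) that flags the behaviours this sample exhibits: Run/RunOnce values that launch a binary from c:\windows\resources, ShowSuperHidden forced to 0, Windows system binary names (explorer.exe, svchost.exe, spoolsv.exe) executing from a directory the real ones never live in, a write to a genuine system binary such as C:\Windows\SysWOW64\explorer.exe, and the parent/child chain reconstructed from the process events. The event field names, the sample's parent process (pid 1234) and the benign control events are assumptions made for the example; real Sysmon or EDR telemetry needs its own parsing.

```python
"""Host-side matcher for the behaviours recorded in this sandbox run.

Added example, not part of the report. The events below are constructed to
mirror the report's IoCs using Sysmon-like fields (EventID 1 process create,
11 file create/modify, 13 registry value set); the field names, the sample's
parent (pid 1234) and the benign control events are assumptions.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# Where the genuine Windows binaries of these names live on a default x64
# install. The sample's copies run from c:\windows\resources instead.
LEGIT_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
DROP_DIR = r"c:\windows\resources"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc.exe")
PAYLOAD = r"c:\windows\resources\themes\explorer.exe"
RUNONCE = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
ADVANCED = (r"HKU\S-1-5-21-3350944739-639801879-157714471-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced")


def normalize(path: str) -> PureWindowsPath:
    """Drop the NT object-manager prefix (\\??\\) seen in the report and lower-case."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return PureWindowsPath(path.strip('"').lower())


def is_masquerade(image: str) -> bool:
    """True when a system binary name executes from a directory it never lives in."""
    p = normalize(image)
    dirs = LEGIT_DIRS.get(p.name)
    return dirs is not None and str(p.parent) not in dirs


def is_genuine_system_binary(path: str) -> bool:
    p = normalize(path)
    return str(p.parent) in LEGIT_DIRS.get(p.name, set())


def under_drop_dir(path: str) -> bool:
    return str(normalize(path)).startswith(DROP_DIR + "\\")


def check_registry(key: str, value: str) -> str | None:
    k = key.lower()
    if k.endswith(r"\explorer\advanced\showsuperhidden") and value.strip('"') == "0":
        return "ShowSuperHidden=0: Explorer keeps hidden/system files invisible"
    if any(m in k for m in RUN_KEY_MARKERS):
        # Value is '<exe> <args>' (e.g. '... explorer.exe RO'); a quoted exe path may contain spaces.
        exe = value[1:value.index('"', 1)] if value.startswith('"') else value.split()[0]
        if is_masquerade(exe) or under_drop_dir(exe):
            return f"autostart value launches masqueraded binary {exe}"
    return None


def check_file(target: str, writer: str) -> str | None:
    if is_genuine_system_binary(target):
        return f"genuine system binary {target} opened for modification by {writer}"
    if under_drop_dir(target) and normalize(target).suffix == ".exe":
        return f"executable dropped under {DROP_DIR}: {target}"
    return None


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Return (pid, finding) for every event that matches one of the rules above."""
    findings: list[tuple[int, str]] = []
    for e in events:
        if e["id"] == 1 and is_masquerade(e["image"]):
            findings.append((e["pid"], f"masqueraded {e['image']} started by {e['parent_image']}"))
        elif e["id"] == 11 and (hit := check_file(e["target"], e["image"])):
            findings.append((e["pid"], hit))
        elif e["id"] == 13 and (hit := check_registry(e["key"], e["value"])):
            findings.append((e["pid"], hit))
    return findings


def process_chain(events: list[dict], pid: int) -> list[str]:
    """Image names from the first logged ancestor down to pid (the report's tree, flattened)."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    chain = []
    while pid in procs:
        chain.append(normalize(procs[pid]["image"]).name)
        pid = procs[pid]["ppid"]
    return chain[::-1]


# Constructed events in the order the report's process tree implies.
CONSTRUCTED_EVENTS = [
    {"id": 1, "pid": 2360, "image": SAMPLE, "ppid": 1234, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 11, "pid": 2360, "image": SAMPLE, "target": r"\??\c:\windows\resources\themes\explorer.exe"},
    {"id": 1, "pid": 4860, "image": PAYLOAD, "ppid": 2360, "parent_image": SAMPLE},
    {"id": 13, "pid": 4860, "image": PAYLOAD, "key": RUNONCE + r"\Explorer", "value": PAYLOAD + " RO"},
    {"id": 13, "pid": 4860, "image": PAYLOAD, "key": RUNONCE + r"\Svchost", "value": r"c:\windows\resources\svchost.exe RO"},
    {"id": 13, "pid": 4860, "image": PAYLOAD, "key": ADVANCED + r"\ShowSuperHidden", "value": "0"},
    {"id": 11, "pid": 4860, "image": PAYLOAD, "target": r"C:\Windows\SysWOW64\explorer.exe"},
    {"id": 11, "pid": 4860, "image": PAYLOAD, "target": r"\??\c:\windows\resources\spoolsv.exe"},
    {"id": 1, "pid": 1988, "image": r"c:\windows\resources\spoolsv.exe", "ppid": 4860, "parent_image": PAYLOAD},
    {"id": 11, "pid": 1988, "image": r"c:\windows\resources\spoolsv.exe", "target": r"\??\c:\windows\resources\svchost.exe"},
    {"id": 1, "pid": 4900, "image": r"c:\windows\resources\svchost.exe", "ppid": 1988, "parent_image": r"c:\windows\resources\spoolsv.exe"},
    {"id": 1, "pid": 4856, "image": r"c:\windows\resources\spoolsv.exe", "ppid": 4900, "parent_image": r"c:\windows\resources\svchost.exe"},
    # Benign controls (constructed): the real svchost, an ordinary Run value, a document write.
    {"id": 1, "pid": 900, "image": r"C:\Windows\System32\svchost.exe", "ppid": 700, "parent_image": r"C:\Windows\System32\services.exe"},
    {"id": 13, "pid": 3000, "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"id": 11, "pid": 3100, "image": r"C:\Windows\System32\notepad.exe", "target": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for pid, finding in scan(CONSTRUCTED_EVENTS):
        print(f"{pid:>5}  {finding}")
    print(" -> ".join(process_chain(CONSTRUCTED_EVENTS, 4856)))
```

The path rule is the load-bearing one: the genuine explorer.exe, svchost.exe and spoolsv.exe have a small, fixed set of home directories, so any process with one of those names running from c:\windows\resources is a masquerade regardless of the binary's hash, which is why the benign System32\svchost.exe control does not fire while every dropped copy does. The file rule is the complement: a write to a path where a genuine system binary lives (here SysWOW64\explorer.exe) from anything but a servicing process deserves a hash check against known-good media.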
Network
MITRE ATT&CK Enterprise v15
Downloads
  Three files were collected from the run; the report lists hashes only, no file names.

  Filesize: 234KB
  MD5: c5b1c32a1357e3fd6ec5dc935b9466a1
  SHA1: a5a4ea87b24ad3f0eb258449e10403e90da1d8b9
  SHA256: 21a6a6e6735494d9c2c7f366ec041f4834545b1b941db49720ef6d1bb165d3d8
  SHA512: 98e1be9c9e31983929ffed977e6522c1b0b499bd25ed6ba8028c0f2cc98fa1f059e2b413aa2f1a1f0ca2681dc5e93923bde809408bb3f58174e400ead51e1255

  Filesize: 234KB
  MD5: f7a06b7ac99c3f5a2b7d98d994d8acdf
  SHA1: 86815ffe6a9f851865297b6def5a9a380de01d87
  SHA256: db3c174f41b2b3348ab68bb0003fcb25a742de8dde9aab37b7245ce8e88f8a07
  SHA512: f8e809b709ba96995d54fcf474b14ed1518380ad7a65b998fd1c1ae8c9d7d1fb8b901c7979c3f818aa660ec2f8ecc14c3977278d7b50a0fe831636449f7802e7

  Filesize: 233KB
  MD5: eafecc1164d871928c8aeaa59a3e5604
  SHA1: fdc21a213e2522ef349ed861e2da7368f7ef6791
  SHA256: 4addf7f131fb1e8d557a357f7b9c3b9e9fc91b9322139070ab1f869702dc4bd8
  SHA512: a2a42d470c49d90964e1f6bbe3a6bdda1cdf981f05c69b1547c9e659a1e37eb693b3b5d81ebb36b77f24f9f2ecdaf68701bab6604bd45fa12ac5aa4bd96b74dd