Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17/11/2024, 08:24
Static task: static1
Behavioral task: behavioral1
  Sample: af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe
  Resource: win10v2004-20241007-en
General
Target: af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe
Size: 135KB
MD5: 9e744e9c8c56ca5749f11d3421172049
SHA1: 94368a884542dfd78c9d2802415ad94cfb083e8a
SHA256: af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94
SHA512: d628f6cad788ebe7e8960cfb4fc3be74870b90671bb486fed0aa098e815806ab2b6dd81e9998550eca95454b1e7c908bbfe77ba06bd7cde860d84777bfed9eb3
SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVmY:UVqoCl/YgjxEufVU0TbTyDDalQY
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  by explorer.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  by svchost.exe
  ShowSuperHidden is the Explorer option "Show protected operating system files"; forcing it to 0 keeps anything carrying the hidden+system attributes out of an ordinary Explorer listing. Both writers here are the dropped copies in c:\windows\resources, not the Windows binaries of the same name.
Executes dropped EXE (4 IoCs)
  PID 1992 explorer.exe
  PID 2076 spoolsv.exe
  PID 2140 svchost.exe
  PID 2748 spoolsv.exe
Loads dropped DLL (4 IoCs)
  PID 1868 af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe
  PID 1992 explorer.exe
  PID 2076 spoolsv.exe
  PID 2140 svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  by svchost.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"  by svchost.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  by explorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"  by explorer.exe
Drops file in System32 directory (2 IoCs)
  File opened for modification C:\Windows\SysWOW64\explorer.exe  by explorer.exe
  File opened for modification C:\Windows\SysWOW64\explorer.exe  by svchost.exe
Drops file in Windows directory (4 IoCs)
  File opened for modification C:\Windows\Resources\tjud.exe  by explorer.exe
  File opened for modification \??\c:\windows\resources\themes\explorer.exe  by af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe
  File opened for modification \??\c:\windows\resources\spoolsv.exe  by explorer.exe
  File opened for modification \??\c:\windows\resources\svchost.exe  by spoolsv.exe
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by explorer.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by spoolsv.exe (2 hits)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by svchost.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by schtasks.exe (3 hits)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe
  Three of the eight hits come from schtasks.exe, a stock Windows utility launched by the malware, so they carry little weight on their own; the reads by the sample and its drops are the ones worth noting.
Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2828 schtasks.exe
  PID 2016 schtasks.exe
  PID 1188 schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1868 af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe (17 hits)
  PID 1992 explorer.exe (25 hits)
  PID 2140 svchost.exe (22 hits)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 1992 explorer.exe
  PID 2140 svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
  PID 1868 af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe (2 hits)
  PID 1992 explorer.exe (2 hits)
  PID 2076 spoolsv.exe (2 hits)
  PID 2140 svchost.exe (2 hits)
  PID 2748 spoolsv.exe (2 hits)
Suspicious use of WriteProcessMemory (32 IoCs; the sandbox logs every edge four times, so there are 8 distinct parent/child writes)
  source PID -> target PID   source image                                                                   procid_target
  1868 -> 1992               af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe          31
  1992 -> 2076               explorer.exe                                                                   32
  2076 -> 2140               spoolsv.exe                                                                    33
  2140 -> 2748               svchost.exe                                                                    34
  1992 -> 2660               explorer.exe                                                                   35
  2140 -> 2828               svchost.exe                                                                    36
  2140 -> 2016               svchost.exe                                                                    39
  2140 -> 1188               svchost.exe                                                                    42
  Each process writes only into the child it has just spawned, so these edges are the launch chain rather than injection into unrelated processes; they give the same tree that the Processes section shows.
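The WriteProcessMemory table above is the raw material for the process tree, but it arrives flattened and with every record repeated. The script below is an added example (not part of the sandbox's own output or tooling): it parses those records, deduplicates them, recovers the parent/child tree with depths, and prints it. The record strings are copied from this report (abridged to two copies per edge); the PID-to-image map is taken from the Processes section. The regex format "PID <src> wrote to memory of <dst> <src> <image> <procid_target>" is an assumption read off the lines on this page.

```python
import re
from collections import Counter, defaultdict, deque

# Records copied from the "Suspicious use of WriteProcessMemory" table of this report.
# The sandbox logs each cross-process write four times; two copies of each record are
# kept here so that the deduplication is exercised.
WPM_RECORDS = """
PID 1868 wrote to memory of 1992 1868 af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe 31
PID 1868 wrote to memory of 1992 1868 af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe 31
PID 1992 wrote to memory of 2076 1992 explorer.exe 32
PID 1992 wrote to memory of 2076 1992 explorer.exe 32
PID 2076 wrote to memory of 2140 2076 spoolsv.exe 33
PID 2076 wrote to memory of 2140 2076 spoolsv.exe 33
PID 2140 wrote to memory of 2748 2140 svchost.exe 34
PID 2140 wrote to memory of 2748 2140 svchost.exe 34
PID 1992 wrote to memory of 2660 1992 explorer.exe 35
PID 1992 wrote to memory of 2660 1992 explorer.exe 35
PID 2140 wrote to memory of 2828 2140 svchost.exe 36
PID 2140 wrote to memory of 2828 2140 svchost.exe 36
PID 2140 wrote to memory of 2016 2140 svchost.exe 39
PID 2140 wrote to memory of 2016 2140 svchost.exe 39
PID 2140 wrote to memory of 1188 2140 svchost.exe 42
PID 2140 wrote to memory of 1188 2140 svchost.exe 42
"""

# Image per PID, taken from the "Processes" section of this report.
IMAGES = {
    1868: r"C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe",
    1992: r"c:\windows\resources\themes\explorer.exe",
    2076: r"c:\windows\resources\spoolsv.exe",
    2140: r"c:\windows\resources\svchost.exe",
    2748: r"c:\windows\resources\spoolsv.exe",
    2660: r"C:\Windows\Explorer.exe",
    2828: r"C:\Windows\SysWOW64\schtasks.exe",
    2016: r"C:\Windows\SysWOW64\schtasks.exe",
    1188: r"C:\Windows\SysWOW64\schtasks.exe",
}

# Assumed line format: "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>"
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_edges(text):
    """Map each unique (src, dst) edge to its procid_target; also count raw hits per edge."""
    edges, hits = {}, Counter()
    for m in RECORD_RE.finditer(text):
        src, dst, _image, target = m.groups()
        edge = (int(src), int(dst))
        edges[edge] = int(target)
        hits[edge] += 1
    return edges, hits


def build_tree(edges):
    """Children per parent PID, plus the roots (PIDs that nobody wrote into)."""
    children = defaultdict(set)
    for src, dst in edges:
        children[src].add(dst)
    roots = {s for s, _ in edges} - {d for _, d in edges}
    return children, roots


def depths(children, roots):
    """Depth of every PID below its root (root = 0), by breadth-first walk."""
    depth = {r: 0 for r in roots}
    queue = deque(roots)
    while queue:
        pid = queue.popleft()
        for child in children.get(pid, ()):
            if child not in depth:
                depth[child] = depth[pid] + 1
                queue.append(child)
    return depth


def render(children, roots, images):
    """Indented text tree, one line per PID, children sorted by PID."""
    lines = []

    def walk(pid, level):
        lines.append("  " * level + f"{pid} {images.get(pid, '?')}")
        for child in sorted(children.get(pid, ())):
            walk(child, level + 1)

    for root in sorted(roots):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges, hits = parse_edges(WPM_RECORDS)
    children, roots = build_tree(edges)
    print(f"{sum(hits.values())} raw records -> {len(edges)} unique parent/child edges")
    print("\n".join(render(children, roots, IMAGES)))
```

Run as-is it reports 16 raw records collapsing to 8 edges and prints the tree rooted at PID 1868, with the three schtasks.exe instances and the second spoolsv.exe hanging off PID 2140, exactly as the Processes section lists them.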
Processes
C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe  (depth 1, PID 1868)
  command line: "C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\resources\themes\explorer.exe  (depth 2, PID 1992)
    command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\resources\spoolsv.exe  (depth 3, PID 2076)
      command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\resources\svchost.exe  (depth 4, PID 2140)
        command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\spoolsv.exe  (depth 5, PID 2748)
          command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\schtasks.exe  (depth 5, PID 2828)
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:26 /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
        C:\Windows\SysWOW64\schtasks.exe  (depth 5, PID 2016)
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:27 /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
        C:\Windows\SysWOW64\schtasks.exe  (depth 5, PID 1188)
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:28 /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
    C:\Windows\Explorer.exe  (depth 3, PID 2660)
      command line: C:\Windows\Explorer.exe

Reading the chain: the sample is a 32-bit binary running under WOW64 (its schtasks.exe comes from C:\Windows\SysWOW64 and its RunOnce values land under Wow6432Node). It drops explorer.exe into c:\windows\resources\themes; that copy drops spoolsv.exe, which drops svchost.exe, which re-launches spoolsv.exe with a different argument (PR instead of SE) and registers the scheduled task. All three names belong to Windows binaries, but the genuine svchost.exe and spoolsv.exe live in C:\Windows\System32, not C:\Windows\Resources, and the dropped files' hashes (Downloads, below) differ from the sample's. The argument letters seen on the page (SE, PR on the launch chain, RO in the RunOnce values) are a cheap command-line discriminator. The three schtasks calls each create the same task "svchost" with /f (overwrite), with /st one minute later than the last and about two minutes after the 08:24 submission, which indicates the start time is computed from the clock at run time rather than fixed in the binary. The real C:\Windows\Explorer.exe (PID 2660) is also started by the dropped explorer.exe (PID 1992); the report records no signatures for it.
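The behaviour above reduces to four host-observable patterns: a Windows binary name running from a directory where that binary never lives, a scheduled task whose /tr points at such a path, a Run/RunOnce value that does the same, and ShowSuperHidden forced to 0. The script below is an added example (not part of this report or of the sandbox) that encodes those patterns as rules and runs them over a constructed, Sysmon-style event list mirroring the process tree and registry writes on this page, alongside benign controls (the real svchost.exe, the real Explorer.exe, an ordinary vendor task) that must not fire. The expected directory per binary name is an assumption of the example; the event dictionaries are constructed, not captured.

```python
import ntpath
import re

# Windows binaries whose names this sample reuses for its drops, with the directories
# where each genuinely lives (assumed for this example). Same name elsewhere = masquerade.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}

TR_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
TN_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def is_masquerade(path):
    """True when path carries a system-binary name but sits outside that binary's real directory."""
    directory, name = ntpath.split(path.strip('"').lower())
    return name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]


def first_executable(cmdline):
    """Image at the head of a command line: quoted, a lone .exe path, or the first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    if cmdline.lower().endswith(".exe"):
        return cmdline
    return cmdline.split()[0] if cmdline else ""


def check_event(ev):
    """Return (rule, detail) findings for one event; empty list if it looks benign."""
    findings = []
    if ev["type"] == "process":
        if is_masquerade(ev["image"]):
            findings.append(("masquerading_system_binary", ev["image"]))
        cmd = ev.get("cmdline", "")
        tool = ntpath.basename(first_executable(cmd)).lower()
        if tool in ("schtasks", "schtasks.exe") and re.search(r"/create\b", cmd, re.I):
            tr, tn = TR_RE.search(cmd), TN_RE.search(cmd)
            target = (tr.group(1) or tr.group(2)) if tr else ""
            name = (tn.group(1) or tn.group(2)) if tn else ""
            if is_masquerade(first_executable(target)):
                findings.append(("scheduled_task_to_masquerade", f"{name} -> {target}"))
    elif ev["type"] == "registry":
        key = ev["key"].lower()
        if key.endswith((r"\currentversion\run", r"\currentversion\runonce")):
            if is_masquerade(first_executable(str(ev["data"]))):
                findings.append(("run_key_to_masquerade", f'{ev["value"]} = {ev["data"]}'))
        if key.endswith(r"\explorer\advanced") and ev["value"].lower() == "showsuperhidden" and str(ev["data"]) == "0":
            findings.append(("hides_protected_os_files", ev["key"]))
    return findings


def scan(events):
    return [f for ev in events for f in check_event(ev)]


# Constructed events mirroring this report (first five) plus benign controls (last three).
EVENTS = [
    {"type": "process", "image": r"c:\windows\resources\themes\explorer.exe",
     "cmdline": r"c:\windows\resources\themes\explorer.exe"},
    {"type": "process", "image": r"c:\windows\resources\spoolsv.exe",
     "cmdline": r"c:\windows\resources\spoolsv.exe SE"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:26 /f'},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": "Svchost", "data": r"c:\windows\resources\svchost.exe RO"},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "value": "ShowSuperHidden", "data": 0},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "process", "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe" /sc daily /st 03:00'},
]

if __name__ == "__main__":
    for rule, detail in scan(EVENTS):
        print(f"{rule:32} {detail}")
```

The masquerade check is the load-bearing rule: it is what makes the scheduled-task and RunOnce rules fire on this sample without flagging a vendor updater, and it applies equally to the pre-run copies under c:\windows\resources. Hash-based blocking would not do this job, since the dropped files differ from the submitted sample.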
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547), 1 hit: Registry Run Keys / Startup Folder (T1547.001), 1 hit
  Scheduled Task/Job (T1053), 1 hit: Scheduled Task (T1053.005), 1 hit
Privilege Escalation
  Boot or Logon Autostart Execution (T1547), 1 hit: Registry Run Keys / Startup Folder (T1547.001), 1 hit
  Scheduled Task/Job (T1053), 1 hit: Scheduled Task (T1053.005), 1 hit
The matrix only counts the two persistence techniques; System Language Discovery, flagged above under Signatures, is not placed in it by the sandbox.
Downloads (files written during the run; all three are 135KB like the sample but carry different hashes)
File 1
  Filesize: 135KB
  MD5: bbc9de349fca53405c501a1e18b14e72
  SHA1: 828680086341e04ef301a06c57a7c411fb1f2b70
  SHA256: f5c3600ec8eddafbd50dcfab4f231faefd08c714af72e316d92c74c819b8360f
  SHA512: 2e64e1a7189af73c2d2b166ae5d2a59d626af89d2a1e939ff09674043a1e7e2b091054bedc301547bef458ee010ca116a757cb8206b301191f6e6d79c3308291
File 2
  Filesize: 135KB
  MD5: 6eea316962b66e53374f20901a805ab1
  SHA1: 0d7417183dd7296dc84b78c6da765bdeee0f867d
  SHA256: ec43e30fe75683cb89c93af8383ddc8b1f5f7f5bc30c8bcde71bc69b41462bf8
  SHA512: 78d12ecc876695861bf1ac466c81bceeb58b6b2b6cbd35ada9b30f94e4c5dcba83ccba0511b9c4c0e4fc43b4501627d8e161d47e7ecbb94f06b95a81e098dc0c
File 3
  Filesize: 135KB
  MD5: c70154edb4ee2ae06e036e182c39f310
  SHA1: 85b0e4da7d16a9475d9f3deb993a3fcacc200526
  SHA256: 449585f0c8272348a0708621bcf554e371ab15aed5e1974f96d47252c349ac5b
  SHA512: 7432dabb119b5adf584590974ead186d02fa75641a31139901cdc2db14c7af5224d8746e9f17d5a077e11f27e06ec78bf8042d0de96e943dd9248e21639f9588
Because the on-disk copies do not share the submitted sample's hashes, blocking the sample's hash alone leaves the persistence copies untouched; match on the drop paths under C:\Windows\Resources and on the scheduled task and RunOnce values instead.