Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/11/2024, 08:24
Static task: static1
Behavioral task: behavioral1
  Sample: af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe
  Resource: win10v2004-20241007-en
General
Target: af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe
Size: 135KB
MD5: 9e744e9c8c56ca5749f11d3421172049
SHA1: 94368a884542dfd78c9d2802415ad94cfb083e8a
SHA256: af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94
SHA512: d628f6cad788ebe7e8960cfb4fc3be74870b90671bb486fed0aa098e815806ab2b6dd81e9998550eca95454b1e7c908bbfe77ba06bd7cde860d84777bfed9eb3
SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVmY:UVqoCl/YgjxEufVU0TbTyDDalQY
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Executes dropped EXE (4 IoCs)
  pid | Process
  5060 | explorer.exe
  228 | spoolsv.exe
  3808 | svchost.exe
  2016 | spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe

Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  448 | af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe (repeated entries)
  5060 | explorer.exe (repeated entries)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  5060 | explorer.exe
  3808 | svchost.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | Process
  448 | af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe (2 entries)
  5060 | explorer.exe (2 entries)
  228 | spoolsv.exe (2 entries)
  3808 | svchost.exe (2 entries)
  2016 | spoolsv.exe (2 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 448 wrote to memory of 5060 | 448 | af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe | 83 (3 entries)
  PID 5060 wrote to memory of 228 | 5060 | explorer.exe | 84 (3 entries)
  PID 228 wrote to memory of 3808 | 228 | spoolsv.exe | 86 (3 entries)
  PID 3808 wrote to memory of 2016 | 3808 | svchost.exe | 87 (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe"
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 448

   2. \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 5060

      3. \??\c:\windows\resources\spoolsv.exe
         Command line: c:\windows\resources\spoolsv.exe SE
         - Executes dropped EXE
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         PID: 228

         4. \??\c:\windows\resources\svchost.exe
            Command line: c:\windows\resources\svchost.exe
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 3808

            5. \??\c:\windows\resources\spoolsv.exe
               Command line: c:\windows\resources\spoolsv.exe PR
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of SetWindowsHookEx
               PID: 2016
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 135KB
MD5: 0feec4d4d59ed37fdd98cdd6ddcbb51b
SHA1: 3614a1b9a47da1115a8ba8af02e306c27bfecdb5
SHA256: 54cdcff47995bbf7f00a55888ccdb2e7050367247c319fdfb724fb58809766db
SHA512: f9e5910edb48cdd900b3de30b9f80eb560492a2ddb1306d42906bbb990d76bab93e299ec933a6e66e4d9eb7b96bce0a7e02a2ad36e754028911a493aff21a432

Filesize: 135KB
MD5: f9b1b9d116d4170a864c8b24f03c3859
SHA1: 5d149d509b429a620375856d5c26247a9ea0fa4b
SHA256: cda8e4dec587a08ecfc89c0f8ab02febfcbec77ece40fbbe75fa0f964fcca338
SHA512: 633800bfde868755d264bbe6f0b396da702ff8ddafa7c172bd1993e8231201d345a32800eb5329d4d92e9bbfd609d05d438d4e839b71d416364ce3e4f95bd4cb

Filesize: 135KB
MD5: 688c873ec3c8192a5a3bbd189ddcfe25
SHA1: 2b95e73333b38f0239298ea3e4fc85ba717456bf
SHA256: 4a4373bc4138f91b2967845717a453c3743afe809bdd384a9feb6690bf48c27c
SHA512: 5ba4b2e15691d700bf68578acbca5866dd841d76801dd01e0ab42f3d6466105b115ff6b07cfaa5a1c5936a30605cac198c9ed840be2753c62860d88b93ba66c2