debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
Size

215KB
MD5

9df07e88bc889cf23713548c5b49cad0
SHA1

3bf488f72e9282b5183dec10249ad29749917984
SHA256

debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77
SHA512

49ffdf26ae0711f1a1f56aefa55a223b198cc46a60a14ecf01d80da18aa12b8dc4ee15a3dad64c4577bf4c3f088d3f6bf2d55ed2d3ba450906275c367af2aea3
SSDEEP

1536:JfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJddu5QWXDp:JVqoCl/YgjxEufVU0TbTyDDalbduWWX1

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
5108	explorer.exe
4952	spoolsv.exe
676	svchost.exe
2712	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5108	explorer.exe
676	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
5108	explorer.exe
5108	explorer.exe
4952	spoolsv.exe
4952	spoolsv.exe
676	svchost.exe
676	svchost.exe
2712	spoolsv.exe
2712	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 5108	5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe	83
PID 5084 wrote to memory of 5108	5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe	83
PID 5084 wrote to memory of 5108	5084	debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe	83
PID 5108 wrote to memory of 4952	5108	explorer.exe	84
PID 5108 wrote to memory of 4952	5108	explorer.exe	84
PID 5108 wrote to memory of 4952	5108	explorer.exe	84
PID 4952 wrote to memory of 676	4952	spoolsv.exe	86
PID 4952 wrote to memory of 676	4952	spoolsv.exe	86
PID 4952 wrote to memory of 676	4952	spoolsv.exe	86
PID 676 wrote to memory of 2712	676	svchost.exe	87
PID 676 wrote to memory of 2712	676	svchost.exe	87
PID 676 wrote to memory of 2712	676	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe
"C:\Users\Admin\AppData\Local\Temp\debb15d92cc5eed64e48cbd40e276cc32ce2cb64b82dec24ccd6efb0a3177e77N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5084
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5108
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:676
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
215KB

MD5
ae98493f39bf80705fcb452a65431e0c

SHA1
09cec6b0f95599712c0b79c40909fff5f7158434

SHA256
f54cca4a4f59a9d8c41dd7e2fa874985168dd02472764b45209fce67f5c5275d

SHA512
7f38e250435adc4b08429e57a0879a23a3038c035052defb96b3fc77fe0c9e7e1c6e9ee380819e1b8a7d14c7574a3d18b16aea229595ba2752922810479a458f

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
215KB

MD5
a1d4ca2d32aefb8d6811b8dbbaa06900

SHA1
981a09126f10fecd697e2b7153995879beaab763

SHA256
adc4219f6ece3f39346c1298164c1eab557dfe40cf8d4c164013fbc7dea18682

SHA512
7e7d50bb77b9b8ae4dc89b5081e2af610568f2799165d6aae72903a63730bbd6319eb0daa7bdd1806f27d1247b8e3f4485c56a914030717eabeb7f2f82080e7b

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
215KB

MD5
0ab22c30a2225bdb8e77575cdda656eb

SHA1
b4055fac263029efe1e84c37fe62544f64edff2a

SHA256
004f51f037e2130d2381ee31c2f95d5f6bb5e435c6e0cc746ee2406e7617d703

SHA512
b18bbc1bc845161cd9389b2ac420d3399ddc4456ad54f436e9d4bd9503f5a30600f91554da9f679d6b8025a231dad9ac232316042023b299290fcf2c98213ab7

Download Submit
memory/676-36-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2712-32-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4952-33-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5084-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5084-34-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5108-35-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download