Analysis
-
max time kernel
65s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
21-11-2024 09:12
Static task
static1
Behavioral task
behavioral1
Sample
d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe
Resource
win10v2004-20241007-en
General
-
Target
d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe
-
Size
135KB
-
MD5
950b8d7ea0857324d631fac44ed1e8d0
-
SHA1
60c200f453ff3dc77df5efcdc6bb50411c074645
-
SHA256
d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64
-
SHA512
0511fa48f9f3437f228f98470cdf46f2ce56a63a8b8f9b38671d4161e0710b0dcb5331c1dbb5221f75e782168ecc36ca535934457fe888cb3d3bd48106eca4e2
-
SSDEEP
1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVXY:UVqoCl/YgjxEufVU0TbTyDDalRY
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Executes dropped EXE 4 IoCs
pid Process 2100 explorer.exe 1228 spoolsv.exe 2516 svchost.exe 2120 spoolsv.exe -
Loads dropped DLL 4 IoCs
pid Process 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2100 explorer.exe 1228 spoolsv.exe 2516 svchost.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2688 schtasks.exe 2472 schtasks.exe 2772 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2516 svchost.exe 2516 svchost.exe 2516 svchost.exe 2516 svchost.exe 2516 svchost.exe 2516 svchost.exe 2516 svchost.exe 2516 svchost.exe 2516 svchost.exe 2516 svchost.exe 2516 svchost.exe 2516 svchost.exe 2516 svchost.exe 2516 svchost.exe 2516 svchost.exe 2516 svchost.exe 2100 explorer.exe 2100 explorer.exe 2516 svchost.exe 2100 explorer.exe 2516 svchost.exe 2100 explorer.exe 2516 svchost.exe 2100 explorer.exe 2516 svchost.exe 2516 svchost.exe 2100 explorer.exe 2100 explorer.exe 2516 svchost.exe 2516 svchost.exe 2100 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2100 explorer.exe 2516 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 2100 explorer.exe 2100 explorer.exe 1228 spoolsv.exe 1228 spoolsv.exe 2516 svchost.exe 2516 svchost.exe 2120 spoolsv.exe 2120 spoolsv.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2356 wrote to memory of 2100 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 30 PID 2356 wrote to memory of 2100 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 30 PID 2356 wrote to memory of 2100 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 30 PID 2356 wrote to memory of 2100 2356 d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe 30 PID 2100 wrote to memory of 1228 2100 explorer.exe 31 PID 2100 wrote to memory of 1228 2100 explorer.exe 31 PID 2100 wrote to memory of 1228 2100 explorer.exe 31 PID 2100 wrote to memory of 1228 2100 explorer.exe 31 PID 1228 wrote to memory of 2516 1228 spoolsv.exe 32 PID 1228 wrote to memory of 2516 1228 spoolsv.exe 32 PID 1228 wrote to memory of 2516 1228 spoolsv.exe 32 PID 1228 wrote to memory of 2516 1228 spoolsv.exe 32 PID 2516 wrote to memory of 2120 2516 svchost.exe 33 PID 2516 wrote to memory of 2120 2516 svchost.exe 33 PID 2516 wrote to memory of 2120 2516 svchost.exe 33 PID 2516 wrote to memory of 2120 2516 svchost.exe 33 PID 2100 wrote to memory of 1748 2100 explorer.exe 34 PID 2100 wrote to memory of 1748 2100 explorer.exe 34 PID 2100 wrote to memory of 1748 2100 explorer.exe 34 PID 2100 wrote to memory of 1748 2100 explorer.exe 34 PID 2516 wrote to memory of 2688 2516 svchost.exe 35 PID 2516 wrote to memory of 2688 2516 svchost.exe 35 PID 2516 wrote to memory of 2688 2516 svchost.exe 35 PID 2516 wrote to memory of 2688 2516 svchost.exe 35 PID 2516 wrote to memory of 2472 2516 svchost.exe 39 PID 2516 wrote to memory of 2472 2516 svchost.exe 39 PID 2516 wrote to memory of 2472 2516 svchost.exe 39 PID 2516 wrote to memory of 2472 2516 svchost.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe"C:\Users\Admin\AppData\Local\Temp\d60c58e38b1de3e07ebcf36b8d8464568a9225aad58bdb438f3f14bfb3bc0f64.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2120
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:15 /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2688
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:16 /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2472
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:17 /f5⤵
- Scheduled Task/Job: Scheduled Task
PID:2772
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵PID:1748
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
135KB
MD5b46161d87fa4bda453a5ee6548a464ba
SHA196c975275ae2b571a96f346bee492a336143fe38
SHA256806d5c39e9170bdb890ac5ab6246a6ded3eacec3ac2a9b9a7634c63358a146e3
SHA512618e0c2c5554c96f65d28e86237ef089552f1b7ebec2c259ebfb48cea78a9e170cc51d82012923066802520a48c96b93da7a1546a133a7915d4af958b0395e37
-
Filesize
135KB
MD596fc0503f056e0183576ac366f8b47f4
SHA1a2cd5f5e20c70eb31298919984dd77485ae8ace7
SHA256c944fc61cfa321d3cc46cea56c11da4e2b1f5029d50798e9f4e19263f59c1b0a
SHA51284ce671ba42336cb3368d554f7f2be86293ed398b9e4e8ff078d1cffa544a0e7793c0f5297e23bce259259826b4b2947a67cae5f9637c7acee54227fe1bb2b57
-
Filesize
135KB
MD5fbddd7402cc73bbb4f8c036ccf604174
SHA130d6bb4bd123bf6bc205829a84fac3df2deeb6f8
SHA2569ebff83888cc456370606b208e79f0ffd48958e6ac4e2de45660d45f0d3be057
SHA51249ccafae320ae70fea0950ce81e8ea467210896af916fc0e5c3f7d2d4265281eeb30c1bcda5e0de0009ef15cde5de5e5b4fe793e96a7cb9d2fb2b9699ac9d04b