Analysis
max time kernel: 150s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2024 08:59
Static task: static1
Behavioral task: behavioral1
  Sample: d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe
  Resource: win10v2004-20241007-en
General
Target: d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe
Size: 135KB
MD5: 6846d3a6156030f790645430397d3d65
SHA1: be370f708018d3e34ef09b0199b3c93dac8304ac
SHA256: d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e
SHA512: 9b55a1d95f8fb5316f66198e35f75d36f1026e7ad51e1ab9da3fa7e7732f58b87afeb69ad3fd6035ea7ed2ea9a7b83073c66d4ce8438646e9656e8586df6e8cb
SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVhpalY:UVqoCl/YgjxEufVU0TbTyDDalQlY
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Executes dropped EXE (4 IoCs)
pid | Process
2892 | explorer.exe
2816 | spoolsv.exe
2980 | svchost.exe
2408 | spoolsv.exe
Loads dropped DLL (4 IoCs)
pid | Process
840 | d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe
2892 | explorer.exe
2816 | spoolsv.exe
2980 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2904 | schtasks.exe
2180 | schtasks.exe
2076 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
840 | d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe
2892 | explorer.exe
2980 | svchost.exe
(The 64 entries are repeated hits for these three processes only.)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2892 | explorer.exe
2980 | svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process
840 | d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe
2892 | explorer.exe
2816 | spoolsv.exe
2980 | svchost.exe
2408 | spoolsv.exe
(Each process is listed twice in the report.)
Suspicious use of WriteProcessMemory (32 IoCs)
description | pid | Process | procid_target
PID 840 wrote to memory of 2892 | 840 | d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe | 29
PID 2892 wrote to memory of 2816 | 2892 | explorer.exe | 30
PID 2816 wrote to memory of 2980 | 2816 | spoolsv.exe | 31
PID 2980 wrote to memory of 2408 | 2980 | svchost.exe | 32
PID 2892 wrote to memory of 3024 | 2892 | explorer.exe | 33
PID 2980 wrote to memory of 2904 | 2980 | svchost.exe | 34
PID 2980 wrote to memory of 2180 | 2980 | svchost.exe | 37
PID 2980 wrote to memory of 2076 | 2980 | svchost.exe | 39
(Each entry appears four times in the report.)
Processes
(Depth 1) C:\Users\Admin\AppData\Local\Temp\d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 840
  (Depth 2) \??\c:\windows\resources\themes\explorer.exe
    Command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2892
    (Depth 3) \??\c:\windows\resources\spoolsv.exe
      Command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2816
      (Depth 4) \??\c:\windows\resources\svchost.exe
        Command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2980
        (Depth 5) \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 2408
        (Depth 5) C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:01 /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 2904
        (Depth 5) C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:02 /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 2180
        (Depth 5) C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:03 /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 2076
    (Depth 3) C:\Windows\Explorer.exe
      Command line: C:\Windows\Explorer.exe
      PID: 3024
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
Dropped file 1
  Filesize: 135KB
  MD5: 7692791471778a4a853f95a1432e436d
  SHA1: 841dcdaee35834d92f7dc19b4f820eda26c67dce
  SHA256: 067d0eb1ba8630591e02c6b1bf5e36b2c44a6134386d58a211519c49b820e87d
  SHA512: 59acbb9b3b597d03c1152f4e41e580baa497d089e459b98f5a7033f665598f298428d7e8caf272ec67e77aaef13a378d8dfd555d6194394ffaa0d61706ab1cbb
Dropped file 2
  Filesize: 135KB
  MD5: c6ec53082f88514f0c4592b02db764ad
  SHA1: 200e301cbfbd610d0e0658ad7047eb0f670e0d8f
  SHA256: b0236637880ce5e09e6838e0ed811867ae4e0603cbae2ba5ab9315a77d2efdc1
  SHA512: 93bc27100ce0ea935bda140ca71cf4e6d9a24855d4c72cd024fb8891bd7830fa8584c1148899a7370ab3d5cd909567e4a0595377c25a84347e7742378a39b778
Dropped file 3
  Filesize: 135KB
  MD5: f3c6e4823b21448193b57b9bbeccd2d9
  SHA1: 4b8ab9799ba39155f3b7f4c507e1e5880d08ce62
  SHA256: f13e7095c7418d7c4d6d059d4dcb739c3377560645a3f8335574bec88afb0fb4
  SHA512: 4e1595e3715b34c05329e570468346e7fc79a1ee7834a0b13658ca3688607054d71b740fe6fa860effccb97b4d33addd73e355f749639c06348fe7b2ffb69eea