Analysis
max time kernel: 120s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2025, 09:14
Static task: static1
Behavioral task: behavioral1
  Sample: b940c9916cffd184e0f26b2e8c3c12e326f5c7bea8d1cd9fe5af68953ca4d09eN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b940c9916cffd184e0f26b2e8c3c12e326f5c7bea8d1cd9fe5af68953ca4d09eN.exe
  Resource: win10v2004-20241007-en
General
Target: b940c9916cffd184e0f26b2e8c3c12e326f5c7bea8d1cd9fe5af68953ca4d09eN.exe
Size: 206KB
MD5: d9b79a2638e6b7f6df618ffc260a4f50
SHA1: 7f52dfd1a1c9d6cfd1b8b2b4eb30bef21d57fa81
SHA256: b940c9916cffd184e0f26b2e8c3c12e326f5c7bea8d1cd9fe5af68953ca4d09e
SHA512: 4f39e6407730520139e03ead2e1f8ad2d1d7ebb7bd1ddf304934b87937e4f6b274b002d4c9990754364187134e0b052100d0dd95b7224af332ca9cb8866977f1
SSDEEP: 1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdylllllllllllld:/VqoCl/YgjxEufVU0TbTyDDalbA
Malware Config
Signatures

- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

- Executes dropped EXE (4 IoCs)
  pid | Process
  2284 | explorer.exe
  4176 | spoolsv.exe
  3696 | svchost.exe
  408 | spoolsv.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe

- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe

- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | b940c9916cffd184e0f26b2e8c3c12e326f5c7bea8d1cd9fe5af68953ca4d09eN.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b940c9916cffd184e0f26b2e8c3c12e326f5c7bea8d1cd9fe5af68953ca4d09eN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3196 | b940c9916cffd184e0f26b2e8c3c12e326f5c7bea8d1cd9fe5af68953ca4d09eN.exe (repeated entries)
  2284 | explorer.exe (repeated entries)
  (All 64 IoCs are repeated hits for these two processes.)

- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2284 | explorer.exe
  3696 | svchost.exe

- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | Process
  3196 | b940c9916cffd184e0f26b2e8c3c12e326f5c7bea8d1cd9fe5af68953ca4d09eN.exe (2 entries)
  2284 | explorer.exe (2 entries)
  4176 | spoolsv.exe (2 entries)
  3696 | svchost.exe (2 entries)
  408 | spoolsv.exe (2 entries)

- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 3196 wrote to memory of 2284 | 3196 | b940c9916cffd184e0f26b2e8c3c12e326f5c7bea8d1cd9fe5af68953ca4d09eN.exe | 85 (3 entries)
  PID 2284 wrote to memory of 4176 | 2284 | explorer.exe | 86 (3 entries)
  PID 4176 wrote to memory of 3696 | 4176 | spoolsv.exe | 87 (3 entries)
  PID 3696 wrote to memory of 408 | 3696 | svchost.exe | 88 (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\b940c9916cffd184e0f26b2e8c3c12e326f5c7bea8d1cd9fe5af68953ca4d09eN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b940c9916cffd184e0f26b2e8c3c12e326f5c7bea8d1cd9fe5af68953ca4d09eN.exe"
   PID: 3196
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      PID: 2284
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. \??\c:\windows\resources\spoolsv.exe
         Command line: c:\windows\resources\spoolsv.exe SE
         PID: 4176
         - Executes dropped EXE
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. \??\c:\windows\resources\svchost.exe
            Command line: c:\windows\resources\svchost.exe
            PID: 3696
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. \??\c:\windows\resources\spoolsv.exe
               Command line: c:\windows\resources\spoolsv.exe PR
               PID: 408
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 206KB
  MD5: 9441b3381d789637a26ab24abaf7f912
  SHA1: 2565734dcb13bf18a05cf9b6d9071148732da49f
  SHA256: 86f8f31c21c840295d944cee0a4bedebb9a71b888e2ba4f80bd8cfa073013a35
  SHA512: f678c77d73f3dc5191c2389e8c0d2ba7b806489da0f854f45328a9f0752b8200a85dcd7c6e946082cc903b543952543a906455981da3464d03ac6696cd87357f

- Filesize: 206KB
  MD5: 2ac63a88abb43264725f90a7418f6521
  SHA1: 8f3b4a75155215fef0b1f0773f5ee8aec21900b0
  SHA256: 4fa86ddd0af3de58d64e38a198a0f81e22f4e908f28a0df3da17efcfe0dcd838
  SHA512: aa40665ab25041bee259d939685bddc3e0a73b97fbbbf5b14321027e1122324580b033a85e842b8a5f6c860f4b02d4e7ef55564093e2d0017d3e5631d1cbee13

- Filesize: 206KB
  MD5: 0890c07cacf706094eb8eaaeadca26f1
  SHA1: 4e912d367430660830c56748c2826dae511b4f7b
  SHA256: eab5d4aba5afd888de9c2e6353ba4f4d558dd1be6bdd5c396b2b2f0052d237de
  SHA512: 501fffe5224b1cd527a48d3af58534db195f69862206b3138bb53c5796bf31ce1f21c9c5411037b93e44e64b231b9a0b18668dfb2ade97558104c1d9eaf35dee