71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/01/2025, 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
Size

135KB
MD5

5266d8ea97ed0539fc9b5a8d0c423ad0
SHA1

98a16b5a9cd2083218be383dc110251b11913e06
SHA256

71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46
SHA512

d7e21b7bd9a43b6293c2626a1d2d8ba2e00aeb9edec671916e4bf34a453174c376d5e15cb00a8eb4c6bb31f11573799aa2c8f6c5753b75a455cbc3afcd2ede60
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVLv6w:UVqoCl/YgjxEufVU0TbTyDDalpv6w

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
3004	explorer.exe
1724	spoolsv.exe
2220	svchost.exe
2752	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
3004	explorer.exe
1724	spoolsv.exe
2220	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2060	schtasks.exe
2828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
3004	explorer.exe
2220	svchost.exe
2220	svchost.exe
3004	explorer.exe
3004	explorer.exe
2220	svchost.exe
3004	explorer.exe
3004	explorer.exe
2220	svchost.exe
3004	explorer.exe
2220	svchost.exe
2220	svchost.exe
3004	explorer.exe
3004	explorer.exe
2220	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2220	svchost.exe
3004	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
3004	explorer.exe
3004	explorer.exe
1724	spoolsv.exe
1724	spoolsv.exe
2220	svchost.exe
2220	svchost.exe
2752	spoolsv.exe
2752	spoolsv.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 3004	2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe	30
PID 2012 wrote to memory of 3004	2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe	30
PID 2012 wrote to memory of 3004	2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe	30
PID 2012 wrote to memory of 3004	2012	71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe	30
PID 3004 wrote to memory of 1724	3004	explorer.exe	31
PID 3004 wrote to memory of 1724	3004	explorer.exe	31
PID 3004 wrote to memory of 1724	3004	explorer.exe	31
PID 3004 wrote to memory of 1724	3004	explorer.exe	31
PID 1724 wrote to memory of 2220	1724	spoolsv.exe	32
PID 1724 wrote to memory of 2220	1724	spoolsv.exe	32
PID 1724 wrote to memory of 2220	1724	spoolsv.exe	32
PID 1724 wrote to memory of 2220	1724	spoolsv.exe	32
PID 2220 wrote to memory of 2752	2220	svchost.exe	33
PID 2220 wrote to memory of 2752	2220	svchost.exe	33
PID 2220 wrote to memory of 2752	2220	svchost.exe	33
PID 2220 wrote to memory of 2752	2220	svchost.exe	33
PID 3004 wrote to memory of 2860	3004	explorer.exe	34
PID 3004 wrote to memory of 2860	3004	explorer.exe	34
PID 3004 wrote to memory of 2860	3004	explorer.exe	34
PID 3004 wrote to memory of 2860	3004	explorer.exe	34
PID 2220 wrote to memory of 2060	2220	svchost.exe	35
PID 2220 wrote to memory of 2060	2220	svchost.exe	35
PID 2220 wrote to memory of 2060	2220	svchost.exe	35
PID 2220 wrote to memory of 2060	2220	svchost.exe	35
PID 2220 wrote to memory of 2828	2220	svchost.exe	39
PID 2220 wrote to memory of 2828	2220	svchost.exe	39
PID 2220 wrote to memory of 2828	2220	svchost.exe	39
PID 2220 wrote to memory of 2828	2220	svchost.exe	39

C:\Users\Admin\AppData\Local\Temp\71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe
"C:\Users\Admin\AppData\Local\Temp\71a808e07d3392bc04529c4bd24b369e9a411e1b27e30cd83eaaefa7b0afbd46N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3004
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2220
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2752
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:17 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2060
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:18 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2828
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
3e3d8c17ae93b4815b8d42d4c72e7fcb

SHA1
fd4371e1793b11a10f3e983e1bde00c1911cb325

SHA256
ba81c4d13d8632e6ab83e2faa34247733fbc34f66f5d23aa74ce9d67cc4c0715

SHA512
7f493c4c978a38367f1f960ceeb86389cc295e5695b6e5885f8684d262af21a37c5cfba3a784da556bf7ce5948c2c94fe49f07b36ac000366bff85e68dca4559

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
7c7dbbe70675f0a6b25e58b477f8cffb

SHA1
64f2c30cd6364b635bfc25065df91697424f9015

SHA256
a63ceaa038b49a0b40e80d739fe777f57d60711d32e5f691bda679c22e07a423

SHA512
a832540ddf31c1655a4fed27f623e5f9a2c352a25bf1f5cbcace7089ad8b61bc04ad9021b6594c75662ddd94ba0ff5bd2c0430f275982b71ec8c4e96fdcb679c

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
36b6967a26b700b97c96fcb39de4366f

SHA1
ed73f57cd72fc0d054515db3337e52a3e4cf3ef6

SHA256
0c8ccb50d679f2c28c0b5a1d4730dbe216e3c2ddefc8361cf5bc7ba780f02e5b

SHA512
f52ff913b0a1e6f8c3b1a0cf07925932e87473c9f623fcb5ed1c9165449883a785892ef6fc4f279d226ce75a52d9ce9a6fc361a613f4d7df2eeb29963ba47760

Download Submit
memory/1724-24-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1724-30-0x00000000002B0000-0x00000000002CF000-memory.dmp

Filesize
124KB

Download
memory/1724-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2012-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2012-9-0x0000000002460000-0x000000000247F000-memory.dmp

Filesize
124KB

Download
memory/2012-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2220-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2752-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3004-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download