fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac

Analysis

max time kernel
150s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
Size

135KB
MD5

3af296ab5b9ff7607a13b388c3569806
SHA1

6297f13a128b2fba5cbd8cecbc4cf50d511c6d48
SHA256

fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac
SHA512

872eb4381faae43c50b80b2c82cbeaf87ffea2b392700d986ef9a5152843e9e96f8a46ffa50b130118051d1895460b4ae05e9acf0e6ac63ea58d6d16d7e733ae
SSDEEP

1536:XfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbglB:XVqoCl/YgjxEufVU0TbTyDDaleB

Score

10^/10

defense_evasion discovery persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1992	explorer.exe
2624	spoolsv.exe
2832	svchost.exe
2564	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1992	explorer.exe
2832	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
1992	explorer.exe
1992	explorer.exe
2624	spoolsv.exe
2624	spoolsv.exe
2832	svchost.exe
2832	svchost.exe
2564	spoolsv.exe
2564	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1992	2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe	86
PID 2036 wrote to memory of 1992	2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe	86
PID 2036 wrote to memory of 1992	2036	fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe	86
PID 1992 wrote to memory of 2624	1992	explorer.exe	87
PID 1992 wrote to memory of 2624	1992	explorer.exe	87
PID 1992 wrote to memory of 2624	1992	explorer.exe	87
PID 2624 wrote to memory of 2832	2624	spoolsv.exe	88
PID 2624 wrote to memory of 2832	2624	spoolsv.exe	88
PID 2624 wrote to memory of 2832	2624	spoolsv.exe	88
PID 2832 wrote to memory of 2564	2832	svchost.exe	89
PID 2832 wrote to memory of 2564	2832	svchost.exe	89
PID 2832 wrote to memory of 2564	2832	svchost.exe	89

C:\Users\Admin\AppData\Local\Temp\fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe
"C:\Users\Admin\AppData\Local\Temp\fce926200a95022fe9096b31504c1815d45ddb7c05eff2e60e591487813091ac.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1992
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2832
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
72682d5b2836f1045022ad609814b0d4

SHA1
d76e745bb0837f379d37737aee4519e5c41caabe

SHA256
9480e3deb4bc6623460581a9b1e50fc4f894c4aeae71a1d43037c5c0bdf94098

SHA512
5097c57f66d79a02614adf3b1c8621170e903f58fef4c682b21c4cf3f52a562be56f7bb1e038c7fbf5baf3784c4bbb09f5a2fbbccf595b50249050202c9b3cc1

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
2e66295ab5f952f9a92170a50e9b1129

SHA1
913953abcd8568df6d219cdf4716362e125d4da3

SHA256
6c09569295ed3d58ddbd518e251c366275568d9fe41107cc883d29f00b9f1d23

SHA512
0dde6896330c87b4191fac5e7dcfd419e2682ed7ad889d2ffdfe84c7722c840c9e3c4f1848b79fdf6dee519592d56e7a5a88070c968a4c6322e4c4c7b4238e5d

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
606b8295ecf100e4d755d609e5aaf56b

SHA1
7d59d529e0f9eb4a9eea3c92f396b0afc726ab65

SHA256
1dcbe9b097d9e50cd7fa785572a8cd25deb17997e67d8aecafa3a44638b73b5b

SHA512
564cd8eb47bc5fafd50eae0a0a131f65d6ba6b21b54d009f93c4d90939810551b1db9aca9e1adcc77eeb4629764238c9af6332e52a0e0c46f7033a0e040cc3a2

Download Submit
memory/1992-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2036-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2036-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2564-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2624-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2832-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download