c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
Size

2.5MB
MD5

d8874a5a86769a37d3147c2a6061d1c9
SHA1

03a48cc2062073e998e010a8c4b458e05b99bcac
SHA256

c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb
SHA512

6f7384152d78eec8433a04c8c5adf467cee47450b32d08a4baa04557cf2aa63d5194558bb005a95e728640f79d98886f4fe76ae75f39d18716212c6882709f89
SSDEEP

49152:gxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxa:gxx9NUFkQx753uWuCyyxa

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Detects executables packed with Themida 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2940-0-0x0000000000400000-0x0000000000A0E000-memory.dmp	INDICATOR_EXE_Packed_Themida
\Windows\Resources\Themes\explorer.exe	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2940-11-0x00000000037B0000-0x0000000003DBE000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2764-12-0x0000000000400000-0x0000000000A0E000-memory.dmp	INDICATOR_EXE_Packed_Themida
\Windows\Resources\spoolsv.exe	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2588-24-0x0000000000400000-0x0000000000A0E000-memory.dmp	INDICATOR_EXE_Packed_Themida
\Windows\Resources\svchost.exe	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2744-36-0x0000000000400000-0x0000000000A0E000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2660-44-0x0000000000400000-0x0000000000A0E000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2660-48-0x0000000000400000-0x0000000000A0E000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2588-50-0x0000000000400000-0x0000000000A0E000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2940-51-0x0000000000400000-0x0000000000A0E000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2764-52-0x0000000000400000-0x0000000000A0E000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2744-53-0x0000000000400000-0x0000000000A0E000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2764-59-0x0000000000400000-0x0000000000A0E000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2764-65-0x0000000000400000-0x0000000000A0E000-memory.dmp	INDICATOR_EXE_Packed_Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2764 explorer.exe
2588 spoolsv.exe
2744 svchost.exe
2660 spoolsv.exe
Loads dropped DLL 4 IoCs

Processes:

c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exeexplorer.exespoolsv.exesvchost.exe

pid process

2940 c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2764 explorer.exe
2588 spoolsv.exe
2744 svchost.exe

pid	process
2764	explorer.exe
2588	spoolsv.exe
2744	svchost.exe
2660	spoolsv.exe

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2940-0-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
\Windows\Resources\Themes\explorer.exe	themida
behavioral1/memory/2940-11-0x00000000037B0000-0x0000000003DBE000-memory.dmp	themida
behavioral1/memory/2764-12-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
\Windows\Resources\spoolsv.exe	themida
behavioral1/memory/2588-24-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
\Windows\Resources\svchost.exe	themida
behavioral1/memory/2744-36-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/2660-44-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/2660-48-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/2588-50-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/2940-51-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/2764-52-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/2744-53-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/2764-59-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/2764-65-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

spoolsv.exesvchost.exespoolsv.exec1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe
File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2940 c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2764 explorer.exe
2588 spoolsv.exe
2744 svchost.exe
2660 spoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3012 schtasks.exe
2244 schtasks.exe
1700 schtasks.exe

pid	process
3012	schtasks.exe
2244	schtasks.exe
1700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exeexplorer.exesvchost.exe

pid	process
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2764	explorer.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2764	explorer.exe
2764	explorer.exe
2744	svchost.exe
2764	explorer.exe
2744	svchost.exe
2744	svchost.exe
2764	explorer.exe
2764	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2764 explorer.exe
2744 svchost.exe

pid	process
2764	explorer.exe
2744	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
2764	explorer.exe
2764	explorer.exe
2588	spoolsv.exe
2588	spoolsv.exe
2744	svchost.exe
2744	svchost.exe
2660	spoolsv.exe
2660	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2940 wrote to memory of 2764	2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe	explorer.exe
PID 2940 wrote to memory of 2764	2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe	explorer.exe
PID 2940 wrote to memory of 2764	2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe	explorer.exe
PID 2940 wrote to memory of 2764	2940	c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe	explorer.exe
PID 2764 wrote to memory of 2588	2764	explorer.exe	spoolsv.exe
PID 2764 wrote to memory of 2588	2764	explorer.exe	spoolsv.exe
PID 2764 wrote to memory of 2588	2764	explorer.exe	spoolsv.exe
PID 2764 wrote to memory of 2588	2764	explorer.exe	spoolsv.exe
PID 2588 wrote to memory of 2744	2588	spoolsv.exe	svchost.exe
PID 2588 wrote to memory of 2744	2588	spoolsv.exe	svchost.exe
PID 2588 wrote to memory of 2744	2588	spoolsv.exe	svchost.exe
PID 2588 wrote to memory of 2744	2588	spoolsv.exe	svchost.exe
PID 2744 wrote to memory of 2660	2744	svchost.exe	spoolsv.exe
PID 2744 wrote to memory of 2660	2744	svchost.exe	spoolsv.exe
PID 2744 wrote to memory of 2660	2744	svchost.exe	spoolsv.exe
PID 2744 wrote to memory of 2660	2744	svchost.exe	spoolsv.exe
PID 2764 wrote to memory of 2664	2764	explorer.exe	Explorer.exe
PID 2764 wrote to memory of 2664	2764	explorer.exe	Explorer.exe
PID 2764 wrote to memory of 2664	2764	explorer.exe	Explorer.exe
PID 2764 wrote to memory of 2664	2764	explorer.exe	Explorer.exe
PID 2744 wrote to memory of 2244	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 2244	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 2244	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 2244	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 1700	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 1700	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 1700	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 1700	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 3012	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 3012	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 3012	2744	svchost.exe	schtasks.exe
PID 2744 wrote to memory of 3012	2744	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe
"C:\Users\Admin\AppData\Local\Temp\c1f137e967b895a9c21f96eb4e96d307ec964ac467f39215a9d834a2c0578cdb.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2660

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:21 /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:22 /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:23 /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
3⤵
PID:2664

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe
Filesize
2.5MB

MD5
b9cb19cf61e663590a7b1ac222adb4fe

SHA1
694f1ce24f03a38e47c6fdbfeb814159c289300e

SHA256
6de071999518751c12686d1033be948cbfe9e50fd93178232f69d1af410d6c9b

SHA512
ac3d5e8242534852bc502823210a0d1c7352b5d03480acbed7695d07a77e5c6c906a7ffe356b6982f3e114f81c6338c032f48b4f347076e31aa4905e6f0d32fe

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
2.5MB

MD5
94567a480a3e2ed9a818335188daa464

SHA1
a12a3dde92d1d31d2f2b593ceb82af62c9579bd1

SHA256
f3b14ebc281d219db46f9278b0ba8d45143ba6db5b9d29f78da6bc8fae44f5a7

SHA512
0b8159fba94d796ae372ec09d670a8a1d551082543c91da51da8fe446beef2a29dfd2aaf8421064f35c039bac66507d26235da7a87ff1ff3b1fd7a1d96d775db

Download Submit
\Windows\Resources\svchost.exe
Filesize
2.5MB

MD5
cbd36db7ca7c25a37e36e9da2c5bfcc5

SHA1
69e4f485285a2d1a54d9a0c08a4669e43f6627a5

SHA256
2703543d973bae9300bc11e1a830cbc83f10d72a8bffa3390b702e8c60866f01

SHA512
27550403a9952450215c43346cccede637be3cc2c419accbb6f4ed93523cefd03cbc29ec31f4db979447d33b4d5b32bdcf34bdffdca2c42855ae72de4749727b

Download Submit
memory/2588-50-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2588-24-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2588-35-0x00000000036B0000-0x0000000003CBE000-memory.dmp

Filesize
6.1MB

Download
memory/2660-48-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2660-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2744-36-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2744-43-0x00000000032D0000-0x00000000038DE000-memory.dmp

Filesize
6.1MB

Download
memory/2744-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2764-23-0x0000000003870000-0x0000000003E7E000-memory.dmp

Filesize
6.1MB

Download
memory/2764-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2764-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2764-54-0x0000000003870000-0x0000000003E7E000-memory.dmp

Filesize
6.1MB

Download
memory/2764-59-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2764-65-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2940-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2940-11-0x00000000037B0000-0x0000000003DBE000-memory.dmp

Filesize
6.1MB

Download
memory/2940-1-0x0000000077BC0000-0x0000000077BC2000-memory.dmp

Filesize
8KB

Download
memory/2940-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads