Overview

overview

10

Static

static

3

01b3c37b7e...81.exe

windows7-x64

10

01b3c37b7e...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    108s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 17:03

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    01b3c37b7e00f0c62aafce1a209e9a81.exe

  • Size

    135KB

  • MD5

    01b3c37b7e00f0c62aafce1a209e9a81

  • SHA1

    e66bdfdd8b5ff95ef773d6620e6527f0a7b8fb1d

  • SHA256

    39c30060191d8b1f133abd6281046714754444a3217de25f7ff2627e8c236311

  • SHA512

    50d7073241dad2afb554e595c6121b4eacedb94644a9b4329e99eee4c3c81d8f0425872bb9d69f7a2f233b3b655da853e183b96be44fb6fbe24cb06f021e1dae

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVXh:UVqoCl/YgjxEufVU0TbTyDDalRh

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01b3c37b7e00f0c62aafce1a209e9a81.exe
    "C:\Users\Admin\AppData\Local\Temp\01b3c37b7e00f0c62aafce1a209e9a81.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2400
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2332
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1744
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2756
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2684
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:50 /f
            5⤵
            • Creates scheduled task(s)
            PID:2896
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:51 /f
            5⤵
            • Creates scheduled task(s)
            PID:1692
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:52 /f
            5⤵
            • Creates scheduled task(s)
            PID:2000
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2852

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\Resources\spoolsv.exe
            Filesize

            135KB

            MD5

            ea56ced992aef408174f05d4b50f45d7

            SHA1

            fce8c80f908d5fce56d5c8385a7b9aaa608aee0f

            SHA256

            de287a2963a64d28ddd6e74a5077db3077ad4527cc17c5109b12fd3b90c208c7

            SHA512

            418af6ebee868635449d8ff7054527c858e039a4d0fc97154645981ab0e41d05645aa6b711b1ef2fbca06a9455a2ebbce93b5511a6a348f4d372a8ed364692db

            Download Submit

          • \Windows\Resources\Themes\explorer.exe
            Filesize

            135KB

            MD5

            bcc0af485b657ebfabfbd5c4ecc5c3ed

            SHA1

            dbe5586ab21b4d20982c60f6582a9096be95183f

            SHA256

            094dc8dfbe328c995abd71f680f36ce37581eb17c785f64173f01f9514653c35

            SHA512

            f302d5bdfc34bd2b1986522d621d3d1edf3fe33c9e9496de61d384de1911fca32284a657d40f0da9c2d27221a9f50f8aa88ec8226cd7f23d68ed63dafcf3397f

            Download Submit

          • \Windows\Resources\svchost.exe
            Filesize

            135KB

            MD5

            6c437fb97c8e22338f94c017248ba037

            SHA1

            bb681617824e80644b1f16226d8de6a860238dc0

            SHA256

            3aa0416b78ab05cb8366602ea46383da5eee81e4880251f6e2152debe3ddc926

            SHA512

            48f84ca18354fb8c7e29ad53d2c11a642e079f9768108a83c7a3d2226c83d61f4692444d57667df8a847dabfe993092ec0622e4e1acc42ea74a51ab370eb76c7

            Download Submit

          • memory/1744-41-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2332-18-0x0000000000280000-0x000000000029F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2400-0-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2400-42-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2684-40-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download