Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-04-2024 02:55

General

  • Target
    c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200.exe
  • Size
    135KB
  • MD5
    8e54bcbc6d7c3c11ce5a058463f02a6f
  • SHA1
    867552607510068f384c9d6986947fa63c3c9768
  • SHA256
    c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200
  • SHA512
    b072a96e130a26f0663eedca29b42fa169607a54a4241193562f9a58a21a6ae5352624172e25fc4e2e21cfdda32b9c14b1332b019be60018ced6ba066285e986
  • SSDEEP
    1536:XfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbgtx:XVqoCl/YgjxEufVU0TbTyDDalqx

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200.exe
    "C:\Users\Admin\AppData\Local\Temp\c35fc58abaaf7b5eedb55dbeb8e495960878d89c26b68c8f4f7cbca4690d4200.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2732
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2752
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3904
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5100
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4524

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize
    135KB
    MD5
    b93008756f8b9003f1c995726a30f94d
    SHA1
    435814163fee63440c638c858ff587b6304a6b3f
    SHA256
    d2d034a8d1c21fc190629d34362b96e93ae1481e208152d7d20d4d687bf94887
    SHA512
    158fc9065b4705632374482a40fc94f843111a0fd5b4790c0a43ee833ad95713295f249fc6e29c61738b290f161b10aad212ce03ba5a7838419286602e6441d1

  • C:\Windows\Resources\spoolsv.exe
    Filesize
    135KB
    MD5
    571d3203bd9ce6fec45f6a4048c3545e
    SHA1
    283273a2425ef6842945b01cf75e1d781027134d
    SHA256
    ebb074e6b90ced520b5f90454234aaf35d521f747249da112179756d76bca968
    SHA512
    41cf214b86cfb515016083720ecfbb88ca7dfe76e89028e603c5265cdefe6f784a37cdba5f3e47a23b7ffca36f4e81f6163668b560a6c5e9017b2ab4d365530e

  • C:\Windows\Resources\svchost.exe
    Filesize
    135KB
    MD5
    5cf70b9cece345094ad29e9375ccb0dd
    SHA1
    a417e9c42f9508c17b796587726c6b33b049dd32
    SHA256
    9e35cb70ced859c5c04795561ac735e3a922c807c704b97061f0868c8ba5db5d
    SHA512
    01541fe482242f6c6e6b82d2d055400bbd42250508fd689b7c611b30c812b2492e7c95e7f0990e19c9efbfec8a40ed63488f7e9d86f18a8ab28a33fe620e77a0

  • memory/2732-0-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize
    124KB

  • memory/2732-35-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize
    124KB

  • memory/2752-9-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize
    124KB

  • memory/3904-34-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize
    124KB

  • memory/4524-33-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize
    124KB