Overview

overview

10

Static

static

3

f916bbf01d...8c.exe

windows7-x64

10

f916bbf01d...8c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25-04-2024 05:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe

  • Size

    121KB

  • MD5

    ef46b2a0b62c0d32c5d0a93e89afc02a

  • SHA1

    675e9583128ff9d43034baf0952c52402edcf6d1

  • SHA256

    f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c

  • SHA512

    cf359456fdc87bc1685350d7af195bf96241747f7115bbf18430bb74ead11e2348097ba19382bd831de09461d2e9e54417b571554fb818b4dd80ba6423158400

  • SSDEEP

    1536:9X9TaOt5OuXpBFZQUSvnsk+z/ypuOASsIc9XmkbxH3u:9X9TP3OuXpBkAz/yjvc9X/9Xu

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe
    "C:\Users\Admin\AppData\Local\Temp\f916bbf01d64d41a01427aae6db4b66c7533a31d9317c02d1bca90814627778c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2936
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3028
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2988
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2596
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2604
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:26 /f
            5⤵
            • Creates scheduled task(s)
            PID:2564
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:27 /f
            5⤵
            • Creates scheduled task(s)
            PID:1788
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:28 /f
            5⤵
            • Creates scheduled task(s)
            PID:2096

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\Resources\Themes\explorer.exe
    Filesize

    121KB

    MD5

    7d4fa3796b8c1995cc6312584c71e5a3

    SHA1

    ef07ddfa42f9ebaf04d27efdc06da61fd9579440

    SHA256

    1530d8dd523004f4336de576bcc617f2dbf9a934c6d9c2f0a75192f10563079c

    SHA512

    e0fd03b9111535e22135b935d72aef0e6b797f110942328f3029d539beed9074fc2a6174ffd34c9dbeaab8dd81416cb7e8965835354b36881b1bc92146893828

    Download Submit

  • \Windows\Resources\spoolsv.exe
    Filesize

    121KB

    MD5

    67294f2aa8cf006ab3e6735ca931d3d6

    SHA1

    433d607e9848a9a0c7298f529f40e1c48739c0cf

    SHA256

    55248a3f3c889d9edb3fdee532d15bbae934e88094ef92db6769e7e17bb5c7b8

    SHA512

    285fb324cf5b3d424ec652158f2f9f1deb3a9b1aadad871184109b676a46367e00aa653f5a263496657f6364cb561d351b2b55a9f824cb4be17874397020ecb7

    Download Submit

  • \Windows\Resources\svchost.exe
    Filesize

    121KB

    MD5

    f0764c2a14abe55b95261815d4961c4c

    SHA1

    7a1d1add4d0a3d28b5eed7d587077fd816ae4381

    SHA256

    4aee39797934381957d8bfee342534df1429335bae30edcb677f738edf3d3077

    SHA512

    a34b96de4eb8fa2aefdcd93d8c35c75c40b70ecc4d6377ae429dc65bef707b90c7496c305cddc25565644b66589a3852ffee9d1f9c40e2c915f5b3bf27aa6882

    Download Submit