Analysis

  • max time kernel: 150s
  • max time network: 132s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240412-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25-04-2024 04:40

General

  • Target: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
  • Size: 135KB
  • MD5: 1d0a66f30196a3f2590cd3d9e4f797d9
  • SHA1: 75e713603788c63e69610922a1c9f2e1472e9e94
  • SHA256: e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50
  • SHA512: fd370dd449a5f0dcc2b389bf32433c97147c1560c53e5fbd00f7314a90ecbbb3b37a9e69ce80f59ab3e376bb26dfcbc8ba1b428fc2dc7ffb65bebac908a96d1e
  • SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVIU:UVqoCl/YgjxEufVU0TbTyDDal+U

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe
    "C:\Users\Admin\AppData\Local\Temp\e680be65d92f0c4b3b9c9caad2ddebbc6d5ba3dd2023a934d8b96658d26c8b50.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4960
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1836
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4356
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:8
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4112

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Hide Artifacts (T1564): 1
    • Hidden Files and Directories (T1564.001): 1
    • Modify Registry (T1112): 2

Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize: 135KB
    MD5: cdfb026859a70874a5692b7bb302348e
    SHA1: 3a48b020331f95457323f68700f0a508cfc996f5
    SHA256: 4912da3494e2b30f8fd5f2da153668cdfd571605c4b72dacd3c3652223fc5518
    SHA512: c04290235941178e6eae5d07e8c7d419c458ee68c739f775213a9507c2fe915bb75ed9cc764f6ef053319841e9abb717f080da82554fb735612e89febf80baf3

  • C:\Windows\Resources\spoolsv.exe
    Filesize: 135KB
    MD5: 48cc2f05c385866745b200f237acd177
    SHA1: 9695dbc585c4cef07d7b27af017a4db9e1d10ba3
    SHA256: 15426b21a4cccff99a7aec4617fc05a89909e2d6f13f2814be0a291ae878ae8e
    SHA512: c334a819df29dd76bca33a711649499a038eab04ea840ef2b8853a6c8b3bbc7b6ba22646399806d39ffe2ad0e2e561f33d6f719218d310004cd82f80f0d4a9a2

  • C:\Windows\Resources\svchost.exe
    Filesize: 135KB
    MD5: dbe6fecc97e04b3551766da536d2c2ac
    SHA1: 074f243f819c9081b549cfe631051c995d4cf006
    SHA256: 665918ae26fdbee27901c619f9dd335892f216acb28d12cd1eee297e954c874d
    SHA512: 638539841f31e33859f7eb3d415ec1b79fc0cab932910ae34f82835013b10daf2276484fb5d14469ed17bf77c0caed2a92980e00a1182c8b1e72287bd6358ee7

  • memory/1836-9-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/4112-33-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/4356-34-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/4960-0-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/4960-35-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB