Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12-05-2024 18:37

General

  • Target

    0a36612eda4f0714682345b5641c4a293a9b107402717ac57d95f37840df4c7f.exe

  • Size

    57KB

  • MD5

    7c05d4361e696c9a12f354b871e463fd

  • SHA1

    ff4014a4c2e817705de7d6470021031675033f2e

  • SHA256

    0a36612eda4f0714682345b5641c4a293a9b107402717ac57d95f37840df4c7f

  • SHA512

    44d7fd5e83956b32c404be41eeedfc14b6ef1eadb3cfffdecefd5df66d5c9689605b4df7e55fd13a671450d307750153339a3375de182fbc3aee1cd98c046af1

  • SSDEEP

    1536:6Ps27oLrMhknGu3uw3/55NpwCAawbtKFYpNUTIX:6Ps27krP13uIXNpwCwblrUIX

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • UPX dump on OEP (original entry point) 11 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a36612eda4f0714682345b5641c4a293a9b107402717ac57d95f37840df4c7f.exe
    "C:\Users\Admin\AppData\Local\Temp\0a36612eda4f0714682345b5641c4a293a9b107402717ac57d95f37840df4c7f.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2932
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3488
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4052
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3608
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2688
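
The process tree above is the report's most actionable finding: binaries named explorer.exe, spoolsv.exe and svchost.exe executing from c:\windows\resources\ instead of C:\Windows and C:\Windows\System32, and service binaries spawned by a user-land parent rather than by services.exe (masquerading, ATT&CK T1036.005). The Python below is an added detection example, not part of the sandbox report or its output. The process records are constructed from the tree above plus two benign processes, and the expected-directory and expected-parent tables are assumptions drawn from the default Windows install layout.

```python
"""Flag Windows system-binary names executing from unexpected paths or parents.

Added detection example (not part of the sandbox report). The event records
are constructed from the report's process tree plus two benign processes; the
expected-location tables are assumptions based on a default Windows install.
"""
import ntpath
from dataclasses import dataclass

# Where these frequently impersonated binaries live on a default install.
# SysWOW64 holds the 32-bit copy of svchost.exe on x64 Windows.
EXPECTED_DIRS = {
    "explorer.exe": {"c:\\windows"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "spoolsv.exe": {"c:\\windows\\system32"},
    "lsass.exe": {"c:\\windows\\system32"},
    "services.exe": {"c:\\windows\\system32"},
}

# Service hosts are started by the Service Control Manager, not by user programs.
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "spoolsv.exe": {"services.exe"},
}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (fields Sysmon Event ID 1 also carries)."""
    pid: int
    image: str
    parent_image: str
    command_line: str


def normalize(path: str) -> str:
    """Lower-case the path, drop NT object-manager prefixes, unify separators."""
    p = path.strip().strip('"')
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    return p.replace("/", "\\").lower().rstrip("\\")


def check_event(ev: ProcEvent) -> list[str]:
    """Return one finding per rule the event violates (empty list if clean)."""
    image = normalize(ev.image)
    name = ntpath.basename(image)
    directory = ntpath.dirname(image)
    findings = []
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        findings.append(f"pid {ev.pid}: {name} running from {directory or '<relative path>'}")
    parent = ntpath.basename(normalize(ev.parent_image))
    if name in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[name]:
        findings.append(f"pid {ev.pid}: {name} spawned by {parent} (cmd: {ev.command_line})")
    return findings


def scan(events) -> list[str]:
    """Run check_event over a sequence of records and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "0a36612eda4f0714682345b5641c4a293a9b107402717ac57d95f37840df4c7f.exe")

# Constructed records: PIDs 2932..2688 mirror the report's tree; 900 and 1500 are benign.
SAMPLE_EVENTS = [
    ProcEvent(2932, SAMPLE, "C:\\Windows\\explorer.exe", f'"{SAMPLE}"'),
    ProcEvent(3488, "\\??\\c:\\windows\\resources\\themes\\explorer.exe", SAMPLE,
              "c:\\windows\\resources\\themes\\explorer.exe"),
    ProcEvent(4052, "\\??\\c:\\windows\\resources\\spoolsv.exe",
              "c:\\windows\\resources\\themes\\explorer.exe",
              "c:\\windows\\resources\\spoolsv.exe SE"),
    ProcEvent(3608, "\\??\\c:\\windows\\resources\\svchost.exe",
              "c:\\windows\\resources\\spoolsv.exe",
              "c:\\windows\\resources\\svchost.exe"),
    ProcEvent(2688, "\\??\\c:\\windows\\resources\\spoolsv.exe",
              "c:\\windows\\resources\\svchost.exe",
              "c:\\windows\\resources\\spoolsv.exe PR"),
    ProcEvent(900, "C:\\Windows\\System32\\svchost.exe",
              "C:\\Windows\\System32\\services.exe",
              "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    ProcEvent(1500, "C:\\Windows\\explorer.exe",
              "C:\\Windows\\System32\\userinit.exe", "C:\\Windows\\Explorer.EXE"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed records this yields seven findings: one for the explorer.exe copy under Themes (wrong directory) and two each for the three service-binary copies (wrong directory and wrong parent); the genuine svchost.exe and explorer.exe produce none. The path normalization matters because sandbox and Sysmon logs mix `\??\`-prefixed NT paths with Win32 paths and inconsistent casing, and a rule keyed on the raw string would miss the match.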

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    57KB

    MD5

    3755f3dd2d23adf795f8ee0a08cc1d4a

    SHA1

    5a58a2d29a048d2c930a93ed3519df35eaab5d00

    SHA256

    6320124920854cce10e095fb6262cbd5e8b5728b6da3294e2a00a7300415142c

    SHA512

    781f37bc0d8703a52e3e9f620639447797c4eefc4d601158459121a0eb983ea7caf8f28454c2fc553b494fbde9e5ec0bbeffa1ec24489cc549208a08a8333e1a

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    57KB

    MD5

    90b2f18636db5c09f8b6ed8e8d2b5938

    SHA1

    eaf79603a89f1adf1c7f7213e57235724aa6e301

    SHA256

    6e8efacc458d353bf7b28ec77f7b5493cc5b98d00540eb194cac4db3f16eab8f

    SHA512

    f2b17c6238368f98433ecd4eeb7fd32142e336fb9e8d59d9dd57814ea93ab37face2976309e7b4c0a7607a5fc9b46c5700ed5b5c3bcdca0c5e6988b5746c71ac

  • C:\Windows\Resources\svchost.exe

    Filesize

    57KB

    MD5

    6c2347284ac8a3254dff26e53b86c7be

    SHA1

    63a0d43bdac1744db165a63f7db90856b98e60b5

    SHA256

    c6f7c1d1baaae782bbe2d96dc7e6cfac591a0a88898903170ff96174c41491af

    SHA512

    39f5af0c2b27ac00eaa60b79e4e4a606e45bbec4e7613d7f33589da28ddf760a866798e4cc829813ba2574f9be83db8868a6cceef6cfeef06873f9a2e78bd404

  • memory/2688-30-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2688-34-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2932-0-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2932-38-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/3488-39-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/3488-49-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/3608-40-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/4052-36-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB
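
The Downloads section lists three dropped copies of the 57KB dropper, each with a different hash, and the signatures flag the sample as UPX-packed while the memory dumps show a 136KB unpacked image (0x400000 to 0x422000). The Python below is an added example, not part of the report: it re-hashes the listed paths against the report's SHA256 values and walks the PE section table for the stock UPX0/UPX1 section names. build_minimal_pe() and dict_reader() are constructed fixtures so the code runs offline; the caveat about renamed sections follows from the signature text, which covers "UPX/modified UPX".

```python
"""Verify dropped-file hashes from the report and check PE section names for UPX.

Added example; not part of the sandbox report. REPORT_IOCS is copied from the
report's Downloads section. build_minimal_pe() fabricates a bare PE header
purely so the section-table parser can be exercised without a real sample.
"""
import hashlib
import struct
from typing import Callable, Dict, List

# Path -> SHA256 of the dropped files, as listed in the report.
REPORT_IOCS: Dict[str, str] = {
    "C:\\Windows\\Resources\\Themes\\explorer.exe":
        "6320124920854cce10e095fb6262cbd5e8b5728b6da3294e2a00a7300415142c",
    "C:\\Windows\\Resources\\spoolsv.exe":
        "6e8efacc458d353bf7b28ec77f7b5493cc5b98d00540eb194cac4db3f16eab8f",
    "C:\\Windows\\Resources\\svchost.exe":
        "c6f7c1d1baaae782bbe2d96dc7e6cfac591a0a88898903170ff96174c41491af",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_file(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def dict_reader(files: Dict[str, bytes]) -> Callable[[str], bytes]:
    """Reader over an in-memory path->bytes map (constructed, for offline use)."""
    def _read(path: str) -> bytes:
        if path not in files:
            raise FileNotFoundError(path)
        return files[path]
    return _read


def verify_artifacts(iocs: Dict[str, str],
                     reader: Callable[[str], bytes] = read_file) -> Dict[str, str]:
    """Map each IoC path to 'match', 'mismatch' or 'absent'.

    A mismatch is still a lead: the report shows the same 57KB dropper written
    under three names with three different digests, so a present file whose
    hash differs should be collected, not dismissed.
    """
    result = {}
    for path, expected in iocs.items():
        try:
            data = reader(path)
        except FileNotFoundError:
            result[path] = "absent"
            continue
        result[path] = "match" if sha256_bytes(data) == expected.lower() else "mismatch"
    return result


def pe_section_names(data: bytes) -> List[str]:
    """Walk the PE section table and return the 8-byte section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                         # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0].decode("latin-1"))
    return names


def looks_upx_packed(names: List[str]) -> bool:
    """Stock UPX names its sections UPX0/UPX1. Modified builds often rename
    them, so False is not proof of an unpacked file; compare the 136KB
    in-memory image from the report with the 57KB file on disk instead."""
    return any(n.upper().startswith("UPX") for n in names)


def build_minimal_pe(section_names: List[str]) -> bytes:
    """Constructed fixture: DOS header, PE signature, COFF header, zeroed PE32
    optional header and a section table. Not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    opt_size = 0xE0                                      # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    sections = b"".join(n.encode("latin-1").ljust(8, b"\0") + b"\0" * 32
                        for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * opt_size + sections


if __name__ == "__main__":
    for path, status in verify_artifacts(REPORT_IOCS).items():
        print(f"{status:8} {path}")
```

Run on a suspect host, verify_artifacts() reports "absent" for each path the dropper did not write and "match" only for byte-identical copies; any "mismatch" should be pulled for analysis since the three dropped files already differ from each other. pe_section_names() reads only the headers, so it is safe to point at the 57KB sample or at the dumped 136KB memory image, where the section names will normally differ once the packer has run.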