Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-05-2024 19:16

General

  • Target

    0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe

  • Size

    135KB

  • MD5

    130dde846901b9301657e6f10f4b5320

  • SHA1

    11e55f65af1bfa54c8e542267f59bc3545b62652

  • SHA256

    0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9

  • SHA512

    d521f05934159521099cb17401032e396d92990198fd8fbac3455314c9acf15cfb5c5c87cbd590375993de0313b59e0d5437c46a7edd0cae4d218d81ca4b1a66

  • SSDEEP

    3072:XVqoCl/YgjxEufVU0TbTyDDaljXcHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH/:XsLqdufVUNDae

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe
    "C:\Users\Admin\AppData\Local\Temp\0451a49e4c5de01bc26fa4fd0d5636c378e9bda0d429137f944234349ef6b3d9.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1232
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3428
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1164
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4388
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2468

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    33565f4143ba7a5429bb83b46304b8f1

    SHA1

    a7992d1454ca8e15196fded9974cbb9f975d9851

    SHA256

    091e92e6044ab583faf7b1e356902e6e4846cd53e7c1c1da70bd754dd964693d

    SHA512

    a19ca81b714f613c1cfa41ae3626474f1d66d7ec3357b17379c47c97daef2506713c90dbbbdb20c54befa6da679e8acf265964122ceb06124341ec1ca42e460c

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    cb67beed9d385c01b32ee032ab2b1b11

    SHA1

    8afb097fd8c9c6235ae69b726db27b6ffeacf84b

    SHA256

    2938267b741ac4a71f51dc006081f1ac350edf5e4932626dc628a570bdcf3565

    SHA512

    0e63f55a760cda4e370617d6234ca054f97e2c241515fc70e49c0c0e854bcb76353335a6abc610eb0d16bc74f5e20c7a2ba6656820a8b50251742842332cada4

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    0be179a13752945ec65f41ce73cb54a2

    SHA1

    1e96ec3d0eed641f4db1eb393d7ec06d630c1a3f

    SHA256

    6f036403affac2d3987b3771f6379ebba5dd3432895956b6d89837b1c1fa6f9b

    SHA512

    e104b11c28421b076bef84c7de7bfdd9deaf0a63e47582c564064a681e39a6c6c8f13496ec2c8798eaf0004b85c2dafee14d66f5cad5ce35e5701e11d8f84d0b

  • memory/1164-34-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1232-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1232-35-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2468-29-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2468-33-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB