Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 00:55

General

  • Target

    66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe

  • Size

    135KB

  • MD5

    28c450127304cb7dca5ee42830c680c0

  • SHA1

    400ccdc95dfb43ab8730072cd1bdfbabe6e28337

  • SHA256

    66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866

  • SHA512

    8e1a5e812db5ad6096b2127ade3f087fbe9bd28ad5a2cd97f61a1d6031bccbde7b50adc34f8526aad01f1a85e85d7822de5dffded0b7d8f35dc0156c9155f5fd

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVPi4Vg6k+:UVqoCl/YgjxEufVU0TbTyDDalc+

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe
    "C:\Users\Admin\AppData\Local\Temp\66dc6c59cc77a27c4bc7190e02d03c487c6cfb36d62060fde5f0fbc0f2442866.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2948
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4764
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4900
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1924
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4748

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution: 1 (T1547)
    • Registry Run Keys / Startup Folder: 1 (T1547.001)
  • Privilege Escalation
    • Boot or Logon Autostart Execution: 1 (T1547)
    • Registry Run Keys / Startup Folder: 1 (T1547.001)
  • Defense Evasion
    • Hide Artifacts: 1 (T1564)
    • Hidden Files and Directories: 1 (T1564.001)
    • Modify Registry: 2 (T1112)


Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize

    135KB

    MD5

    893be6119cee0a3a7b61f24e0777c180

    SHA1

    ac620222017ff2d32a7bf0d1085c0a09105ddf99

    SHA256

    480ea97cc265e3f9819247008f0e12c9ab633adb44cd8639b534def4b7be65f6

    SHA512

    462ee5e0a7384ec44518d53b34614c94ab7cd507da4edf2f2781c1f5fc94221f73fd8285f9b3c931c88c7c56de125e52e4ae0ae602ef943e0bf62a0fb5f1d457

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    135KB

    MD5

    28ec3b75f555058ed8b859c5ececef4e

    SHA1

    c41baec1c6c7e3ad18f243da0f237510e68a484b

    SHA256

    4d160632c280f469d2b397559d09ed0fcadceb96ce27d95cc81de2a209ccd74a

    SHA512

    7e2942daf9f585cfba26d6286a24e795b226086a0795b8a6683f7502e836fdd9024e37a4a015d68f1f8ed8684687a7aa6d9cc5dc74f27d39a117ad3b6b4e7ad4

  • C:\Windows\Resources\svchost.exe
    Filesize

    135KB

    MD5

    662f137e0f22e03b5f902e3444f20f65

    SHA1

    affd45ef7780972f1a3c9d17725b851d08f28ced

    SHA256

    dc1edd47e493ded8f33f59ca30a0e1126a2ef765c6e71aadda3851d7ac3a168c

    SHA512

    dcdae7de412f440f922fb84c7adeea49294702c4320f98aece0f51539cdc34310d112221a745adc3405913c1816bf98600bc341e7ee279ffbf66ff1b72913f5b

  • memory/2948-0-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

  • memory/2948-35-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

  • memory/4748-33-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

  • memory/4764-8-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

  • memory/4900-34-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB