Analysis

  • max time kernel: 150s
  • max time network: 123s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 24-05-2024 04:25

General

  • Target: a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
  • Size: 135KB
  • MD5: 02e4168fe15eaba294ee087503c25250
  • SHA1: 8085542c354fcfe7ad650dfe431ce26c3a01b712
  • SHA256: a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d
  • SHA512: 7313a55bc4136bb5daa0f4c6aaac544b9a97960b0419eb07946485a7fb76f51e1ba41df1fe68674509ce24c91b1a70a64f62bfd5bcedec2571ce744dcbc9ef25
  • SSDEEP: 1536:4fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV5jp00000000000E:4VqoCl/YgjxEufVU0TbTyDDal3jb

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe
    "C:\Users\Admin\AppData\Local\Temp\a6abff08e97aaff33f3aabb84068c569eaa1788842742eaf4d3c38c00bde522d.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:228
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2584
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3468
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5004
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4144

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Hide Artifacts (T1564): 1
    • Hidden Files and Directories (T1564.001): 1
    • Modify Registry (T1112): 2

Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize: 135KB
    MD5: 219cf687bb193791af596ec44fe3ff2d
    SHA1: 84abe5f4cf3b788cc819fd17164260c2b1b21f41
    SHA256: baf2d91234a4d5f619088b3fd5df0575e065ec2a4cd58a4edb343cf1c0da031c
    SHA512: b6d13e2ce1882715b714bd9e9c0e3f977317451be63589795695c31af1a74d0fcdb46d26229a870457b5735a543cadd5a98ceeb056796ff24dbb3fea8e64f32a

  • C:\Windows\Resources\spoolsv.exe
    Filesize: 135KB
    MD5: a5c1fff0f1811a49aee2d84c9888d664
    SHA1: 1f9e3e7e584756e3c70ef27ff8fd3b48e9dfde3c
    SHA256: d279f4aa5c3f2fcb7d4f5b1bff8d30db5736c81702ef84dc0cdb377560d17050
    SHA512: 7e3f962cadf252562ac9c7e926281b9940df3e5c2a879c1c5f9c95981a2b3e3f9a51ef1112df907ba1d589e6f27ece9cad1881b8c696a12f7b701eb9f2214fed

  • C:\Windows\Resources\svchost.exe
    Filesize: 135KB
    MD5: ace6f94e34170e93169381d538cbe46d
    SHA1: ad2579c6acb2c7a7ae6a2290d2b08618d5887fb7
    SHA256: a78903ac58e138d61ee1908981e446b5bfea1a33c07c774985561aafc4d978fe
    SHA512: a95b9595d1f617033fbdefb8fe96fb102f9f4455c745cbebd87d40e31702e6d9401644e072d3ba5f9a953a147d75ccf7ca32079b746584703e2379e7f407d0a9

  • memory/228-0-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/228-35-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/3468-17-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/3468-34-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/4144-33-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB