Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-06-2024 05:37

General

  • Target

    fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe

  • Size

    135KB

  • MD5

    3ea610f47ece05b75bf6a2c8c5f3c139

  • SHA1

    ea62733ed4d07515eb401e02d9325f920e0f69f0

  • SHA256

    fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466

  • SHA512

    7a9d3d81c1e58c297610e3d5f866c8955c88a44a2130ce26c2b8a7cbda9ed352c24585fb4ea55aa0d450f0be0d9da4c1b91c38c74fa973bb82c27ea5d0032291

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVIh:UVqoCl/YgjxEufVU0TbTyDDaleh

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe
    "C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1632
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2216
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2744
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:320
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1556
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:39 /f
            5⤵
            • Creates scheduled task(s)
            PID:2572
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:40 /f
            5⤵
            • Creates scheduled task(s)
            PID:2040
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:41 /f
            5⤵
            • Creates scheduled task(s)
            PID:2292
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
        PID:2708

Network

MITRE ATT&CK Enterprise v15


Downloads

    • \Windows\Resources\Themes\explorer.exe

      Filesize

      135KB

      MD5

      a56470d0f1a0e8f0e0255281122c4d1a

      SHA1

      9bef35270ba4c1b50f11ed52a76341c0718c69ed

      SHA256

      5acceba11b105121b5415a8f69bf523f40f3be21ede92d2f72131547d047224d

      SHA512

      7f8bbf142a12f913ff02d2252fd4c598a5a50f3bf56f820c2247b32febd8d181dec36a4310cc9278e3d1dd53a26f493aa829f20365e155dd637b4018023a8023

    • \Windows\Resources\spoolsv.exe

      Filesize

      135KB

      MD5

      366eb529390c9ab0b9a30a6dec9bf89a

      SHA1

      dd69f237c5b45fd1be90dfe9fc058e48cc638da1

      SHA256

      da7e0d810eb115efc5688a817e139b7d2f4467de27ec0530e8e8dff1515f9985

      SHA512

      307b2902fd0dc507500b04ecf1f5c1bc0723eeedcd805d46a0960b0f9114f1a8819d9e09b96cf56e832889604e2ea6fc5da636c554489ae4f947333f08203f01

    • \Windows\Resources\svchost.exe

      Filesize

      135KB

      MD5

      fb9529b2c4a8e49e31d33f76c5129a06

      SHA1

      8c00e0d7f2ed1e24dcf2adcdcfe2646452fc3a5f

      SHA256

      57b6bd55cd4444eb5c41e92d41901b8b5c472c7988aca13af8c75cb5f7cfc7d1

      SHA512

      2b5070ca21c4a1d4fbe7843fecb233991fc217c6d238fda624ffd6bcb4c39c9e327eb2a9306eb62e5347cc7b2a0a2cabd41906f75fb903073a9df390e4e85668

    • memory/320-38-0x00000000003D0000-0x00000000003EF000-memory.dmp

      Filesize

      124KB

    • memory/1556-42-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1632-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1632-10-0x0000000000290000-0x00000000002AF000-memory.dmp

      Filesize

      124KB

    • memory/1632-43-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2216-21-0x0000000001BC0000-0x0000000001BDF000-memory.dmp

      Filesize

      124KB