Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 05:37

General

  • Target

    fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe

  • Size

    135KB

  • MD5

    3ea610f47ece05b75bf6a2c8c5f3c139

  • SHA1

    ea62733ed4d07515eb401e02d9325f920e0f69f0

  • SHA256

    fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466

  • SHA512

    7a9d3d81c1e58c297610e3d5f866c8955c88a44a2130ce26c2b8a7cbda9ed352c24585fb4ea55aa0d450f0be0d9da4c1b91c38c74fa973bb82c27ea5d0032291

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVIh:UVqoCl/YgjxEufVU0TbTyDDaleh

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe
    "C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2564
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4352
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:704
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1056
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1828

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    aa450174d15d16f084c41dfe59ea7b76

    SHA1

    472fb1a3b6e2f908e8381c3495d3e8a7d34e7fdb

    SHA256

    0ced3150fb1d9f9016b4c1c418553c3593bcbb4a7aa254e66b371ee0c241dfbf

    SHA512

    a690210c64c58c36de0b0846129a2c5adebdedce561dff068514bdc68f4a25946730e658edf3c95a669259643b84bb5db8bf5355b1b0b02e1d4e219c7b19cfdf

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    46bf70a8cca0bf61dfdb9563efa2c9bf

    SHA1

    55ac6716ec7ebe440aef4e315d5df766260d2e92

    SHA256

    0e242ff479876d83b6fde31f9419a2b9de72a19b949f73cf18fad55cfcb131ff

    SHA512

    99ec9e1cfd410a26ce4a056f7427a4b6680c88b6fdebcaf4794ae51cbaae5e126491846ddbb4e517ad307ef0e1b1ed881056b2662a5308269692e5223bef81aa

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    5a98aa8e38cb61d9eed7767accf58229

    SHA1

    35f85ca01882c7ab8f62032226ba1dbe46be3f5f

    SHA256

    b220400d30047511871f7f6c08574040fa5a4bdc1f7d318cba7017f7d0c18982

    SHA512

    dea7c2cf0555442cfb60497edbd35c1f5449e7b0373bc822e3ab02f4226abb3b4c27bfdc027a687c9daeada8fd108285238a58ab05ff8a47ab285a5ffdb61ef6

  • memory/704-34-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1828-33-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2564-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2564-35-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4352-8-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB