Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/06/2024, 22:51

General

  • Target

    6df62f50ef8049a160d111b8aefa9722b3b1aaf34203794f00255fea743f0d9e.exe

  • Size

    135KB

  • MD5

    ca061d69d65607eb03c27754d8d537c3

  • SHA1

    c9a458371fb943ba4e315a6e2b65c54a4a394bab

  • SHA256

    6df62f50ef8049a160d111b8aefa9722b3b1aaf34203794f00255fea743f0d9e

  • SHA512

    93317c9ad055fd72c077fd4baff6f9badfdde8abc970372629a39b592f2dc4f56aaad8b606812e1c27cf84825f9431434a270e1f715308f8f0a30ca266d557cf

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVBB:UVqoCl/YgjxEufVU0TbTyDDal7B

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6df62f50ef8049a160d111b8aefa9722b3b1aaf34203794f00255fea743f0d9e.exe
    "C:\Users\Admin\AppData\Local\Temp\6df62f50ef8049a160d111b8aefa9722b3b1aaf34203794f00255fea743f0d9e.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4180
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2600
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:612
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3332
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1492

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\Resources\Themes\explorer.exe

          Filesize

          135KB

          MD5

          71efa234c0fb6abfa1668d72baf20a44

          SHA1

          6a2da987720164c9ce21c28cd516e24cbabd98e3

          SHA256

          afa1e57dce14f96e4a9afdc0f98e8b44c08bd0b36f7706b51680967df5007535

          SHA512

          4bf07397679fcdac3a9848b5bc6217e7d3fc3632aad919f99a9c9252328749998664fb4744484d8f2c6e6a5b70d05c14ba433f00df4d1977c5c476e3069c0c4e

        • C:\Windows\Resources\spoolsv.exe

          Filesize

          135KB

          MD5

          824808d4d92914b4d1424c3f532559cc

          SHA1

          44ea47dd138131a76aacdcdd5428e6f134d5eae8

          SHA256

          d231eda21026a06c0618232687aab7061130c064af89c6c1f9e107b9edb60290

          SHA512

          2427cbac1804d540bbb29cdc08eca84dd7d51b71ffde1bc881a073d88f40819a9c14c4c05907da1c095856f350a5867b29f14f7be38231f4065f2bec7221eee6

        • C:\Windows\Resources\svchost.exe

          Filesize

          135KB

          MD5

          94512394b9100dd8c1d86e2b478e8280

          SHA1

          14d3a494fb9e18e13819c0404fa516f14973ea30

          SHA256

          c02855a5b9c656bded4fe9ee0f2721d8b475b8fde62b4a42684819f20e107446

          SHA512

          f8d6969b16cc07772a44897492157e06c61c6e8b252b3886ab85e6d643848a0a9207c46a9b10e65af341decae1d9841119554efb6c940c48df5502661613d825

        • memory/612-17-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/612-34-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1492-33-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/4180-0-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/4180-35-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB