Overview

overview

10

Static

static

3

c7c6b5398c...ed.exe

windows7-x64

10

c7c6b5398c...ed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-06-2024 02:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c7c6b5398c5411835112fed2d4169c76f07f4850c920d17f692df14aac7fa3ed.exe

  • Size

    741KB

  • MD5

    1d27448a1cb8c95ab3839ce58cf1c469

  • SHA1

    2fec19da397b24020835d821b4c617c30172e06f

  • SHA256

    c7c6b5398c5411835112fed2d4169c76f07f4850c920d17f692df14aac7fa3ed

  • SHA512

    0c2fc5e27009ffebeeb201473ee155bf21648752954a2e1d6b8d651c008d94f3cea1ad678f8bc2fcd3d8c1f00db9695e90ee0a6b3c7c4053c51718c245046dee

  • SSDEEP

    12288:ltTuhrf45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1Fc:lIt4kt0Kd6F6CNzYhUiEWEYcwU

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7c6b5398c5411835112fed2d4169c76f07f4850c920d17f692df14aac7fa3ed.exe
    "C:\Users\Admin\AppData\Local\Temp\c7c6b5398c5411835112fed2d4169c76f07f4850c920d17f692df14aac7fa3ed.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2164
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2900
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2584
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2672
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:2676
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:11 /f
            5⤵
            • Creates scheduled task(s)
            PID:2508
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:12 /f
            5⤵
            • Creates scheduled task(s)
            PID:1448
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:13 /f
            5⤵
            • Creates scheduled task(s)
            PID:1688
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2384

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      741KB

      MD5

      be06961549f81d8ce4a5d36f392318a5

      SHA1

      c62180a62c92dc8a885927fa7756140bbe0fd491

      SHA256

      bb6f00ba46c8185f2472e7cd89bcb370b1f2b2d84d5ab2b27a1039012c6e2a9c

      SHA512

      5c9840e6d58eb2a624315a4eaa4bc865f3fb3fb03d9c23e7f1b6db81307f963c38473464594896d2377372c584e766fb338f180b9186c38956cd9eaf94491663

      Download Submit

    • \Windows\Resources\Themes\explorer.exe
      Filesize

      741KB

      MD5

      ab1c219fec29e7f3726085e75cb1c1b6

      SHA1

      3994bb415ea8d4f3b59df71b93a3917cdb35e7d3

      SHA256

      36662d935f1936987c7f10bb0301aa06186dbdb14be2a10acc33236fc5d7b39e

      SHA512

      7c35aae94a045fe6713c3d0bd75ce77a08880457e2bc601243301bb79bdf898b91abaf31234b5e06f0cfe85ef0b5d0a7c471dee7ea1848d6756045fe57ab0de8

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      742KB

      MD5

      5979d9f0423989d626751ef16c181c0c

      SHA1

      73c2b3e7584c7ba59569b4066c68bc29dfde9f0c

      SHA256

      d8db312a91192a5c35e69dfe62c7b4a9b6c86638a99766d58998c0defd88e728

      SHA512

      c3ea43c73bda63c4aa8b3e9b5d9466e622ba8bfdbd85ecf889ef56b07f2eab59ca9e2af73898ea90ba33991f653606ae8132888dce43d3cf80e3e18fe8b46d96

      Download Submit

    • memory/2164-47-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2164-9-0x0000000003EB0000-0x0000000004222000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2164-0-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2164-50-0x0000000003EB0000-0x0000000004222000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2164-46-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2584-30-0x0000000003C70000-0x0000000003FE2000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2584-45-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2672-52-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2672-57-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2672-69-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2672-51-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2672-37-0x00000000038E0000-0x0000000003C52000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2672-55-0x00000000038E0000-0x0000000003C52000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2672-54-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2672-65-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2672-61-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2672-59-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2676-44-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2900-56-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2900-62-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2900-64-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2900-53-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2900-49-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2900-70-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2900-72-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2900-76-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download