Analysis

  • max time kernel: 150s
  • max time network: 49s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 03-07-2024 05:15

General

  • Target: fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092.exe
  • Size: 741KB
  • MD5: 537eb8efffe8d1e0f927d0dad1d6e799
  • SHA1: b05e25a73a915c7221302b8887047145042d8b5e
  • SHA256: fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092
  • SHA512: f20c9c932bdeeba201351c7f15bdd4d6540f2d58bd312395c6c46863971fa10194b78e922250c2131b16a7e904a730abbdb01393a816970ab9d88acb5bc7e399
  • SSDEEP: 12288:ltTuhrf45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1FL:lIt4kt0Kd6F6CNzYhUiEWEYcwD

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092.exe
    "C:\Users\Admin\AppData\Local\Temp\fe5c1bb3ee34227cc4169f7f7e22e98d9715352ccfddd39444098821e3f2c092.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3776
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1912
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4432
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4272
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:220

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\spoolsv.exe
    Filesize: 741KB
    MD5: 455d0f02a1c75dc6f28d00f74d70be7b
    SHA1: 889df61432d534f812c497dac5cb8951eedf90fc
    SHA256: 113d37db9cefada6e929bb043ab1a840e2fbeda455b11b82ad013263116cdc3f
    SHA512: afcd1ed00e011e5a7cbadac5e135a873a013b804fd0b2404738e608cba490016248cb6332333b0dee3ff4dfdf7c524acd3327c55c72d1dbd487c529dd71cf801

  • C:\Windows\Resources\svchost.exe
    Filesize: 741KB
    MD5: d6ec3e592b3cea9c9d252c5e3a4bf179
    SHA1: 349ba883b0da31b82332a594bc524fdc17fc26b8
    SHA256: 28608d7437b954354d298383ed48b94c9bd89cfb5e2133e7eafd016f98df518e
    SHA512: 6b253709dfc7704e945f3231414f72c204c3dbf11c0ae86f6f4c22a1750aa6911c9e47db44c4f0e4cf3e8c10dfe43a0f0966e181d9e70c965c2c41276a436d82

  • \??\c:\windows\resources\themes\explorer.exe
    Filesize: 741KB
    MD5: 5cb868ef658a0c8aaa8b155d33d77635
    SHA1: c684c563bd31074a3505b509c8856786acb8eb23
    SHA256: 3dcc3dc214360286b5b12af15711e175b152f2fdc5a06e828abfd02f94a422ce
    SHA512: 086750c0538e68125006472c227b40905ba297be80467b545c6e6db7cea1f3a572e95f2e73128d914ee9e951e945d90161cec29ccebbb075bc426a2629f68142

  • memory/220-35-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/1912-49-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/1912-9-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/1912-63-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/1912-38-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/1912-57-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/1912-40-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/1912-41-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/1912-51-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/3776-0-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/3776-37-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/4272-42-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/4272-48-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/4272-52-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/4272-39-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/4272-58-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/4272-64-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/4432-18-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)
  • memory/4432-36-0x0000000000400000-0x0000000000772000-memory.dmp (Filesize: 3.4MB)