Overview

overview

10

Static

static

3

3143cfc018...0N.exe

windows7-x64

10

3143cfc018...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    09-07-2024 07:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3143cfc018bcf44682c6ce4f28ab7c60N.exe

  • Size

    135KB

  • MD5

    3143cfc018bcf44682c6ce4f28ab7c60

  • SHA1

    b6e9acd674e3be90d8dc0147673a0bb44b2540a9

  • SHA256

    cd257df528fde9016a833fad9ef04c6e27d9e63e29c299a187400f17cfea46db

  • SHA512

    2a804e2a2cfbb37aec04219c5c52fd454e95bb9ce366c202ae354a529dbb30b12c1138924f64114c51f8bc7ca305f7dfeb59069f2fb099630d179025f620b962

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV78L:UVqoCl/YgjxEufVU0TbTyDDal2L

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3143cfc018bcf44682c6ce4f28ab7c60N.exe
    "C:\Users\Admin\AppData\Local\Temp\3143cfc018bcf44682c6ce4f28ab7c60N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1512
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3068
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2948
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2976
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2864
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:31 /f
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2696
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:32 /f
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2044
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:33 /f
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2076
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2264

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      c9a7d1b9ffedcbe8c0d70e2e53f442c3

      SHA1

      6fb8ac81b6e78bca07a29fc02b8aaae48ac270cb

      SHA256

      b9d9a27a9fa35b5f6bd708a1e882a172e9cafc81d62ac0a856a0744900370b10

      SHA512

      9042f829cc1920bf7d1ea637be6a3e31b015748722a8b84c81dc4258bb2167e17f974fd60f469b450de34af0e93a27785572c994cc084ae25c924670a604fd3c

      Download Submit

    • \Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      f1104b642f3afaf09208ec0cbb13d354

      SHA1

      24608527465f4c46781e1d5a692ed5ee8205ffcb

      SHA256

      cd575c33898f53ee9bc0575a35460066595e4fc9afc0d649d18234b7720e4213

      SHA512

      6bf849787e1b91b797ebf5cb8a054b6b2d73a31ad94ac3bf962b3bd1fad4baa6a97d33dc1148629070e03fbbf1344c0c010e95c4e188baee629b55467d0d8457

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      135KB

      MD5

      4a67938d069935bda2df19b5e9b3b015

      SHA1

      43d0028293aaa6c04a04c0a14e900d407f5a425b

      SHA256

      014eae30269b298dc5230a336331fc3e8635c89dc177ac755000bc5cb460fecc

      SHA512

      a5959211fee984d31aa1a89c5c9cedc1e8fd380ba5213daeb74adbad430476f2a82d5932e3bf62ba4ae468259f7a03e56a600113816c9fa3d5d7ca82f1e62675

      Download Submit

    • memory/1512-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1512-9-0x0000000000270000-0x000000000028F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1512-43-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2864-41-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2948-30-0x0000000001B50000-0x0000000001B6F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2948-42-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download