Overview

overview

10

Static

static

3

5c7f604d74...0N.exe

windows7-x64

10

5c7f604d74...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    16/07/2024, 03:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5c7f604d749f9e5fbfb149155f88c4d0N.exe

  • Size

    135KB

  • MD5

    5c7f604d749f9e5fbfb149155f88c4d0

  • SHA1

    034522e84db17a086a8eee6dddd96163f596e71a

  • SHA256

    add7afbb28c137e8f3422b27fb959db3480d4f2b8a96d7875cac12655365331b

  • SHA512

    72903ceb151976ca23a6ec0cbeec1023c634ea14eca1985b11f3b335b7bf583437aed5495a0d373bdbbfcf82938ad43e86414e44d74b308dbb0d8f69d2ad356b

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVVKc:UVqoCl/YgjxEufVU0TbTyDDalLKc

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c7f604d749f9e5fbfb149155f88c4d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5c7f604d749f9e5fbfb149155f88c4d0N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3004
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2556
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3028
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1796
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2280
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:20 /f
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2820
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:21 /f
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:436
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2456

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\Resources\spoolsv.exe
            Filesize

            135KB

            MD5

            78aaa424e889b0d652803a64d2af9714

            SHA1

            c7209bbe723c2f0da90707f5b07df543d0272501

            SHA256

            082ab1491598ff2e738943f956319941c1cbc48c7346ab8573daf8a100cbee8d

            SHA512

            8427b5fc1e38d25018749af213afd445a991ea5a26ed4772d3b59fea6b92d422885a4694fd4cb4e09cb0e8c9a4e20e209fc5990cf87c6ff689ced4e6c7b9bfed

            Download Submit

          • \Windows\Resources\Themes\explorer.exe
            Filesize

            135KB

            MD5

            0e36430e06646ed0298aafe746e6c290

            SHA1

            3fc085f5a6e89e2fe97f6157649a41ffacac84ba

            SHA256

            8f47348bf3d3132f1cb758c43a185ac0a512980bf8dad27484b8f5f82853e9b4

            SHA512

            da4e6d1eecff3b2cbce8e238d13d1294a1679e7498fa6b73ee0080c689e4d132c73de0ecfd33bc7e407f085effe94644dc6337c774644284196f7425b2d3c31f

            Download Submit

          • \Windows\Resources\svchost.exe
            Filesize

            135KB

            MD5

            d5db33cec8b5920f62210101acf27ba7

            SHA1

            0978a8d4a560244c52f33316be98c11a4e110c79

            SHA256

            640df4acfec91766a4faca74ea88701a10c28816704ef4adbbf51b7914a700a1

            SHA512

            5a3b369893042c0256fbdc24c147e71bc46c4efad47e4c67461833e3b453afa0fd54579ec2f28d9210b0f7c465d917a3b38170913877759a27eb2a6ffd9a9f72

            Download Submit

          • memory/2280-39-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/3004-0-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/3004-41-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/3028-40-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download