Analysis

  • max time kernel
    120s
  • max time network
    80s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    19/08/2024, 12:05

General

  • Target

    cd1c80c9ff225fe87173296a66307c80N.exe

  • Size

    233KB

  • MD5

    cd1c80c9ff225fe87173296a66307c80

  • SHA1

    1f3bd097fc23e07a0bf48239e3868dc20dfe7782

  • SHA256

    de5a9fc78e68586c3de88604c122d624048f7ba510d82b3880bde0deaf7ca49e

  • SHA512

    7619d1a6e7ff8fc363893aa090790de94856071fa2ce49c7dc8e15288e32f15f929a96f2fef16929fac4352d4b5eb324e760bbb431d1204eb1c5cf112f184840

  • SSDEEP

    3072:5VqoCl/YgjxEufVU0TbTyDDalyz/dAMhdF2jBCmLdjaf3k6aaICeHw:5sLqdufVUNDa4z/LLvmpjE3EaICeQ

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd1c80c9ff225fe87173296a66307c80N.exe
    "C:\Users\Admin\AppData\Local\Temp\cd1c80c9ff225fe87173296a66307c80N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2780
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1948
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2932
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4268
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1812

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    233KB

    MD5

    3cfa1e9a182e573d7fe8fb8319f3c2ba

    SHA1

    b23ae96d55d293ac94d914569c4566f969ace975

    SHA256

    663e9c70f894947b2d9ad28f9515b581759ed0afe57fc90970dbe3bdaa6cdfa0

    SHA512

    3b0ba1dd25d8aacac274bbfe075d19fc156f5fe37347081a735402c42366f355ce1b7e6688dca23bcf395a26335caae804e6fd8d71df49b8fde2b5e09ad8e73f

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    233KB

    MD5

    93f68201342a22c8807cfab7f3fe3eaa

    SHA1

    485893eae6cccabb57b1a2b12dabdfa1bb581967

    SHA256

    d5e72125d7849019723e6c7d6030fe62b8f5155edad19b5f6c336d445b1872ed

    SHA512

    8151d31b3189aa13dbabe065a94a4ccbf4b28257d9dd2e539bfb741b78f7a1d71d40fff3a8209a6fcb158cab60af5fb4f96344994f0ef851bb7361f0603f95d2

  • C:\Windows\Resources\svchost.exe

    Filesize

    233KB

    MD5

    85899e06a7acc59cc4651b2368645771

    SHA1

    777812bdc9b4674029b5f30de89b77bbc12a0934

    SHA256

    8aa88d1267cb5524fc80a0f76d1fc05fabb79b48681494912f36f8e379220e96

    SHA512

    791c0cc4386003e5ed44eaa660f1202ddfbd1e41036c1efde076ca307b7fb806dbe181cd04aa99a54e184e9d961abc1c48b1d2e2a318a59b1f288cf85a7ac202

  • memory/1812-33-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/1948-36-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2780-0-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2780-35-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2932-18-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2932-34-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/4268-37-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB
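A triage script built from this report, added here as an example; it is not part of the report and not sandbox or vendor tooling. It applies the pattern visible in the process tree (copies of explorer.exe, spoolsv.exe and svchost.exe executing from c:\windows\resources instead of their legitimate directories, the first of them started by the sample running from the user's Temp directory) to process-creation events, and walks a directory tree to flag the same masquerading names and any file whose SHA256 matches a dropped file listed under Downloads. The event field names, the sample events (rebuilt from the process tree with one benign control added), the legitimate paths assumed for the three binaries, and the assumption that the scanned directory mirrors the C: volume are this example's own.

```python
"""Triage helper derived from the sandbox report above (added example).

Flags processes and files that reuse the names explorer.exe, spoolsv.exe
and svchost.exe outside their legitimate directories, and matches files
against the SHA256 values of the dropped files listed under Downloads.
"""
import hashlib
import os

# Assumed legitimate locations of the three impersonated binaries on a
# standard x64 Windows 10 install (example assumption, not report data);
# any other path carrying one of these names is treated as a masquerade.
CANONICAL = {
    "explorer.exe": {r"c:\windows\explorer.exe"},
    "spoolsv.exe": {r"c:\windows\system32\spoolsv.exe"},
    "svchost.exe": {r"c:\windows\system32\svchost.exe",
                    r"c:\windows\syswow64\svchost.exe"},
}

# SHA256 -> drop path, copied from the Downloads section of the report.
DROPPED_SHA256 = {
    "663e9c70f894947b2d9ad28f9515b581759ed0afe57fc90970dbe3bdaa6cdfa0":
        r"c:\windows\resources\themes\explorer.exe",
    "d5e72125d7849019723e6c7d6030fe62b8f5155edad19b5f6c336d445b1872ed":
        r"c:\windows\resources\spoolsv.exe",
    "8aa88d1267cb5524fc80a0f76d1fc05fabb79b48681494912f36f8e379220e96":
        r"c:\windows\resources\svchost.exe",
}

# Constructed process-creation events mirroring the report's process tree
# (PIDs and image paths from the report; the parent of the first process is
# not in the report, so it is None) plus one benign control: the real print
# spooler started from System32.
SAMPLE_EVENTS = [
    {"pid": 2780, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\cd1c80c9ff225fe87173296a66307c80N.exe"},
    {"pid": 1948, "ppid": 2780, "image": r"\??\c:\windows\resources\themes\explorer.exe"},
    {"pid": 2932, "ppid": 1948, "image": r"\??\c:\windows\resources\spoolsv.exe"},
    {"pid": 4268, "ppid": 2932, "image": r"\??\c:\windows\resources\svchost.exe"},
    {"pid": 1812, "ppid": 4268, "image": r"\??\c:\windows\resources\spoolsv.exe"},
    {"pid": 4444, "ppid": 700, "image": r"C:\Windows\System32\spoolsv.exe"},
]


def normalize(path):
    """Lower-case, strip the NT object-manager prefix (\\??\\) that the report
    shows on the dropped images, and unify separators, so the NT and Win32
    forms of one path compare equal."""
    p = path.strip().lower().replace("/", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def is_masquerade(image_path):
    """True when the file name is an impersonated system binary but the full
    path is not one of that binary's legitimate locations."""
    p = normalize(image_path)
    name = p.rsplit("\\", 1)[-1]
    return name in CANONICAL and p not in CANONICAL[name]


def triage_events(events):
    """Run the checks over process-creation events ({'pid','ppid','image'}).
    Returns {pid: [reasons]} for every flagged process."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        reasons = []
        if is_masquerade(e["image"]):
            reasons.append("system binary name outside its legitimate directory")
        parent = by_pid.get(e["ppid"])
        if parent and "\\appdata\\local\\temp\\" in normalize(parent["image"]):
            reasons.append("spawned by a process running from the user's Temp directory")
        if reasons:
            hits[e["pid"]] = reasons
    return hits


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, drive="c:"):
    """Walk a directory assumed to mirror the C: volume (a mounted image or a
    collected file export) and return sorted [(windows_path, reason)] for
    masquerading names and for files whose SHA256 matches a dropped file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            win = drive + "\\" + os.path.relpath(full, root).replace(os.sep, "\\")
            if is_masquerade(win):
                findings.append((win, "masquerading system binary name"))
            digest = sha256_file(full)
            if digest in DROPPED_SHA256:
                findings.append((win, "SHA256 matches dropped file " + DROPPED_SHA256[digest]))
    return sorted(findings)


if __name__ == "__main__":
    for pid, reasons in sorted(triage_events(SAMPLE_EVENTS).items()):
        print(pid, "; ".join(reasons))
```

Run against the constructed events, the four processes launched from c:\windows\resources (PIDs 1948, 2932, 4268 and 1812) are flagged and PID 1948 additionally carries the Temp-directory parent reason, while the original sample (its own name is not a system binary) and the System32 control are not; scan_tree on a collected volume reports the same names by path and confirms identity by hash, so a renamed copy of a dropped file is still caught by the hash check and a fresh build at the same path is still caught by the name check.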