Analysis

  • max time kernel
    120s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/08/2024, 15:33

General

  • Target

    cfbf7ea72899cc9fdc5f0334286292f0N.exe

  • Size

    121KB

  • MD5

    cfbf7ea72899cc9fdc5f0334286292f0

  • SHA1

    a250c615a8cee9d9c61c427176f356b2afa61967

  • SHA256

    1310d072484682e806775691b7c7e75308975952d8e931ca869cabeb7f151130

  • SHA512

    dc96e8184cf2fe083efb0b92a4fba4c6ecef6a3ae51d3e1770d92ef0cccd3984676585e06f3918fe624d4b828e380c37adca70c2956ac8723f1e666e313f96eb

  • SSDEEP

    1536:9X9TaOt5OuXpBFZQUSvnsk+z/ypuOASsIc9XmkbxH3n:9X9TP3OuXpBkAz/yjvc9X/9Xn

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfbf7ea72899cc9fdc5f0334286292f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\cfbf7ea72899cc9fdc5f0334286292f0N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3136
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4944
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4188
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4712
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3412

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    121KB

    MD5

    f66875a2b959f1df5b1c086ef8737f05

    SHA1

    bb6208be2bcbcf71e7c55c9a13293ffa15b129ee

    SHA256

    df51a944473e490d4f5690a5af32f76b8ede2eb543121693ad4d8d5cedc8c8b2

    SHA512

    34142341fd3b83e7c6bd2cb2a568fc9064c628846e384be95f6564c25998eda47c6bc52cb7ae32aaac337d0dc2521390e069908d8ab53069b139acafd418676b

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    121KB

    MD5

    d72daaa7bb6d27d492f6c5547c69df61

    SHA1

    34e0d792a115c1ce33368df41cdba6c1e9fe48de

    SHA256

    7223d5c433a04ad56d4d9f2fdfebe716d97b759cddc18b64e175bc633fb96475

    SHA512

    56db9fb0ace4be228ffdf72cabac1ebed84df850dbb6f8e9d8462fa4fd7cc9066e2cb0861b55e33b52b7805f96960d4bbc026204704ebc48dc69df0a3bc05549

  • C:\Windows\Resources\svchost.exe

    Filesize

    121KB

    MD5

    bbb63d188c1090c81972e913d4bd5b87

    SHA1

    2c297564438c89711d389b8be91a0df44283b261

    SHA256

    b5c2887735249cab93a4721d67ac4db64f293617ef00a5503eed93052651885c

    SHA512

    28497830c5b243e2dbecaa830a1b5615ef51f01d0c62f14cabfad7187b7d02a0a768fc86c4aa11f1b631140411ba0fdd3156c9d78f1cbeaf175f5540d9dbbfff