Overview

overview

10

Static

static

3

AppXor.exe

windows7-x64

10

AppXor.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    22/08/2024, 07:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    AppXor.exe

  • Size

    790KB

  • MD5

    48d161ecdea55f44e53df822e4947f5c

  • SHA1

    2a38d2e290561a0937ccaff9c2eff59c554fbeaa

  • SHA256

    07c6bdda512ecb8bbadcf57e4f98b3376ca121dd2102cc17513133d277b0430f

  • SHA512

    c9d4c2755e82f5d8fa64c008fa5442ad3bde809b55011fc763b0c486eeb789a8b84f7f7226ec45fce4ef36adb5aad94513284ee620ead3822fca57df4aa70895

  • SSDEEP

    12288:cFUNDaMzrJbjmrlbrJcYXrCbLrJdLOrOzrJ3bUrvJ:cFOayrxjmrFruYXrCvrHLOrgrtbUrvJ

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AppXor.exe
    "C:\Users\Admin\AppData\Local\Temp\AppXor.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2644
    • \??\c:\users\admin\appdata\local\temp\appxor.exe 
      c:\users\admin\appdata\local\temp\appxor.exe 
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 628
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2708
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2884
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1704
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2624
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2720
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1716
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:54 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2088
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:55 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2020
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:56 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2856
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
            PID:2916

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\Resources\Themes\explorer.exe
            Filesize

            135KB

            MD5

            aef6ce44bf636ac2cfab6df4ff4e49bb

            SHA1

            ef274dd15e286736c9aa903697c9fce3994514ca

            SHA256

            5b9b1b8f6d050daa427953c5eb2b750fc8fd9ad7b21513e9ff4cd4fc1b068083

            SHA512

            f211467b495c19a733a4915176935581babf8558838b318dad79e0e9485eaa8952ae54d11e9611701757fb839b3c37ad6de2c8fd8d57bc6e41e23ad4bc1a6aa1

            Download Submit

          • C:\Windows\Resources\spoolsv.exe
            Filesize

            135KB

            MD5

            0b39b6ef419b54c16fdac9091f69ab1e

            SHA1

            7413157291309a57a0922ab1717c8d5106c512e2

            SHA256

            6cf1f6b661690fbc575300e84e1b17eb1885f4ba07f3caf34d3ff1b1b537712a

            SHA512

            e433fa56f5fc19e82f0336132278cf0f790e5001072ba7593606cfd2cc161d36b4a5e7b1d7c754591c4dca7d60c48680ce5d07b7473c9d5320df86fd3af0c594

            Download Submit

          • \Users\Admin\AppData\Local\Temp\appxor.exe 
            Filesize

            655KB

            MD5

            4bfe50ad13d9656904e0a457ecb9ad67

            SHA1

            6bb235ef4824108bd2818e894be507a7ee1ca979

            SHA256

            5f04ad825ab9c801743d44cca48c8eb4d367090ff328d9d7dac93a3f67383f15

            SHA512

            3543dc41ba5b03233462f2c1598ace6f1f4eae437c504a365e569dab899e6a3cc62503cfa84cecb54060122e80b40b8b1b6e098243079fbcfc4a6e8e840c5052

            Download Submit

          • \Windows\Resources\Themes\icsys.icn.exe
            Filesize

            135KB

            MD5

            c8ad376971a8ca97eeb6d9a54284cc38

            SHA1

            42d87738158b0c08f21bc13e99ebe989836412e5

            SHA256

            ac385c73cbad57313bdc9cc3ab69625869845a8ab5b7a8f5bfb98dc9bdae592a

            SHA512

            6dfd4c2cf3f9dd59465286f7baba2e1c0e109319821dd889609587a53409276d55346c7fa7e2a6620fb4052e611ef0a57c6f7fb5d5f4a4d87ad7817ef65ba8c5

            Download Submit

          • \Windows\Resources\svchost.exe
            Filesize

            135KB

            MD5

            c3ef416c52477ac4b87884797704091f

            SHA1

            4fc806cee4ea22dcb304d21d2c5a2ff5233c0be4

            SHA256

            88a96e9eb3d8eafb05d2f5c9ce4956a791a52c853417ca01340c509c192a1dcb

            SHA512

            3e8d7317b22c5bd0931560b5c80f5117b7d19b4583dad5a370ab1360ed2ada80f6ab545f1e55b5e4f81445608448c7d19cc9e0852b32cd183ccebe6d12755782

            Download Submit

          • memory/1704-71-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1716-67-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2624-68-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2644-70-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2644-0-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2644-25-0x0000000000270000-0x000000000028F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2700-19-0x000000007430E000-0x000000007430F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2700-24-0x0000000074300000-0x00000000749EE000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2700-13-0x0000000074300000-0x00000000749EE000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2700-12-0x0000000000DF0000-0x0000000000E98000-memory.dmp

            Filesize

            672KB

            Download

          • memory/2700-11-0x000000007430E000-0x000000007430F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2720-63-0x0000000000420000-0x000000000043F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2720-72-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2720-73-0x0000000000420000-0x000000000043F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2884-36-0x0000000000320000-0x000000000033F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2884-69-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download