Analysis

  • max time kernel
    120s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/08/2024, 09:17

General

  • Target

    8cc042c84aa3b910a6a8af2b9e5d64b0N.exe

  • Size

    206KB

  • MD5

    8cc042c84aa3b910a6a8af2b9e5d64b0

  • SHA1

    6d98cad862ff6eae9ae6fcbe50dd0f4ba4d19159

  • SHA256

    eb872a057436f78449d2eb3149fa07ec7278ccd1797e5038a734966a2f4f430c

  • SHA512

    eab97c8c9c623ca7c5b65fec64e18f654a27a4d1656b2ece6249a749ff736f14ea9215148fedda76358dbcb47c8d02f0ed1b0cd0dbd44d50a320a96c8be2e989

  • SSDEEP

    1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdi:/VqoCl/YgjxEufVU0TbTyDDalbi

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8cc042c84aa3b910a6a8af2b9e5d64b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8cc042c84aa3b910a6a8af2b9e5d64b0N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2672
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3056
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4776
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2132
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1716

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\Resources\Themes\explorer.exe

          Filesize

          206KB

          MD5

          5468c5e5ccf6a653b2d69565a2ef909c

          SHA1

          23def32346e86eeb0a747a105d53e31edfc01a8e

          SHA256

          55886492daafbaa35aee2e69269d75fc8695967b714889e3f75d3138c3cb488d

          SHA512

          c198d66e1cc8ec620f9f6a7d0aae5b68cad32d282c4973a0cbdccbce068b75b9254d2db489b2da45a2fea06de02cd114b5877ef4e00d5ee49d048de374f34a4d

        • C:\Windows\Resources\spoolsv.exe

          Filesize

          206KB

          MD5

          8991892937e4399848be22a7c171cb84

          SHA1

          d1b1942431ec897a13b5229a6243422b695a8a9e

          SHA256

          70f1a58a7d376d93c16e035d2433fa47afeb8c2370b622004fc51fb7c96e8498

          SHA512

          714c8699f92002996f112f7daa2a910c4cd175c75524c967c25373d48f4844d6b3532b7a39e29d2f89c22eb646f5a57753da14c0b99ec36f77a9e8ed4d26adbd

        • C:\Windows\Resources\svchost.exe

          Filesize

          206KB

          MD5

          04cf5421b29ccb4b99ce9dd269fed599

          SHA1

          b8fdf3113599d1d7ce30c57339af89a1f4c5d442

          SHA256

          3df377947f0e63019b2cdf95d0803988ceda8d79dd934ddfd74a6d25f3fc9b39

          SHA512

          c62703d4a8bdda5dfb23b9c7df5e9679b5eb4acf9426ec00aeca21357e37856eb7616fbf051527c2dda95e444fe2f2d8f24eb1893f7b6c500c321b4463c0ebfa

        • memory/1716-32-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2132-36-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2672-0-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2672-34-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/3056-35-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/4776-33-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB