Overview

overview

10

Static

static

3

6a33b1596a...0N.exe

windows7-x64

10

6a33b1596a...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2024, 10:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6a33b1596acf9e96bd245ad298120660N.exe

  • Size

    135KB

  • MD5

    6a33b1596acf9e96bd245ad298120660

  • SHA1

    9c645414335d3cbc255bd960d6c1cfb4ef6d23dc

  • SHA256

    f0e5d9e447e7f27be769f30db5b5dadfceded3262ec5c2b2106b30f2611c56f0

  • SHA512

    f3a1baa120b4318b9e4661f8064bb385de4b959694a86b296bcf527f410494780a600c894d24b088ccdd3f870dfb0aee13597e1fc9a7bcaecdde3f54db68998b

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVcTpbqr0B:UVqoCl/YgjxEufVU0TbTyDDaliB

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a33b1596acf9e96bd245ad298120660N.exe
    "C:\Users\Admin\AppData\Local\Temp\6a33b1596acf9e96bd245ad298120660N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2200
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2276
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:672
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2332
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2152
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:53 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1436
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:54 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:492
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:1656

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\Resources\spoolsv.exe
            Filesize

            135KB

            MD5

            cd27ee48c0d38960c0404b42f67ad653

            SHA1

            0f7739e49b26add72df1e2f2ea0bf6453029a115

            SHA256

            b1bb4df93de9e46df869fcec309d6f3e31247bde73346ed0ca8e7e309049196e

            SHA512

            6aa007b430b6264634488325da49fe19f8f315adc6d03c91fe214e9f1f5995dc4e14dd830b9d8e7a6284866b1edb9771a32080f83f7affdcd8628f4b5a6573f6

            Download Submit

          • \Windows\Resources\Themes\explorer.exe
            Filesize

            135KB

            MD5

            917e06a54a6f22ffa5c0b6c7235ab122

            SHA1

            5c0c03e22f41102a1a5c63c184b24ac377caeb77

            SHA256

            5b44dce2e0db909752592cffd6b23840416771c487caab4aaae68388e60a9636

            SHA512

            5a9b44a066319b3e6cdbbcffc5af9ce9404063c107ce67c0a4e0aba4993d3e37e93e52a8c93aa8da086403fd70d4783fdcce9d61fc64ff0dd2aaf798c8324268

            Download Submit

          • \Windows\Resources\svchost.exe
            Filesize

            135KB

            MD5

            3cc04515ab12a920e335cd5c31d8b2d0

            SHA1

            c94973679012444363f619fe6996f5f59d23b44a

            SHA256

            dbf819388ca38e466bf4af56d6210c76ac3c02ad8c3d1b5ecc47b0b2a684115e

            SHA512

            6d4e586a45851fef509bebb8c23fb6dc9e4de7cafb9ff2205005c57ffdadec85444be9e26b81a33d9a6cd31ec5469f4132444dcc01bd720810e61584a2cad2bb

            Download Submit

          • memory/672-31-0x00000000003C0000-0x00000000003DF000-memory.dmp

            Filesize

            124KB

            Download

          • memory/672-42-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2152-41-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2200-0-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2200-8-0x00000000004B0000-0x00000000004CF000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2200-43-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2276-44-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2332-45-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2332-46-0x00000000002F0000-0x000000000030F000-memory.dmp

            Filesize

            124KB

            Download