Overview

overview

10

Static

static

3

6e12b57fa3...0N.exe

windows7-x64

10

6e12b57fa3...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-08-2024 19:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6e12b57fa31dde6e68c697b13e3f2c20N.exe

  • Size

    135KB

  • MD5

    6e12b57fa31dde6e68c697b13e3f2c20

  • SHA1

    42b6652a12afb53cd8357b03e1573b933acd8e15

  • SHA256

    3157844376f1f67efa460820531e495d78f3371d7b10bbd666c6c84909ffc1cb

  • SHA512

    0ef1278c3ead46a832978af8aefdc85bc77b3073dca2ff84be703cd5fd6a45acf1a7d3b656d100308062fc01692073363daa9f6fc86bb202cfcbcf6a0f5d3389

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV8cybW:UVqoCl/YgjxEufVU0TbTyDDalicybW

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e12b57fa31dde6e68c697b13e3f2c20N.exe
    "C:\Users\Admin\AppData\Local\Temp\6e12b57fa31dde6e68c697b13e3f2c20N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2972
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1068
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1664
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2812
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2860
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1304,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=1440 /prefetch:8
    1⤵
      PID:3748

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      06cba94369438e923c28c401d71a9ce3

      SHA1

      a627cddf4ef7b5b101220a847f3f96eec46e0487

      SHA256

      c8dfbf600282af05561d8065008b6b0fe91c9c252f7362da40e94c944652ec4f

      SHA512

      45b5d721e35e4a346a7594c3c1f4debe49d9692fd51b2542ec830e0f07d360e073a21caa6f8614d6f308fe16d96817ace562900e96a71e66cb0b02c749c27e1f

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      08c4c02dbc44dc3129b7a2fcbf7035a0

      SHA1

      0695fd192fdf7e8d847cb750d7a6f0f61192e892

      SHA256

      77ace85b7612e852ef389738ca2b3b9965757a4a78cfb7ee161b6e5e4487e193

      SHA512

      0f0f4c08afc0ccc9d3a2cb055539d3bbab7e7db980dc5672013b6d7352a4351852cc264d32b125a35e9117276dbf4efb8ead3533fb4e6d0c2e60da241dd431b1

      Download Submit

    • C:\Windows\Resources\svchost.exe
      Filesize

      135KB

      MD5

      b564c056712e886131723d908eb058b7

      SHA1

      f1fec4bf6083a7d3ad14b33774523a04b16cd8b6

      SHA256

      9272f4ff46bd871b5c332a7e1d0bb62082cc704b95428ab46c376b381a28c875

      SHA512

      a380dd51974a180fba91aa5d59120f8e3af66661392d8a40a7b1813747e2e54e51bff1006ea0ede12c4bfcd6d1a8c584c6df621a0b1f7321913a6258518b7b47

      Download Submit

    • memory/1068-35-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1664-33-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2812-36-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2860-32-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2972-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2972-34-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download