Overview

overview

10

Static

static

3

d66cdbed81...0N.exe

windows7-x64

10

d66cdbed81...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/08/2024, 02:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d66cdbed815fa50e73cb5ec8cc6ed760N.exe

  • Size

    1.2MB

  • MD5

    d66cdbed815fa50e73cb5ec8cc6ed760

  • SHA1

    d0a9fb067e36491e809239f2857cc8d742e3c148

  • SHA256

    30f951191ac71bb68d6e1b596a11d8e75a5315bb033e2ac2be9264d65324a1d8

  • SHA512

    5da91662427aefcb7df3270561f09d95973ed698cb759dc29f386f3a534b854e5285b528a8fb3fd86ceef1adf9bd34db629380aac9a75a8260648bd5e195f242

  • SSDEEP

    24576:Wj+cktriK2PVboYTicnT1SBb//wDKULTrhSFkOTu+FMb:DSPVboYTVABjRGtSFruNb

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 31 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d66cdbed815fa50e73cb5ec8cc6ed760N.exe
    "C:\Users\Admin\AppData\Local\Temp\d66cdbed815fa50e73cb5ec8cc6ed760N.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3668
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:508
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3164
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4460
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:412

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    1.2MB

    MD5

    6de56a0f8e553f34837cbc9cd7c413f3

    SHA1

    b94c615c47e2c2e3bc30eaa4c500529ea89b7341

    SHA256

    fd574a41497ecd22fe6691b4e05dd6c73ab527c99c154ec380f50e2dc225d9e3

    SHA512

    596762628bb7a7d52737ad4886eed0df1aa6deed2fcca10d77811bb0cf38a06dc549c0b8c13165ac9ca2faa009791d80435c02695739db806663e36e342f8de1

    Download Submit

  • C:\Windows\Resources\svchost.exe
    Filesize

    1.2MB

    MD5

    60a20890c4a4f7852586ff79e684c63a

    SHA1

    a87a1dcdce612d79f6009b78f33e415306308f3d

    SHA256

    29ec200b47f9c5723d808fb8ce9fd6ab8d8e28d61150d50a7bf9c74a55bdbf58

    SHA512

    920a59ae9ac7dc5e5aa30df867c7299680d6590c6f738db3659a0e7063ff81e932b11832634f332acb2dca798419a8960da1dbb41384e5738026fe838e08fd6b

    Download Submit

  • \??\c:\windows\resources\themes\explorer.exe
    Filesize

    1.2MB

    MD5

    9546abc8361f50e2c676f886314fe0ca

    SHA1

    ade9b4f8118b1d6f7595f0c3bcd89c08e8939241

    SHA256

    c187abc18b5368eb596c998bdd3078314a6bc0e6338919ede6f961aec59233c0

    SHA512

    41782ba2d9e08bd97cdbfe8a562b19587448a54ea942a19ce3151a5b17d5e9e271c938e4ae7037c9411c0d2ca7d3ad13e5a2fd54a38c42d4e866c71c169ebeda

    Download Submit

  • memory/412-34-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/508-46-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/508-58-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/508-50-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/508-38-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/508-60-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/508-40-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/508-42-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/508-52-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/508-44-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/508-56-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/508-48-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/508-54-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/3164-35-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/3668-0-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/3668-37-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4460-49-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4460-51-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4460-53-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4460-47-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4460-55-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4460-45-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4460-57-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4460-43-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4460-59-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4460-39-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4460-61-0x0000000000400000-0x0000000000793000-memory.dmp

    Filesize

    3.6MB

    Download