Analysis

  • max time kernel
    102s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/09/2024, 22:03

General

  • Target

    66c08694a84314b53bacde050af39730N.exe

  • Size

    206KB

  • MD5

    66c08694a84314b53bacde050af39730

  • SHA1

    ad6e2c01041589df7b6375634e4e155505e05eca

  • SHA256

    ac14d042c3ccd1d6098433bd54e37e275d53194c40e0594892e9676faa6ce25c

  • SHA512

    a4d72e608400709a1628481c9093acfbeb2555cc210435f6770d624c5d624e09286185c7bd3f2942463b117a3f05984410c283d1c8164a8f598ef9878950f1bd

  • SSDEEP

    3072:/VqoCl/YgjxEufVU0TbTyDDalblsssssssssssssssssssssssssssssssssssst:/sLqdufVUNDaJ

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66c08694a84314b53bacde050af39730N.exe
    "C:\Users\Admin\AppData\Local\Temp\66c08694a84314b53bacde050af39730N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4532
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3124
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2200
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2264
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    206KB

    MD5

    fcbd362447bbe155fc3331fa83bf7a37

    SHA1

    19d4488dfcba653139b7b96a8d7d0531da928d10

    SHA256

    39e7cf9dc5bfce7ccd933a1c56a893b2b8bb626f377a31a79a7107dd48f21c74

    SHA512

    8bf7d8a119dc43c9f73dcfb9ba7b224a5f0bba185ccbf0dcfffc422bcbec9fd2a25efbbeb753c8b4438378b3127a8e76bd3b525859b6190a85354a149dd60dad

  • \??\c:\windows\resources\spoolsv.exe

    Filesize

    206KB

    MD5

    d30452b9327cfeb363dcec7d380484f5

    SHA1

    ed8ba45f5be301f4d9e894c3bdc86d2e71456c05

    SHA256

    350d620da5eb0e9fd1652a0dc3ca7b03b5adfc806d6d364c2601adf01a9e7cc0

    SHA512

    b6118c22b381e7b89126545c1b33c3df2b6e101815327cb7de2184b9141d8817ff238beff175832e418ea231bcc53b0aa54ae63fd490d8229139605df601e33e

  • \??\c:\windows\resources\svchost.exe

    Filesize

    206KB

    MD5

    38851542a84106800cb6f94f23146c44

    SHA1

    49fe63c0c41c9deb4d595bb2808b8730dcf570a7

    SHA256

    58548c6a13fe50186335d75f895ecb1c91d46ab4a6de4dde761c70b833f05c4b

    SHA512

    4c86bc6b628a959a2f1835a346aa06990f246ea274b82f6b0e9e5962296d5fd789db208c42e80e7eacc6ed9bbf0566531a9a449e2a7be7a7f328233f5a6d0f8b

  • memory/2200-34-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2264-25-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2264-37-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2292-33-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3124-36-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4532-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4532-35-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB