Overview

overview

10

Static

static

3

6ad1a13022...0N.exe

windows7-x64

10

6ad1a13022...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/09/2024, 20:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6ad1a1302253375fcd6c7380f814f620N.exe

  • Size

    206KB

  • MD5

    6ad1a1302253375fcd6c7380f814f620

  • SHA1

    e8c64500415bf77650034bd8c28fbf7813629be5

  • SHA256

    dbac0525cbbbe1bcd566cf2b8cde307e86f8d59edbd9f3e0b4d31d805d260de1

  • SHA512

    0ede8a0c5cb66ff1d198ccf095cab9831041aaa79219924fe88448f7a0b9de4c7a451062a8ba1febf5ea5b75dbfd4107a2c7ce7dce0bb038b9a2cf11d8eeaa09

  • SSDEEP

    1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdIr:/VqoCl/YgjxEufVU0TbTyDDalbs

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ad1a1302253375fcd6c7380f814f620N.exe
    "C:\Users\Admin\AppData\Local\Temp\6ad1a1302253375fcd6c7380f814f620N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2396
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1700
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2140
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2700
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2864
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:53 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2840
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:54 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2500
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2756

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • \Windows\Resources\Themes\explorer.exe
            Filesize

            206KB

            MD5

            05a7383c8ab6ecee6abbcfa4ce637608

            SHA1

            e045662d7872a02d2214a8b2891d9c4c32eff723

            SHA256

            d8ce10cda3f7e79d469bccc325ae49d57739f166f66bee20892e395252b77fe5

            SHA512

            1d3f6fbda00044e1ac87dcf1891dc5d5fa4faf224a916db77089ae8a09c2770a5ffb52edab71edb9d8185386c1aaa560ebbf9b0507f4e3eb8062da2d261364df

            Download Submit

          • \Windows\Resources\spoolsv.exe
            Filesize

            206KB

            MD5

            43b7064e78c94bc0d826388e47299d29

            SHA1

            a2e19a701be08ac8ba5ca6dce8eadfe012cbbc9d

            SHA256

            92c232edd9b9ee6348ba623a8f83df2d2c38083e8814c43c9c7640db1e963f2b

            SHA512

            c9cb75e5c8de7462c5ec4f5923d9f3b4c9a9f86618a5cffdc6350f25043d600ae27df92124823671f6747ec85b0914092563e8ac056f6c7b676b8fdd7ccdb686

            Download Submit

          • \Windows\Resources\svchost.exe
            Filesize

            206KB

            MD5

            a6a32ae6e5fed1365f261446dbfaa405

            SHA1

            d719920d6fbbdd2031225d85b2e8ea3c3553e5ad

            SHA256

            b127e2d24215857a8bce01619e796ee9711dd650969768c975b29dd1c24ca163

            SHA512

            925e544fe1295eaef32f9b53059725c62dbd8df82a725ca38247c88087bd856a875bd1129000fd78a17e9bb662d1460e355149b03e726087b60251b730e54e7f

            Download Submit

          • memory/1700-56-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/2140-54-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/2140-40-0x0000000000290000-0x00000000002BF000-memory.dmp

            Filesize

            188KB

            Download

          • memory/2396-13-0x00000000023A0000-0x00000000023CF000-memory.dmp

            Filesize

            188KB

            Download

          • memory/2396-0-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/2396-55-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/2396-14-0x00000000023A0000-0x00000000023CF000-memory.dmp

            Filesize

            188KB

            Download

          • memory/2700-49-0x0000000000430000-0x000000000045F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/2700-57-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/2864-53-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download