Analysis

  • max time kernel
    120s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-09-2024 00:58

General

  • Target

    983feeba8559708cdf24ccfe95e6b500N.exe

  • Size

    1.4MB

  • MD5

    983feeba8559708cdf24ccfe95e6b500

  • SHA1

    0284cd93330c39a56517c0524b58f99bae212e05

  • SHA256

    f2c407fd5807bfef519782f4a1ddb692e517253458038af8cb95afa1c9d12867

  • SHA512

    f69524363cd51da69ca2cc46f83b8cfb743aa3db1eff0041a0e3106ac2a1f40e7886a21813bb23f45fef46777c490dacfc20cce76ca6b76738786785045884a1

  • SSDEEP

    24576:cFOa8YUyYp231mT6lq7UM4nM2dNR0iTgk22FyDbJ7wDS+eUZ:smwmTSWUMIM2p0iTgkf4V7rUZ

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • r77

    r77 is an open-source, userland rootkit.

  • r77 rootkit payload 1 IoCs

    Detects the payload of the r77 rootkit.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\983feeba8559708cdf24ccfe95e6b500N.exe
    "C:\Users\Admin\AppData\Local\Temp\983feeba8559708cdf24ccfe95e6b500N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3056
    • \??\c:\users\admin\appdata\local\temp\983feeba8559708cdf24ccfe95e6b500n.exe 
      c:\users\admin\appdata\local\temp\983feeba8559708cdf24ccfe95e6b500n.exe 
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2796
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5096
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3284
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2684
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:348
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3556

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\983feeba8559708cdf24ccfe95e6b500n.exe 

    Filesize

    1.3MB

    MD5

    2619a95b7823ba7d7061723fb24899ff

    SHA1

    a0f8509a84b80e740e9010f2caebdb366d765026

    SHA256

    2f7d0647c2643ebed6a9c84b7bf5f22e8daf38f53376428c82993a2438abe4ec

    SHA512

    83c7f59860ea57379f6f114cfbc671f8a7d8d7495ab0c74d6cf0b73b4449c213305d19a9f6a68090774511254f1e314038fcc0c1a4f14427c1b258b282396fb6

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    3622ddde7c96b8117a84547fddd5032f

    SHA1

    a74fee6c50ddf71745f2b208e7c7db1ad66841ca

    SHA256

    1dd25d200de965098a7420078c7748d99397a104ad91ee763205eda6f5638fb4

    SHA512

    940bfe09e17d6612652e03a5881dc961a42ef14e9039dc12626265ffa6a21f2fc16851f776da04d83085aa045c59cd24c8dfec44ae14b6e45e6498ab00912f45

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    eb26863ba35c122485365deb42a871d7

    SHA1

    a60c83d2744059df05d8706c55a10e09861357ce

    SHA256

    8df9bfbe2e8c53f196fdb0d9a43d117a54a89a6d3dffb41140973fe78e8b8bee

    SHA512

    c872c1bde7408cfe2f8e3f80a173a1d0a74fbb1a2de81d889b354fc7f06cb129d92a0087c415e94f1621324f2d5795a15adfcc02e1244200e0dd5d20aba7781d

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    7cdbd6eab4c515a5741f0eb1bd4279d9

    SHA1

    1b755d0807a5d2f04325000b23083011d7abd811

    SHA256

    93b37b86ed6249418d0ddd256ec2d0648ef30a8b7ad2c5b9dbe2eaa76a4a12ce

    SHA512

    b31e2e7b097b59438478c49467444fcb73c30df61c066bdd050b9d801399bbfa3ecc01293bcd9486e80ca915c825ed23fe23ff2303aaa3a2b6f0fae250a9c9b7

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    27e57f9dda22ef60cb121d57aa5a32ec

    SHA1

    7b4203a88a9eceb22412e7844f8e7e16372bd8fe

    SHA256

    390030cc666f7026fd31e3dccf7aa4e8add46630a16d6f363bf0b915eab2c11b

    SHA512

    d03f7e9b85ee21ef2e14c4bc1b76c5e6dd106213e9b1655b1e51a102bbda866157584ac0ba133c2d3489f6860c2c4d18047218080dabbdd21c5da98523a0f9ba

  • memory/348-42-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/348-66-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2684-52-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2796-62-0x00007FFE4FF50000-0x00007FFE50A11000-memory.dmp

    Filesize

    10.8MB

  • memory/2796-13-0x00007FFE4FF50000-0x00007FFE50A11000-memory.dmp

    Filesize

    10.8MB

  • memory/2796-10-0x000002D78A4D0000-0x000002D78A502000-memory.dmp

    Filesize

    200KB

  • memory/2796-9-0x00007FFE4FF53000-0x00007FFE4FF55000-memory.dmp

    Filesize

    8KB

  • memory/2796-64-0x00007FFE4FF50000-0x00007FFE50A11000-memory.dmp

    Filesize

    10.8MB

  • memory/2796-63-0x00007FFE4FF50000-0x00007FFE50A11000-memory.dmp

    Filesize

    10.8MB

  • memory/3056-54-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3056-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3284-65-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3556-51-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3556-48-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/5096-15-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/5096-53-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB