Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 04:32

General

  • Target

    42417bf0010fab89e267e605100768839e36d37f9b318136b36fd4efa0c95729N.exe

  • Size

    135KB

  • MD5

    95b707a7f19c982836eb0e7f2d10a760

  • SHA1

    ae486af3b37886b89b3fbc12c792eb2b20409c2a

  • SHA256

    42417bf0010fab89e267e605100768839e36d37f9b318136b36fd4efa0c95729

  • SHA512

    ae07467d8e2c2b93eaf402eee33678f7625b474ea3e73e2f7054c4c007184bdcca457d7ca2e2c4f19ede51de220f39d554298c408e6845ee93e885cb536860aa

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVIm:UVqoCl/YgjxEufVU0TbTyDDal+m

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42417bf0010fab89e267e605100768839e36d37f9b318136b36fd4efa0c95729N.exe
    "C:\Users\Admin\AppData\Local\Temp\42417bf0010fab89e267e605100768839e36d37f9b318136b36fd4efa0c95729N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3224
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1236
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2408
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4408
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1984

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    14f328b6da96f7f56b0ea58e05948f5a

    SHA1

    f451b96450351beb5d204f08f3379c9cde282877

    SHA256

    65d50b17cb8a9f29270780787090754bc204603c07da00817ce5e6561bc1efd9

    SHA512

    550d48b5e15b926c3eaa645fcd10842d628d0ecb12333a30f2a04c78d60b6da81639fa46186ea5dae081a60cc3b9f3180af086367ac100f81db0f8e0a5fd5308

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    713da76a497692f8241f34735d51d83b

    SHA1

    5000d69622243ad5c34c0112e3fb75ed7a5e828b

    SHA256

    06500c6bba8edbb6e8aa6372cb3c0181283c84bb238ff9ab92f5658aaded272f

    SHA512

    ecbe6c022ca27cf877f48674719cfc10e8246e1afb5d0a872216e1ac19bfc461c9fee61add6244521f03cc122a5b6c32e399210d1db92fb6a1a70fd5c65dcad1

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    f59373b747af6061b16df6c25b3611bb

    SHA1

    d2c8d5fd53d80fabd2f403c84e74ccfa81933329

    SHA256

    43e7d982be9187c43b8e615e67c0d774bc251dfb0f99bc4ab836a9b6f6344410

    SHA512

    af493b9ef7d3f756c0c0e73d8994ed028f93b7623ebc64b9f402c27b0bf5ce2dcc5dccd791e091aff17df63730abfbe6e838c4a9d1f80dc2ddab32280aa6a478

  • memory/1236-35-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1984-32-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2408-33-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3224-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3224-34-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4408-36-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB