Overview

overview

10

Static

static

3

218e9c4663...7N.exe

windows7-x64

10

218e9c4663...7N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2024, 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    218e9c466321330d999d754655dda79bcbbe9b87305f0dd8c413a7ff6dd491d7N.exe

  • Size

    135KB

  • MD5

    c12a5b6c82549a51a17d21721c8caf00

  • SHA1

    77541fff8d907ed504445b643308c09b93ee8e1c

  • SHA256

    218e9c466321330d999d754655dda79bcbbe9b87305f0dd8c413a7ff6dd491d7

  • SHA512

    0bc8e5b5dfa23d607d47017f2848bfedd8d84cece4a7c38f36565f1a39c480345ccb111f4b660d507ab94947f68b878abb0e8236c1248c9d60bd402b91908bd5

  • SSDEEP

    1536:XfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbgDWSGo:XVqoCl/YgjxEufVU0TbTyDDalno

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\218e9c466321330d999d754655dda79bcbbe9b87305f0dd8c413a7ff6dd491d7N.exe
    "C:\Users\Admin\AppData\Local\Temp\218e9c466321330d999d754655dda79bcbbe9b87305f0dd8c413a7ff6dd491d7N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1860
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2072
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2356
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2716
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2844
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:28 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2908
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:29 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2368
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:30 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1832
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2876

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      70ef57ac8b4e081abf5eed9e221798eb

      SHA1

      8d3e2d9976dcd10d2c64554c78310ed50904297f

      SHA256

      ae0f9c361d8e90a2f6255fdc3d7dee758641c7b049c6ef894542775c2813da40

      SHA512

      5f62bb5220ad98958c7a3467879dc4feb4f12d372abf1f018fc397b100837005d63768bc13b1afedcb48761c8098fc34bd3d7093186cd34461e36011176aeb7f

      Download Submit

    • \Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      d523257ff0980b58e40c6a299bf650f5

      SHA1

      2a34d5cabc74372ac459085d1534a1d003b9cd1d

      SHA256

      07e261b62bcc17f442b463e13d64fe6429a64e46b2b9de7f317c5506966356f5

      SHA512

      42777d057cf9e1cd64207156e23128464c4796e4a9b350078d84e533fc0f725934b0d63f4370ca7ca88ed1c82f72a936abcb1e919079e6756e193cc18690562a

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      135KB

      MD5

      fc567a556c99f95c9495c80c882ea18e

      SHA1

      cc28a4579d93d8f56e4db1ceb675cae658b187e8

      SHA256

      fdb2aeca7b672812e25edddc209fce2c3f5a61244f78908b618454157e4157c5

      SHA512

      57c48e98211bfb23446f5a68d636079f4fc684ab162d8779dc5bbdefc286361da151b52b02a941dcc6948fbfd39cb4b30d4e1bcde38161b10122a6d3ccc035dc

      Download Submit

    • memory/1860-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1860-9-0x0000000000320000-0x000000000033F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1860-42-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2072-43-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2356-29-0x00000000002D0000-0x00000000002EF000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2716-44-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2844-41-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download