Overview

overview

10

Static

static

3

cf89b31ff7...2N.exe

windows7-x64

10

cf89b31ff7...2N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2024 23:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf89b31ff72eb94c6ba24a05cf493e19e2b9419158fde8fb3bf1485a1012ea12N.exe

  • Size

    135KB

  • MD5

    aacf18b8d8a225aee92342e4639c3e40

  • SHA1

    882ae2e6cb61d925cf6b9cecd767ce6e4e30409d

  • SHA256

    cf89b31ff72eb94c6ba24a05cf493e19e2b9419158fde8fb3bf1485a1012ea12

  • SHA512

    71faf74fffe6d6feca7ea532df586239ec942e9744c87b0435aa6d5814a684be4e171673016feaa8d4bdf810f139f1f8a3a2678c5f87f68ef35a7067e178ae92

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbViEEEEEEEEEEEEEX:UVqoCl/YgjxEufVU0TbTyDDalBH

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf89b31ff72eb94c6ba24a05cf493e19e2b9419158fde8fb3bf1485a1012ea12N.exe
    "C:\Users\Admin\AppData\Local\Temp\cf89b31ff72eb94c6ba24a05cf493e19e2b9419158fde8fb3bf1485a1012ea12N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2180
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2300
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2616
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2544
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2700
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:13 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2416
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:14 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1720
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2556

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      2da2642cf44e4116f0e04d952e6d58ec

      SHA1

      aa374d9cdbcbe7b7b844d62382e8ece5e86005df

      SHA256

      eb28b02e7e28663aab0e6a4f34ed553e837acc92b15bd0d55fc903718dd3c72b

      SHA512

      40fc50ddfa4ff15f8870a588d0c472915e9cf2d6d831acdda63e0cbf6a03a170306bf42b4e23ff85b71d8ca355cc45744a7ac733a284315d843f575a77b7c6f7

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      e39196a1ebe2b4b10a6fea9b3170a73b

      SHA1

      50c4fd02134bb42cf01ebb7e1f19e306bbce4334

      SHA256

      a7890a08263026c1ca3338e518034076f888aa11542135027b6d6166c76f6c90

      SHA512

      dd9d81a644127bc65f000fe4d052231b5286354bedc5834dd649f7d379452d84a7532495c3bd22c1727e982d57cc336469d0ef4adb2444dd6977eb170e06bd4d

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      135KB

      MD5

      d773c025358184b31d8afe849e4912e3

      SHA1

      46d59d153fc8572138ae51cdd5280f7a012da5e2

      SHA256

      331d702cca2717a3b0d75ad96198c4d2886faf42efee36ffdb1e8c55a60d134d

      SHA512

      a20b69b53b661da1ac296e803251be479c3645e0b6694958bdb08fcc67d5e203baedfabb17eb57fe7710ec7f14315175ef3100a41b3984e49ea96c49c04cd107

      Download Submit

    • memory/2180-8-0x00000000005E0000-0x00000000005FF000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2180-44-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2180-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2300-45-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2544-37-0x0000000000270000-0x000000000028F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2544-47-0x0000000000270000-0x000000000028F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2544-46-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2616-23-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2616-43-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2700-42-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download