Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    20-09-2024 23:11

General

  • Target

    cf89b31ff72eb94c6ba24a05cf493e19e2b9419158fde8fb3bf1485a1012ea12N.exe

  • Size

    135KB

  • MD5

    aacf18b8d8a225aee92342e4639c3e40

  • SHA1

    882ae2e6cb61d925cf6b9cecd767ce6e4e30409d

  • SHA256

    cf89b31ff72eb94c6ba24a05cf493e19e2b9419158fde8fb3bf1485a1012ea12

  • SHA512

    71faf74fffe6d6feca7ea532df586239ec942e9744c87b0435aa6d5814a684be4e171673016feaa8d4bdf810f139f1f8a3a2678c5f87f68ef35a7067e178ae92

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbViEEEEEEEEEEEEEX:UVqoCl/YgjxEufVU0TbTyDDalBH

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf89b31ff72eb94c6ba24a05cf493e19e2b9419158fde8fb3bf1485a1012ea12N.exe
    "C:\Users\Admin\AppData\Local\Temp\cf89b31ff72eb94c6ba24a05cf493e19e2b9419158fde8fb3bf1485a1012ea12N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2992
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1988
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3464
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:940
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:988
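
The process tree above shows copies of explorer.exe, spoolsv.exe and svchost.exe executing from C:\Windows\Resources\ and C:\Windows\Resources\Themes\, directories where no legitimate copy of those binaries lives. The script below is an added triage example, not part of the Triage report or the sample; it walks live processes with Win32_Process and flags any that run from Windows\Resources or that carry one of those three names outside its expected home. The expected paths (C:\Windows\explorer.exe, C:\Windows\System32\spoolsv.exe, C:\Windows\System32\svchost.exe) are this example's assumption about a stock Windows 10 install, and the parent-chain walk is reconstructed from ParentProcessId, which can be stale if the parent has exited and its PID was reused.

```powershell
# Added example (not from the Triage report): spot processes running from
# C:\Windows\Resources\, where this sample plants its explorer.exe,
# spoolsv.exe and svchost.exe copies. Expected legitimate paths are an
# assumption about a stock Windows 10 system.
$SuspectDir = Join-Path $env:SystemRoot 'Resources'
$ExpectedHome = @{
    'explorer.exe' = Join-Path $env:SystemRoot 'explorer.exe'
    'spoolsv.exe'  = Join-Path $env:SystemRoot 'System32\spoolsv.exe'
    'svchost.exe'  = Join-Path $env:SystemRoot 'System32\svchost.exe'
}

# Snapshot all processes once so parent lookups come from one consistent view.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-ParentChain {
    param([int]$ProcessId, [int]$MaxDepth = 8)
    # Walk ParentProcessId upward; stop on a missing parent or a PID cycle.
    $chain = New-Object System.Collections.Generic.List[string]
    $seen = @{}
    $cur = $byPid[$ProcessId]
    while ($cur -and -not $seen.ContainsKey([int]$cur.ProcessId) -and $chain.Count -lt $MaxDepth) {
        $seen[[int]$cur.ProcessId] = $true
        $chain.Add(('{0}({1})' -f $cur.Name, $cur.ProcessId))
        $cur = $byPid[[int]$cur.ParentProcessId]
    }
    return ($chain -join ' <- ')
}

$hits = foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if (-not $path) { continue }   # protected/elevated processes expose no path to a non-admin caller
    $name = $p.Name.ToLower()

    $underResources = $path.StartsWith($SuspectDir, [StringComparison]::OrdinalIgnoreCase)
    $expected = $ExpectedHome[$name]
    $wrongHome = $expected -and -not $path.Equals($expected, [StringComparison]::OrdinalIgnoreCase)

    if ($underResources -or $wrongHome) {
        $reason = if ($underResources) { 'runs from Windows\Resources' } else { 'system binary name outside its expected path' }
        [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            Path        = $path
            CommandLine = $p.CommandLine
            ParentChain = Get-ParentChain -ProcessId $p.ProcessId
            Reason      = $reason
        }
    }
}

if ($hits) { $hits | Format-List } else { 'No processes running from Windows\Resources or masquerading as explorer/spoolsv/svchost.' }
```

Run it in an elevated PowerShell session if you want ExecutablePath for processes owned by other users; unelevated, those entries come back empty and are skipped rather than misreported as clean. A hit whose ParentChain shows one Windows\Resources binary spawning another matches the nesting seen in this report.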

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    7c88d2b93008570eaa35d50dea576e77

    SHA1

    837b34674b1cf40a7d6c383196a028823dc2dda9

    SHA256

    ff6efc009a4ff06871f8aac983b5a5e38a2f88bc4c2b4ac7e48052d208e7eb10

    SHA512

    279b65f24a489cf3f0e81f156c73ca6637adabcf8893e4b10a390b1ca40b4899b3597a40fdd91f868f4124b161939a293a6d2a73a509f316f0a970f971ddc2da

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    0edf3b58ea2bbe4c677fa1498b7bd72f

    SHA1

    51da37dc8e9f5503f6046f759f0faf94b747a99a

    SHA256

    96bf121088c200b838043040d179123b8bae8fe3dba0cb045021eeacae510c41

    SHA512

    cdd088e99e0905974595f0bf7a97ab0b00c6b0092775c76ac0f57c46c447d8ff74e5c7b314c4457ac982f370ff3bdc9a2e5ed2eb760088634c6ed1e5d4edaf0a

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    6d27a64ed69fe8aaffed4a0d093e85b5

    SHA1

    9329995ebd49cdcacfa35759af01cc7a6f761312

    SHA256

    98dc95721702fb331259e5e79c0ecd83ae9f089aff88db05ca9ed7db3a2b84f6

    SHA512

    a2d8172203585b7b271fbbf34f68c09bcdc2d400c78a580f2842970ce3c16893a7c472a57618a1f2cd9839857430a1330c19f07a271ad11b8557f98711a4f21d

  • memory/940-36-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/988-32-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1988-35-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2992-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2992-34-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3464-33-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB
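
The Downloads section gives the on-disk paths and hashes of the three dropped binaries, and the Signatures section records a Run key addition and a change to Explorer's hidden/system file visibility. The script below is an added host-check example, not part of the Triage report; it compares each listed path against the report's SHA256, then sweeps the standard Run keys for values pointing at Windows\Resources and reads Explorer's Hidden and ShowSuperHidden settings. The report does not name the Run value or the exact Explorer values the sample touches, so those two checks are this example's assumptions (the Run-key sweep keys on the drop directory, and the Explorer check reports the usual toggles, whose stock Windows 10 defaults are Hidden=2 and ShowSuperHidden=0).

```powershell
# Added example (not from the Triage report): check a host for the artifacts
# this report lists. SHA256 values are copied from the Downloads section.
# Run-key value name and the Explorer values modified are NOT in the report;
# the checks for those are assumptions noted inline.
$Dropped = @{
    'C:\Windows\Resources\Themes\explorer.exe' = 'ff6efc009a4ff06871f8aac983b5a5e38a2f88bc4c2b4ac7e48052d208e7eb10'
    'C:\Windows\Resources\spoolsv.exe'         = '96bf121088c200b838043040d179123b8bae8fe3dba0cb045021eeacae510c41'
    'C:\Windows\Resources\svchost.exe'         = '98dc95721702fb331259e5e79c0ecd83ae9f089aff88db05ca9ed7db3a2b84f6'
}
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = @()

# 1. Dropped files: presence alone is a finding; a hash match ties it to this sample.
foreach ($path in $Dropped.Keys) {
    if (Test-Path -LiteralPath $path) {
        $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $match = if ($sha -eq $Dropped[$path]) { 'hash matches report' } else { "present, different hash ($sha)" }
        $findings += [pscustomobject]@{ Check = 'dropped file'; Detail = $path; Match = $match }
    }
}

# 2. Run keys: any value whose data references Windows\Resources.
#    (Assumption: the report only says a Run key was added, not which value name.)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -in $ProviderProps) { continue }   # skip provider metadata
        $data = [string]$prop.Value
        if ($data -match '(?i)\\windows\\resources\\') {
            $findings += [pscustomobject]@{ Check = 'run key'; Detail = "$key\$($prop.Name)"; Match = $data }
        }
    }
}

# 3. Explorer hidden/system file visibility.
#    (Assumption: Hidden and ShowSuperHidden are the values touched; stock
#    Windows 10 defaults are Hidden=2 (do not show) and ShowSuperHidden=0.)
if (Test-Path $Advanced) {
    $adv = Get-ItemProperty -Path $Advanced
    foreach ($v in 'Hidden', 'ShowSuperHidden') {
        if ($null -ne $adv.$v) {
            $findings += [pscustomobject]@{ Check = 'explorer setting'; Detail = $v; Match = $adv.$v }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No artifacts from this report found.' }
```

A present file with a different hash is still worth pulling: the three dropped copies in this report share one size (135KB) but carry different hashes, so a rebuilt or re-infected host may hold variants that the listed SHA256 values will not match.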