Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-09-2024 03:26

General

  • Target

    b5b4eeb48afcdafa22ee0f22a09407c49d0b36b4ec3787e7a5089a0297e7ccddN.exe

  • Size

    135KB

  • MD5

    a014cfc4caa0ea34943e3f257e4d84b0

  • SHA1

    c08640c3f3ba0f4feae91edef3225807578f4aca

  • SHA256

    b5b4eeb48afcdafa22ee0f22a09407c49d0b36b4ec3787e7a5089a0297e7ccdd

  • SHA512

    8102ef018133ffbef1e033eef87e4887cdd619c81296ef7773f5ccaf742c10581f87ec626f0a9f7ada7331d62afae6bdd88acfba4f2bac2bc29b578b0b94bf90

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVdS2:UVqoCl/YgjxEufVU0TbTyDDalrS2

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5b4eeb48afcdafa22ee0f22a09407c49d0b36b4ec3787e7a5089a0297e7ccddN.exe
    "C:\Users\Admin\AppData\Local\Temp\b5b4eeb48afcdafa22ee0f22a09407c49d0b36b4ec3787e7a5089a0297e7ccddN.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2060
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2956
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:972
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2024
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2680
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8
    1⤵
      PID:2892

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      135KB

      MD5

      b08fc2692f5beb825346f9e09d089f1c

      SHA1

      02e5455e0a1063363a08056df5963e66f692e8f1

      SHA256

      95a8b3ec3bec50ae08c7c0dcd2f5d294a4748aaeeb3e9f8139c7fd7a40192beb

      SHA512

      7103efdf95af4ece109ceb2ad7af0e2e908ae13b6dbf39078383259eb586cc28e0eb9db76b306911b9907041072c4f739c638e85be069f0306328f7b53944fe3

    • C:\Windows\Resources\spoolsv.exe

      Filesize

      135KB

      MD5

      566d96667b786163089e663232bebab4

      SHA1

      d29e9ff8b65fd577e682b026fd48b73694e9d229

      SHA256

      20ec875f81f6a85e550063bd02c7bb450293c928f7364af04fe46e2227dc5b39

      SHA512

      c6ec591f01fd762b88a427dce5899b6726970719995dca1cb2ce7fdaf9f789dc765c3fd6850a8ac7e002dcf5a1ebb1d464819bf3356eb271be16ba07a800d550

    • C:\Windows\Resources\svchost.exe

      Filesize

      135KB

      MD5

      e6a474d34285677147ec48e40f3cc697

      SHA1

      3d7b12f27ae58917e196f2d95dd3214821e761a9

      SHA256

      4a2e1ffe6f7a417561e2edcf8c4d44a1f57be38bae263f1795c88950e12facba

      SHA512

      fe0d8bb51444148a4afd51fb46e97db4e81c0cf1a78e4b787dc3c441e132ad32f83e762ec2bac50a7b14c5713c298bc4b82dc56837bf826e8a97e8b6a019ad58

    • memory/972-33-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2024-36-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2060-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2060-34-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2680-32-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2956-35-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB