Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2024, 01:56

General

  • Target

    8650cbd4525ed7ccf59b5bb25144f2b14488f1679276327bbe8a6f86c4db66acN.exe

  • Size

    206KB

  • MD5

    818e5d2451bdfd77f1fe4f9eb1c3e7f0

  • SHA1

    c39293cf3a97a17bfe652914f1ef203e0a3d7d5c

  • SHA256

    8650cbd4525ed7ccf59b5bb25144f2b14488f1679276327bbe8a6f86c4db66ac

  • SHA512

    d36d163726b7bbdd9ca4519418e3f0a1ecd500eceae714b3722d6954781da31134c80a074b7caa252939232928b24f1fb8e6d66625f51e91d3d20ca429905423

  • SSDEEP

    1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdN:/VqoCl/YgjxEufVU0TbTyDDalbN

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8650cbd4525ed7ccf59b5bb25144f2b14488f1679276327bbe8a6f86c4db66acN.exe
    "C:\Users\Admin\AppData\Local\Temp\8650cbd4525ed7ccf59b5bb25144f2b14488f1679276327bbe8a6f86c4db66acN.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:516
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:672
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3980
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3356
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2440
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4100,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4616 /prefetch:8
    1⤵
      PID:3116

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      206KB

      MD5

      77d1324810b4168ec2c6333baeefea82

      SHA1

      921e89f111513ff78cc6b9bb4e40d4d41a5fa2a8

      SHA256

      c93165145c8fd77b5a6e58dd1232cb62ec7840601e9e049e5ef82661d301bfac

      SHA512

      0f27f0634a4d4cbeb83c02d1e064e32b6057d036c111f93641f0c265985f55ad38977c48cdcbc279951449d43c7c7ddc58e8dbee02cd82980ebd3994791f0196

    • C:\Windows\Resources\spoolsv.exe

      Filesize

      206KB

      MD5

      78711eb7a0ed7803e53b4f0f09677051

      SHA1

      a97f0699b4f5b09d339a37e9d890b8e0a37f5231

      SHA256

      ea10afb7b0afbc12f5da2f185b14b1f31233f36b7ed0c54b00510fdd9b997783

      SHA512

      b17f7f48294e10dd50e138d7db7a43f97d12e18a5572e8b41b4f59624131c5f1cf908a44830290697c285fe654c8d5a6d013534516aac235ae86c4e53243f4a2

    • C:\Windows\Resources\svchost.exe

      Filesize

      206KB

      MD5

      0e1a23075e2b2e23a48ce817bb88d635

      SHA1

      f91d72771c77f9774c3dfebe5d6b911129a2f8d5

      SHA256

      c9696eaa22c47c1337cd1b151901b5b6311d56468082a55afa76e35f938c7e9d

      SHA512

      1d80b029517d069eb21173c2c8b17edd75e83d7f835c5d57c7ef5063bcd0e091d4d04a4ea4fac4639d9568a098c7d63adf1f05c54c871cda2256477b4b304bf0

    • memory/516-0-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/516-34-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/672-35-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2440-32-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/3356-36-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/3980-33-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB
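
Triage logic for the behaviours this report records, as an added example that is not part of the sandbox report or of the sample. It flags processes whose image carries a system-binary name (explorer.exe, spoolsv.exe, svchost.exe) but runs from C:\Windows\Resources instead of the genuine location, a masqueraded image whose parent ran from a user Temp directory (the chain above starts from C:\Users\Admin\AppData\Local\Temp), the SE and PR arguments passed to the dropped spoolsv.exe, file hashes matching the three dropped copies listed under Downloads, and Run-key and Explorer hidden-file values. The paths and SHA-256 values are copied from the report and the expected directories are the standard Windows 10 x64 locations; the Sysmon-style events, the file inventory and the registry values are constructed samples, and the assumption that the Run entry points at a dropped copy and that the visibility change is Hidden=2 / ShowSuperHidden=0 is the example's own, since the report names neither the Run value nor the Explorer values that were changed.

```python
"""Offline triage of the behaviours recorded above. Added example, not part
of the report or the sample. Dropped paths and SHA-256 values are copied from
the Downloads section; expected directories are standard Windows 10 x64
locations. The events, inventory and registry values are constructed samples,
and the Run-key / Explorer-value shapes are assumptions, not report facts."""
import ntpath

def _norm(path):
    """Case-fold a Windows path and drop quotes a command line may carry."""
    return path.strip().strip('"').replace("/", "\\").lower()

# Dropped copies and their SHA-256 hashes (Downloads section of the report).
DROPPED_SHA256 = {
    _norm(r"C:\Windows\Resources\Themes\explorer.exe"):
        "c93165145c8fd77b5a6e58dd1232cb62ec7840601e9e049e5ef82661d301bfac",
    _norm(r"C:\Windows\Resources\spoolsv.exe"):
        "ea10afb7b0afbc12f5da2f185b14b1f31233f36b7ed0c54b00510fdd9b997783",
    _norm(r"C:\Windows\Resources\svchost.exe"):
        "c9696eaa22c47c1337cd1b151901b5b6311d56468082a55afa76e35f938c7e9d",
}
# Directories the genuine binaries of these names run from.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

def is_masquerading(image):
    """A system-binary name launched from a directory it never lives in."""
    directory, name = ntpath.split(_norm(image))
    return name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]

def check_process_events(events):
    """events: Sysmon-style dicts with Image, CommandLine, ParentImage. Flags
    masqueraded images, masqueraded images whose parent ran from a user Temp
    directory, and the SE / PR arguments passed to the dropped spoolsv.exe."""
    findings = []
    for ev in events:
        image = _norm(ev["Image"])
        if is_masquerading(image):
            findings.append(("masquerade", image))
            if "\\appdata\\local\\temp\\" in _norm(ev["ParentImage"]):
                findings.append(("spawned_from_temp", image))
        cmd = ev["CommandLine"]
        idx = cmd.lower().find(".exe")          # argument tail follows the image
        args = cmd[idx + 4:].strip(' "').split() if idx >= 0 else []
        if ntpath.basename(image) == "spoolsv.exe" and args in (["SE"], ["PR"]):
            findings.append(("spoolsv_arg", args[0]))
    return findings

def check_file_hashes(inventory):
    """inventory: {path: sha256 hex}, as Get-FileHash reports it. A hash that
    differs at a dropped path clears nothing: the three copies in the report
    already differ from one another, so the path alone is reported too."""
    exact, same_path = [], []
    for path, digest in inventory.items():
        p = _norm(path)
        if p in DROPPED_SHA256:
            (exact if DROPPED_SHA256[p] == digest.lower() else same_path).append(p)
    return {"hash_match": sorted(exact), "path_only": sorted(same_path)}

def check_registry(run_values, explorer_advanced):
    r"""run_values: {name: command} from ...\CurrentVersion\Run;
    explorer_advanced: {value: data} from ...\Explorer\Advanced. Assumed: the
    Run entry launches a dropped copy, and the visibility change is Hidden=2
    and/or ShowSuperHidden=0, the values that hide hidden and protected files."""
    findings = [("run_key", name) for name, command in run_values.items()
                if any(p in _norm(command) for p in DROPPED_SHA256)]
    if explorer_advanced.get("Hidden") == 2:
        findings.append(("explorer_hidden", "Hidden=2"))
    if explorer_advanced.get("ShowSuperHidden") == 0:
        findings.append(("explorer_hidden", "ShowSuperHidden=0"))
    return findings

# Constructed sample input shaped like the report's process tree and hashes.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\8650cbd4525ed7ccf59b5bb25144f2b14488f1679276327bbe8a6f86c4db66acN.exe"
SAMPLE_EVENTS = [
    {"Image": DROPPER, "CommandLine": f'"{DROPPER}"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"c:\windows\resources\themes\explorer.exe",
     "CommandLine": r"c:\windows\resources\themes\explorer.exe", "ParentImage": DROPPER},
    {"Image": r"c:\windows\resources\spoolsv.exe", "CommandLine": r"c:\windows\resources\spoolsv.exe SE",
     "ParentImage": r"c:\windows\resources\themes\explorer.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},   # genuine, must not fire
]
SAMPLE_INVENTORY = {  # upper-case digests, as Get-FileHash prints them
    r"C:\Windows\Resources\Themes\explorer.exe": "C93165145C8FD77B5A6E58DD1232CB62EC7840601E9E049E5EF82661D301BFAC",
    r"C:\Windows\Resources\svchost.exe": "00" * 32,  # constructed: same path, another build
    r"C:\Windows\explorer.exe": "11" * 32,           # constructed: the genuine binary
}
SAMPLE_RUN = {"OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
              "explorer": r"c:\windows\resources\themes\explorer.exe"}  # value name constructed
SAMPLE_ADVANCED = {"Hidden": 2, "ShowSuperHidden": 0}

def triage():
    """Run the three checks over the constructed samples."""
    return {"processes": check_process_events(SAMPLE_EVENTS),
            "files": check_file_hashes(SAMPLE_INVENTORY),
            "registry": check_registry(SAMPLE_RUN, SAMPLE_ADVANCED)}
```

The three dropped copies are all 206KB yet carry different MD5/SHA1/SHA256 values, so a hunt keyed on hash alone will miss copies written on other hosts; the path and name checks are the durable part, and the hashes serve as confirmation when they do match. The same holds for the memory entries above, which show one 0x400000-0x42F000 region of 188KB in every one of the five processes.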