Analysis

  • max time kernel
    120s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-10-2024 02:25

General

  • Target

    21699db7cbd7023f9a73fb5457ce84f3a6e48e7cb4afc8f5ef5c53a30a30ab26N.exe

  • Size

    135KB

  • MD5

    34d8a514f9b1257a6c34487dc3592ce0

  • SHA1

    c7d1cbb4b024e6c900ed8bda23e03520e11134bb

  • SHA256

    21699db7cbd7023f9a73fb5457ce84f3a6e48e7cb4afc8f5ef5c53a30a30ab26

  • SHA512

    d21332a4257567998b8244a08e01347ac912332e71c9c45962f6cbab02aafb54f439c337c307f5a840c9d6d3bf5023f3b823a57c0d7f68b3f7c5275e894cf90f

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV+P:UVqoCl/YgjxEufVU0TbTyDDalgP

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21699db7cbd7023f9a73fb5457ce84f3a6e48e7cb4afc8f5ef5c53a30a30ab26N.exe
    "C:\Users\Admin\AppData\Local\Temp\21699db7cbd7023f9a73fb5457ce84f3a6e48e7cb4afc8f5ef5c53a30a30ab26N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3000
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1712
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1256
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:884
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2284

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    bc491c8f66134e0bc22e67a5964a5927

    SHA1

    5200e1c87b9b31e093bd9d282365dcadc986ec0b

    SHA256

    fa106368711ccb0c3a903bf0d6bdf287bac81e1e04c358f4802abad40c3110de

    SHA512

    a567e00ad63e756979318fbd343654c13b58b6aefbd2eff0ee07e4722a70f21243fc57069463e348b9a74c4a3ff764275a36ec259044dc912d70862eb8545165

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    f46ed9e1129f917beb9f2e582d6d26cd

    SHA1

    ddd88a259cb09443f46912ff39c8805626944f6e

    SHA256

    5f662aa20f424a56f35436c5c26fb5a864ea1b6e3f022580d2142aef816caeca

    SHA512

    67e0edfd6f402aaca66f142a71175963347f5c87cc3d8a11758732c99e743057334ae46691d6eb74c6a834718babb1e705802f44dd72ac9a672fc3cd12f9eef9

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    f0966ba5c3b5f812b0e4b05081b433cc

    SHA1

    e543029991b1583fa00337717585833a9cd8a456

    SHA256

    6e1a5429370d1c9f7270a3bb228ab40afaee85528d5c1003de6a04bc4114e1f7

    SHA512

    91844a3c9e37bc1b45fa1168209d48d5a34ddcbc129f5375bd86ce7148274c40c89878e60a90cb9ae6a698321ea789432c8164abaa6a1d29d6357559df3e056b

  • memory/884-36-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1256-32-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1712-35-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2284-33-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3000-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3000-34-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB