Overview

overview

10

Static

static

3

4687c842f4...70.exe

windows7-x64

10

4687c842f4...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2024, 21:19

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4687c842f485a6eef9a77c7327ccb21aaad63c1048d1406518e3d9aab06a9870.exe

  • Size

    135KB

  • MD5

    5b1d03fe0e6202f8fbf18e6a7457d4ae

  • SHA1

    d71b35f854f5b3dffaa87a97caf5f9fd9c28be25

  • SHA256

    4687c842f485a6eef9a77c7327ccb21aaad63c1048d1406518e3d9aab06a9870

  • SHA512

    7cdddb4a6d326d0d5bfcf3d014bf5d367be6208065f951e8e37e4392e41ce13d09f069e32b24caa9e9684f3f0d4d54c5d9cee5b585c77e919a0a7b54be809582

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVLXH/:UVqoCl/YgjxEufVU0TbTyDDal9XH/

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4687c842f485a6eef9a77c7327ccb21aaad63c1048d1406518e3d9aab06a9870.exe
    "C:\Users\Admin\AppData\Local\Temp\4687c842f485a6eef9a77c7327ccb21aaad63c1048d1406518e3d9aab06a9870.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1728
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3060
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2500
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2456
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2860
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:22 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2824
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:23 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2968
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:24 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1312
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2776

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\Resources\spoolsv.exe
            Filesize

            135KB

            MD5

            04a74b722688f3bd7d67bbc692e66757

            SHA1

            507bd1dd93f98e61d13b79307ba9c5954e5dbb88

            SHA256

            51d244523009a794649077ed358e125b81e6655ec3cc67173ceec9fb28643b63

            SHA512

            da8259aca7f1938c4746ae6b1591bf4bd5011f88e09e103fc48a11a247355a8da30be9c203a12dbb37925cab0e1caf203f8d536da92da8da4b3ff3f82846c4da

            Download Submit

          • C:\Windows\Resources\svchost.exe
            Filesize

            135KB

            MD5

            37753c985132d01c68671702cfc68bd9

            SHA1

            e95ef7ce9f47151bac11db269317f767eb555e0e

            SHA256

            0e3305742636558e15b8d2e6f9f375daecb99b20a50f0a7ff9d2d71b5e560980

            SHA512

            3d8b6e217088ebde69d92145357d8daded9260711c3814593667d77fa037439ca7825678e73562ce4d854c9a06ee4fb8bf6659ddf602092cc9f0138e0cc6ad82

            Download Submit

          • \Windows\Resources\Themes\explorer.exe
            Filesize

            135KB

            MD5

            29144a5eeeed234227093d7f4ce3826d

            SHA1

            f7f6b0abf0c0f59d69dad0cd8630bcb90c416a4d

            SHA256

            bd56071ed4533adddd75cea97ff1edca5719e26bcd04b4e06431968f0b5592c9

            SHA512

            cced0d4c38518f7b4a7674608569a8c2b87f28dae4b8fd4dd8fd89254848c4f4473afac310374ece91f263987e7aa1f175d7f416c606d3758d2d0ab174fcaac2

            Download Submit

          • memory/1728-0-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1728-10-0x00000000002B0000-0x00000000002CF000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1728-42-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2456-44-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2456-45-0x0000000000300000-0x000000000031F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2500-41-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/2860-40-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/3060-43-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download