Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/10/2024, 02:26

General

  • Target

    ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc.exe

  • Size

    233KB

  • MD5

    699ebda3389fde874bf062f761ac329e

  • SHA1

    c80d075ddf25e6bf749ccbeddfca943d721f6df3

  • SHA256

    ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc

  • SHA512

    ebac09d10e25ed9f91207c64906ed3e70ef6742dcb9fe6a5d72cb51c9ed60e5519e4440ab85fea002163560aac5c8f08586ac757e1da55b31a7dc13821db33d6

  • SSDEEP

    3072:5VqoCl/YgjxEufVU0TbTyDDal6z/dAMhdF2jBCmLdjaf3k6aaICeHE:5sLqdufVUNDaAz/LLvmpjE3EaICek

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc.exe
    "C:\Users\Admin\AppData\Local\Temp\ae8480b3d9ca1b8f3af9abcebbafd081ae53ab86fd50955a8ae43bc2b43bd0bc.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2360
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4860
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1988
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4900
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    234KB

    MD5

    c5b1c32a1357e3fd6ec5dc935b9466a1

    SHA1

    a5a4ea87b24ad3f0eb258449e10403e90da1d8b9

    SHA256

    21a6a6e6735494d9c2c7f366ec041f4834545b1b941db49720ef6d1bb165d3d8

    SHA512

    98e1be9c9e31983929ffed977e6522c1b0b499bd25ed6ba8028c0f2cc98fa1f059e2b413aa2f1a1f0ca2681dc5e93923bde809408bb3f58174e400ead51e1255

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    234KB

    MD5

    f7a06b7ac99c3f5a2b7d98d994d8acdf

    SHA1

    86815ffe6a9f851865297b6def5a9a380de01d87

    SHA256

    db3c174f41b2b3348ab68bb0003fcb25a742de8dde9aab37b7245ce8e88f8a07

    SHA512

    f8e809b709ba96995d54fcf474b14ed1518380ad7a65b998fd1c1ae8c9d7d1fb8b901c7979c3f818aa660ec2f8ecc14c3977278d7b50a0fe831636449f7802e7

  • C:\Windows\Resources\svchost.exe

    Filesize

    233KB

    MD5

    eafecc1164d871928c8aeaa59a3e5604

    SHA1

    fdc21a213e2522ef349ed861e2da7368f7ef6791

    SHA256

    4addf7f131fb1e8d557a357f7b9c3b9e9fc91b9322139070ab1f869702dc4bd8

    SHA512

    a2a42d470c49d90964e1f6bbe3a6bdda1cdf981f05c69b1547c9e659a1e37eb693b3b5d81ebb36b77f24f9f2ecdaf68701bab6604bd45fa12ac5aa4bd96b74dd

  • memory/1988-33-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2360-0-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2360-34-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/4856-32-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/4860-35-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/4900-36-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB