Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-10-2024 05:43

General

  • Target

    6449181764ab8b7abdd395d9c034f53adeb990080bb83b1a8cb90c36c21aed52N.exe

  • Size

    135KB

  • MD5

    9239e2832598e4ff002e71199f4bc4c0

  • SHA1

    0b7295fc847ea4892946ad062d287e1f36fdfc32

  • SHA256

    6449181764ab8b7abdd395d9c034f53adeb990080bb83b1a8cb90c36c21aed52

  • SHA512

    a0e4f26bc76129b7ed315976137a2a31ae85e51950d02b28f316baf554b7aa5e723dbeccf0df1ba5d284ec24bb42c0f0929768a8a7a18b8c322e95462c8b2027

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVZDqIH:UVqoCl/YgjxEufVU0TbTyDDalPDfH

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6449181764ab8b7abdd395d9c034f53adeb990080bb83b1a8cb90c36c21aed52N.exe
    "C:\Users\Admin\AppData\Local\Temp\6449181764ab8b7abdd395d9c034f53adeb990080bb83b1a8cb90c36c21aed52N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3664
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5100
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2180
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4816
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4196

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    c2b83951fb0fedb2c6f93a4fe5fd94d7

    SHA1

    ecfbfb46a81dff5fd854cc4e0c79d7ae0900e885

    SHA256

    f966bc93745c9a1a4c8b4d8b8eb95efde6622a05f0bed97add71699061691a56

    SHA512

    7039c5e454385156c67b9f6356700a1e3d3ab24196727de64ad0de5bfa28430f7f30f1ec6d3e04113fecd8ab75650b2196cb28e65a51767704ca219c79511f69

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    4c49f2935d53725485bd5acd0874552f

    SHA1

    249b9b472af39a27d7a2e08837c59613f32095da

    SHA256

    ffdee49608cd6838de06b56834852483fb6ae06c3e4b1d0564cf58f6c30acc69

    SHA512

    2697889fb220e30d957f7ab4ee83ce9c182b5597967b5f3dc5ec555461dc266da7533563f95daa6a4d75b4dd3ba76ef2a27d618d5636288903a307fb88be406c

  • \??\c:\windows\resources\themes\explorer.exe

    Filesize

    135KB

    MD5

    cf9e99e3fd15c4a51391f8ceb8f91379

    SHA1

    027cae2925f8ac6df4a9b444ee53e3f229b08e96

    SHA256

    a336e6c15504c6834fbd90faf99f5f906a8912b31fc0a3e365cfc04b9fc924ff

    SHA512

    ced82ef9bdba16a0a27b0dd6c8f2d97a989a6803e45db5a02353248d39d72bb8c4d7b3b8b2daf42c1f1a3a2986a595aad173808536777fd041ed1c288a609bfe

  • memory/2180-33-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3664-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3664-34-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4196-32-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4816-36-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/5100-35-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB