Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-10-2024 16:39

General

  • Target

    41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe

  • Size

    398KB

  • MD5

    7adcc540704242a9785bacd4ee5d51f0

  • SHA1

    79db8040b844aa2c59a8941c6493424bfcb20399

  • SHA256

    41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380

  • SHA512

    6f609e4246e8c26b31b5de3b1575952724f7a8b6f7eacb610fea5c66d288cec511ab70c20bc50c268db163b1b7159694907f3356b38e04ee23b20d9874f9074f

  • SSDEEP

    6144:gDCwfG1bnxLERR9sadDCwfG1bnxLERR9saco:g72bntEL9/d72bntEL9/co

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe
    "C:\Users\Admin\AppData\Local\Temp\41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Impair Defenses: Safe Mode Boot
      • System Location Discovery: System Language Discovery
      • Modifies registry key
      PID:1860
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2572
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2620
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2044
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2476
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2996
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:468
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Users\Admin\AppData\Local\Temp\avscan.exe
          C:\Users\Admin\AppData\Local\Temp\avscan.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2380
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c c:\windows\W_X_C.bat
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1736
          • C:\windows\hosts.exe
            C:\windows\hosts.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1720
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            5⤵
            • Adds policy Run key to start application
            • System Location Discovery: System Language Discovery
            PID:688
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2088
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1388
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2116
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    845KB

    MD5

    452ae15da0f98ed2e6149d354cd6a0bf

    SHA1

    b044da932a043b9535f1f8a0ffd04aab04a88517

    SHA256

    c545000e64a9f7ba3316c7970c59a69879dbfe1665257a539297e9869ff86d55

    SHA512

    2f13de51ac82a0a1bef407f6c49c1a717ab913fb728609be32b69567a0f3beafc8ab75bb5e6d6a3ecd66ef63faab50e6e815185202a806e88f0bac366242997f

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    1.2MB

    MD5

    f37728881b7c0c9a5eb1a429c7afb0a1

    SHA1

    81b2481c0944dc7fce0eb8dde376dcdc95fa752c

    SHA256

    3327772fce04b27cdfc1de7d37b7d8c00e99d028cc120f267d55425d124464da

    SHA512

    cce856aa804e07aa4940105bb6d0d549121db5ce0d49df573747843cef842c18cf6c61140c2b9c42172d2be8601c238cf310d0b5d2595dfb7ca61f468163cd0b

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    1.6MB

    MD5

    609ed262706d1fe7869546f1b2d86620

    SHA1

    5d4ca4a4f28b82f111c79360c38c04861f0df370

    SHA256

    1a6035a419c1340d4177e776aa92c31c31232e5ad25ce99276e3ad575f11b1c2

    SHA512

    bafcced5ffad3beb96170f7bccc7a4780bcfde2df6a24b6d618af02ec63220f73ffffc1cf12cb9cbba606b308e7e841fd1e0ab1c11e13960bc65fcb50f59a1a3

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    2.0MB

    MD5

    48065a8c7ba39095320c39bb1f1cd424

    SHA1

    6aed24489569aa4e4205f0e707699ce5398d8e87

    SHA256

    9b26d1d5aef59d1830357347c85b9aacd729d3f1fa52b89fbc804ddedea96bd0

    SHA512

    48ae0f3b562eba9e624d32258d859268b17e7ca33bde38ce2d09dc883a74b345c0d5bb8f617d819d80b4fa44f3760d48f052d0d1a31f39238a16ba2ed59b3333

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    2.4MB

    MD5

    48b00b648d08c1fec45e097b5d30c327

    SHA1

    cbba5087455580ac3647c2f348b8a071e19059ab

    SHA256

    87269446d105eed1371afe3ec750ed8fd924057233c3dd0797f7d8c2de2943cc

    SHA512

    2bb3d7e05e3403500eda6aa019d53dd33bc2d1b84839c711d8f48eafd54d55d8bd08b2d07520f070b9cc53be7c5a80472bfa97361cf24d9a2da28be6c5bc7cf5

  • C:\Windows\W_X_C.vbs

    Filesize

    195B

    MD5

    71afe05995ab9855480e1b5b0cbd516f

    SHA1

    4c96a6537720ec4770ac3cd1e59a914f007fe3ba

    SHA256

    8bdfb6dfdb2722c9f23b40d28f507f897f113c3e74f032f2944580b771ae9640

    SHA512

    d5579eedf848f4d689394ead51a70e16db07241920eccbdc18b572ec46383eb7050ee06339cacf8113d59344e50aef0f202197517a03090cf70e2cbf30770ba6

  • C:\Windows\hosts.exe

    Filesize

    398KB

    MD5

    b0f5a3b6ba78c855668528d1ba1742a1

    SHA1

    d8a50d2557c67cb531c6abeb7a5da85b00571cf4

    SHA256

    d315d84f92e32b8be9947788acdf4209c3d79628415cc783c5306fea58b6b09e

    SHA512

    27291060cec588d42500630afadaa4774f8c8182b5396cb68514fe230d463c3e311ebea4b0d06e47e6facdf2aad6fc574cb4c4a954a3a2f950ba1f0759780ef6

  • \??\c:\windows\W_X_C.bat

    Filesize

    336B

    MD5

    4db9f8b6175722b62ececeeeba1ce307

    SHA1

    3b3ba8414706e72a6fa19e884a97b87609e11e47

    SHA256

    d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

    SHA512

    1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

  • \Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    398KB

    MD5

    75645ce6ca6f4a8cc147d3eff8f2ae23

    SHA1

    9ec6dd3ef3fce50871e9e95edcba2b13e5bb4a24

    SHA256

    9d72f8f6bad4d788d9c5c7e286cee0837dfa78ce16df1f59831e768b0bf1656a

    SHA512

    929ddc360943fa22a40e1e0c170e4ea532c61d3a0cbba66c630c714d07dc5165676b36d30f4475e1dd19cb2f52f5a9194896272b96acb63eac4e12031ae827e6

  • memory/2548-57-0x0000000002540000-0x0000000002640000-memory.dmp

    Filesize

    1024KB