Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/11/2024, 08:24

General

  • Target

    af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe

  • Size

    135KB

  • MD5

    9e744e9c8c56ca5749f11d3421172049

  • SHA1

    94368a884542dfd78c9d2802415ad94cfb083e8a

  • SHA256

    af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94

  • SHA512

    d628f6cad788ebe7e8960cfb4fc3be74870b90671bb486fed0aa098e815806ab2b6dd81e9998550eca95454b1e7c908bbfe77ba06bd7cde860d84777bfed9eb3

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVmY:UVqoCl/YgjxEufVU0TbTyDDalQY

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe
    "C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:448
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5060
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:228
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3808
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2016

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\Resources\Themes\explorer.exe

          Filesize

          135KB

          MD5

          0feec4d4d59ed37fdd98cdd6ddcbb51b

          SHA1

          3614a1b9a47da1115a8ba8af02e306c27bfecdb5

          SHA256

          54cdcff47995bbf7f00a55888ccdb2e7050367247c319fdfb724fb58809766db

          SHA512

          f9e5910edb48cdd900b3de30b9f80eb560492a2ddb1306d42906bbb990d76bab93e299ec933a6e66e4d9eb7b96bce0a7e02a2ad36e754028911a493aff21a432

        • C:\Windows\Resources\spoolsv.exe

          Filesize

          135KB

          MD5

          f9b1b9d116d4170a864c8b24f03c3859

          SHA1

          5d149d509b429a620375856d5c26247a9ea0fa4b

          SHA256

          cda8e4dec587a08ecfc89c0f8ab02febfcbec77ece40fbbe75fa0f964fcca338

          SHA512

          633800bfde868755d264bbe6f0b396da702ff8ddafa7c172bd1993e8231201d345a32800eb5329d4d92e9bbfd609d05d438d4e839b71d416364ce3e4f95bd4cb

        • C:\Windows\Resources\svchost.exe

          Filesize

          135KB

          MD5

          688c873ec3c8192a5a3bbd189ddcfe25

          SHA1

          2b95e73333b38f0239298ea3e4fc85ba717456bf

          SHA256

          4a4373bc4138f91b2967845717a453c3743afe809bdd384a9feb6690bf48c27c

          SHA512

          5ba4b2e15691d700bf68578acbca5866dd841d76801dd01e0ab42f3d6466105b115ff6b07cfaa5a1c5936a30605cac198c9ed840be2753c62860d88b93ba66c2

        • memory/228-33-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/448-0-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/448-34-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/2016-32-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/3808-36-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/5060-35-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB