Analysis

  • max time kernel
    118s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/11/2024, 08:42

General

  • Target
    36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe
  • Size
    82KB
  • MD5
    f9755557f27ae40511f601f4603e30e0
  • SHA1
    5874068fec9c0a057892c8c4c17c8a47cfde24ca
  • SHA256
    36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5
  • SHA512
    d5a39c664ef5f52806fecb54f1e0deeafc03b64a4bd80dee7b297fa4064f6b5e67d949b2abd9c45f554944f6672ce336563c53ec3b811f206f283ec7223824b9
  • SSDEEP
    768:8embNRqsuhlGOBrhgFwumSCbxTGy/BBGg4NKJJKqUThbJ32+ve7i40vN0TlT+XkB:Wnqdu3abBGy3G8V0iuo5qkSZZZ3q

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 27 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 36 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe
    "C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1680
    • \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe
      "c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe" 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\vcw.exe
    Filesize: 82KB
    MD5: 5567f115cf53f9f180a000676b23deb1
    SHA1: d5dca6370eccd30fa9f4170b4ac678cef174e449
    SHA256: b412f6aa47934aa162ebcc8e3a7569631734d90c15a8fea853af01120b16fff4
    SHA512: ab53cdb2d5d01552e8c1e123e7904d98552daa27b4f6d36861df292e577ad57249e9df675e00261246fd2ded3afad0d7b4126a68b35711081d5db0434e35347d

  • \??\c:\windows\SysWOW64\Windows 3D.scr
    Filesize: 82KB
    MD5: d7997f49f670d876e06d9b9b2e47b4b9
    SHA1: bda4eadba89c0cd4b43e2c42772a58db8178076b
    SHA256: 3b01786c8166dc1e0596ea6a67e2367906eda66a8cb283de68d7a3f8b6fabd8e
    SHA512: 0e62b520084398a8fed73d6334689a48100d623f03c14356c06aaa76a0c9f815165cfc0007cedf57ec155c245320d78d6e720ffaf1a6ac0955152e5f7d6fd001

  • \??\c:\windows\SysWOW64\maxtrox.txt
    Filesize: 8B
    MD5: 24865ca220aa1936cbac0a57685217c5
    SHA1: 37f687cafe79e91eae6cbdffbf2f7ad3975f5e83
    SHA256: 841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
    SHA512: c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062