Overview

overview

10

Static

static

3

5ec15f5f6f...2c.exe

windows7-x64

10

5ec15f5f6f...2c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2024, 23:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ec15f5f6fe64d7dcdaf5ac5efa5c34d4ec565485b41e3e6db6b2979b5ed642c.exe

  • Size

    135KB

  • MD5

    17b0b82c62c97a1615bff55c490a19ed

  • SHA1

    247800f9ef5d5a3b884cf1f16166ab337657073c

  • SHA256

    5ec15f5f6fe64d7dcdaf5ac5efa5c34d4ec565485b41e3e6db6b2979b5ed642c

  • SHA512

    992f5bdd97681f21804e908bec40a0c7a5c34a69a0eef4d3cbf88c041aaf5222258c247a4ac3fc9aed2ec7ad1728a290f8689609badeab68d57584d3d3edc9dc

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVwdz88888888888x:UVqoCl/YgjxEufVU0TbTyDDalWd+

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ec15f5f6fe64d7dcdaf5ac5efa5c34d4ec565485b41e3e6db6b2979b5ed642c.exe
    "C:\Users\Admin\AppData\Local\Temp\5ec15f5f6fe64d7dcdaf5ac5efa5c34d4ec565485b41e3e6db6b2979b5ed642c.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2052
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1936
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:212
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3844
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize

    135KB

    MD5

    a72756391a4c94310fb86dc8f554e251

    SHA1

    c9ca538cdd677c78bde512d92587fc6a56dcbd8e

    SHA256

    5b92147ddb9de5b0c8d3257be4a93f169bb5940646477dd1d74ddd4370d83998

    SHA512

    8f264ae165a4f9cac86b5f1ad96b181779075d2e2fa3efb16fe14729b92d51afe0bca95a065dee3eabc48a71bdb3d43c47367b64f88e3cef1093880dea1c823a

    Download Submit

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    135KB

    MD5

    8f62bf0fafab4ae328c6457fc11b8213

    SHA1

    684226b01feb361ee487b4593ce0844ea8e2ef2b

    SHA256

    3e73a9a34c2007fe28012e2b635f363d07be93f0724a610c1da04402f69014f1

    SHA512

    58542751b02ae95cf6c624e5eec8934051ff2f2b67090d9c4322a14056a893c0531b5662c7a640e56dda97283bb6b21394eb140539cb97629870d93e0f9288e8

    Download Submit

  • C:\Windows\Resources\svchost.exe
    Filesize

    135KB

    MD5

    61217499a7670b53fa2d298875792ed9

    SHA1

    45671529f05d3551a47e2fdfa289d7ba48bda345

    SHA256

    85a6e2529587c71902d67fade679a308176aa2c0fefd1389bb4d3400d0af453f

    SHA512

    8db72039352cd57cc611360a40d2b5b91c258b90b0754bcbbf96cf2871b0e5fc8abf67a63d372ecd9bb6ed516bba0cd3cec26ae69edc16c0657405fb0b290a50

    Download Submit

  • memory/212-33-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1936-35-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2052-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2052-34-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3844-36-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3932-32-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download