Overview

overview

10

Static

static

3

3c28db7d52...62.exe

windows7-x64

10

3c28db7d52...62.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 22:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c28db7d5274460189167458e4120cc0fd607e2a63d94b0e1004f37049f63a62.exe

  • Size

    630KB

  • MD5

    de428e3a7d4d7ef369f524d81ab63f3b

  • SHA1

    175cf1088027980a6ea136487e0af8ef38d21e16

  • SHA256

    3c28db7d5274460189167458e4120cc0fd607e2a63d94b0e1004f37049f63a62

  • SHA512

    e46c3715e31f9c24454ccda981f1711128361e018f2dfbfe65ae0e9836f1313e52ecb6560c6d2bf84708f6a561dcdbf5a5905c788f76f48496eeb53aa52a0c21

  • SSDEEP

    12288:PFUNDaM85s/AxkQ4xdv3yNIGlSYjjlrg+aaUX:PFOahs4xkQ4DvCNIGl3jjZg+XK

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c28db7d5274460189167458e4120cc0fd607e2a63d94b0e1004f37049f63a62.exe
    "C:\Users\Admin\AppData\Local\Temp\3c28db7d5274460189167458e4120cc0fd607e2a63d94b0e1004f37049f63a62.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3008
    • \??\c:\users\admin\appdata\local\temp\3c28db7d5274460189167458e4120cc0fd607e2a63d94b0e1004f37049f63a62.exe 
      c:\users\admin\appdata\local\temp\3c28db7d5274460189167458e4120cc0fd607e2a63d94b0e1004f37049f63a62.exe 
      2⤵
      • Executes dropped EXE
      PID:1732
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2524
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2464
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2428
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2800
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2716
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:59 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2764
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:00 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1348
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:01 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1456
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
            PID:2872

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      2ef8dbd6519572164a6e44ae12ab260d

      SHA1

      a71e07bd472f1f7fa8833ed6afc959884f398333

      SHA256

      bea70387ce5f610f600d818256cd999759084c6dba0754639302c1e89162b0af

      SHA512

      9c1a12508d2872cea942827193dd73705f77aa1c70579301050ac4ff0f4acd24287cf74ca05ac51149b069af9b53b6ee919204500d14b3f90da3a012fb9840f4

      Download Submit

    • \Users\Admin\AppData\Local\Temp\3c28db7d5274460189167458e4120cc0fd607e2a63d94b0e1004f37049f63a62.exe 
      Filesize

      495KB

      MD5

      d3205e595a423a7900ec8a368feaaafe

      SHA1

      98bf400147e6c93fe8399f7cecdfa09d4dedfc2e

      SHA256

      9d0b92f0257a6f3b99ced38d27b2db2fc7165c1f07d2fff656a0c87313a33a9c

      SHA512

      0732fd230c0420c987de7d54e6d5c3d79a8ccfa417c857d408dc8376d6a6e8b307cc9ed29ef15209c21addd91233155e4ed3fb203bde336aaf79cea816ede412

      Download Submit

    • \Windows\Resources\Themes\icsys.icn.exe
      Filesize

      135KB

      MD5

      3733cf8be2beaf37b512c4b4fc95e607

      SHA1

      33963c28544c7df9ffac981db215c8096f9e0217

      SHA256

      e4ad273aab3d07096b40c228087565ecd911416735757db13e6d8b7b01619995

      SHA512

      6cd0f30af91c38630bdeb7d8797fc961a3814dcbd09ef18db72949c7e4d22ff5af758deaa9a7a363cc8559fa414f7c84c1eb83cc8d72028cd960ab367a6aa979

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      cbf39381c3f26c71cf04a2bf58222901

      SHA1

      096c7c04f987a72859e7d5f30e6ff33243884717

      SHA256

      33e032de2c949831756d2172bbfcbbc94392593044af51bca9d8fa51fd9101e1

      SHA512

      34f4e0efac1b427b81644fcb7efe7d8248c2affc8853c64dcdce38a79869eeec9e8b6f2da1a1244c299d588fca8b5afef550bbc4924c61ebb6990c97203e4291

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      135KB

      MD5

      9b9f31ba45bb40fe75986843dc7efa9b

      SHA1

      19c387cf097b75648e8ae340bf750b29d689038c

      SHA256

      48adaef6a7e6861c331443ffee3d61172bdb6f91326e023784d0f4bad92928a2

      SHA512

      c85ce9de9f2c1ce2cbb6df6d81bd1ba743ab6274dacc4bd2014f6b0086fea45c19e4b8bf79604fb41655cb6e40d3d0da1aefdae8594fde4498d6f6d9218d1685

      Download Submit

    • memory/2428-55-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2464-58-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2524-56-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2716-54-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2800-49-0x0000000000270000-0x000000000028F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2800-59-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/3008-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/3008-57-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download