Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 23:02

General

  • Target

    3c28db7d5274460189167458e4120cc0fd607e2a63d94b0e1004f37049f63a62.exe

  • Size

    630KB

  • MD5

    de428e3a7d4d7ef369f524d81ab63f3b

  • SHA1

    175cf1088027980a6ea136487e0af8ef38d21e16

  • SHA256

    3c28db7d5274460189167458e4120cc0fd607e2a63d94b0e1004f37049f63a62

  • SHA512

    e46c3715e31f9c24454ccda981f1711128361e018f2dfbfe65ae0e9836f1313e52ecb6560c6d2bf84708f6a561dcdbf5a5905c788f76f48496eeb53aa52a0c21

  • SSDEEP

    12288:PFUNDaM85s/AxkQ4xdv3yNIGlSYjjlrg+aaUX:PFOahs4xkQ4DvCNIGl3jjZg+XK

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c28db7d5274460189167458e4120cc0fd607e2a63d94b0e1004f37049f63a62.exe
    "C:\Users\Admin\AppData\Local\Temp\3c28db7d5274460189167458e4120cc0fd607e2a63d94b0e1004f37049f63a62.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1760
    • \??\c:\users\admin\appdata\local\temp\3c28db7d5274460189167458e4120cc0fd607e2a63d94b0e1004f37049f63a62.exe 
      c:\users\admin\appdata\local\temp\3c28db7d5274460189167458e4120cc0fd607e2a63d94b0e1004f37049f63a62.exe 
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4176
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2868
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3016
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3612
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1200
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2540
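
The process tree above shows the sample dropping copies of itself under C:\Windows\Resources (and C:\Windows\Resources\Themes) with names that imitate real system binaries (explorer.exe, spoolsv.exe, svchost.exe, icsys.icn.exe), then persisting through a Run key. The following PowerShell script is an added host-hunting example, not part of the sandbox output. It takes the dropped-file paths and SHA256 values from the Processes and Downloads sections of this report. Two things are assumptions because the report does not state them: the name of the Run value the sample writes (so every Run value is matched against the drop directory instead), and that the "Modifies visibility of hidden/system files in Explorer" signature refers to the standard Hidden and ShowSuperHidden values under HKCU\...\Explorer\Advanced (those are printed as context only, since 2/0 is also the Windows default).

```powershell
# Added hunting script for the indicators in this report; not produced by the sandbox.
# Run in an elevated PowerShell on the host being checked.

# Dropped-file paths and SHA256 values copied from the report's Processes / Downloads sections.
$Iocs = @{
    'C:\Windows\Resources\Themes\icsys.icn.exe' = 'e4ad273aab3d07096b40c228087565ecd911416735757db13e6d8b7b01619995'
    'C:\Windows\Resources\Themes\explorer.exe'  = '8766aba0bb965093c1ed397ee3f7be6e78c70b79d1b1ccc0ec636f4d053f4590'
    'C:\Windows\Resources\spoolsv.exe'          = '0a000de0874a8b5931d3fb0fda5c9bfc6ab6c4e575bd6d2cbae6e4f71573b743'
    'C:\Windows\Resources\svchost.exe'          = 'c79f4392772c1ec1afea04af9c4f2f93bebff02aebdd8ea44e54f82afa2ec34b'
}

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. Legitimate explorer.exe lives in C:\Windows and spoolsv.exe / svchost.exe
#    in C:\Windows\System32; an executable with one of these names under C:\Windows\Resources
#    is suspicious on its own, and a hash match ties it to this exact sample.
foreach ($path in $Iocs.Keys) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $note = if ($hash -eq $Iocs[$path]) { 'SHA256 matches report' } else { "different build, SHA256 $hash" }
        $Findings.Add("file present: $path ($note)")
    }
}

# 2. Run-key persistence. The report records "Adds Run key to start application" but not the
#    value name (assumption: unknown), so every value is matched against the drop directory.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath / PSParentPath / PSProvider metadata
        if ("$($p.Value)" -match '(?i)\\Windows\\Resources\\') {
            $Findings.Add("run key: $key\$($p.Name) = $($p.Value)")
        }
    }
}

# 3. Explorer hidden/system-file visibility. Assumption: the signature refers to these two
#    values (Hidden=2 hides hidden files, ShowSuperHidden=0 hides protected OS files). They are
#    printed as context rather than as a finding because 2/0 is also the Windows default.
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv) {
    "context: Explorer\Advanced Hidden=$($adv.Hidden) ShowSuperHidden=$($adv.ShowSuperHidden) (compare with your baseline)"
}

if ($Findings.Count -eq 0) { 'no indicators from this report found' } else { $Findings }
```

The directory match in step 2 is deliberately broader than the four exact paths: if a later build of the same family drops under a different file name in C:\Windows\Resources, the Run value still surfaces, while the hash comparison in step 1 tells you whether the binary on disk is the one analysed here.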

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3c28db7d5274460189167458e4120cc0fd607e2a63d94b0e1004f37049f63a62.exe 

    Filesize

    495KB

    MD5

    d3205e595a423a7900ec8a368feaaafe

    SHA1

    98bf400147e6c93fe8399f7cecdfa09d4dedfc2e

    SHA256

    9d0b92f0257a6f3b99ced38d27b2db2fc7165c1f07d2fff656a0c87313a33a9c

    SHA512

    0732fd230c0420c987de7d54e6d5c3d79a8ccfa417c857d408dc8376d6a6e8b307cc9ed29ef15209c21addd91233155e4ed3fb203bde336aaf79cea816ede412

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    21c4fd611b503c6eaf2bd46bac9fe528

    SHA1

    85dd95b117e6084e72d701886de4babaadf3b3a1

    SHA256

    8766aba0bb965093c1ed397ee3f7be6e78c70b79d1b1ccc0ec636f4d053f4590

    SHA512

    fa0af5625252efcadf33c43226bca70a6143fdb1ab68a7503db3d464a8f69c8a97715a40e617e2891b18e3d8cf1b20a6ef525b906197e51dc318b72fe6e2da25

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    3733cf8be2beaf37b512c4b4fc95e607

    SHA1

    33963c28544c7df9ffac981db215c8096f9e0217

    SHA256

    e4ad273aab3d07096b40c228087565ecd911416735757db13e6d8b7b01619995

    SHA512

    6cd0f30af91c38630bdeb7d8797fc961a3814dcbd09ef18db72949c7e4d22ff5af758deaa9a7a363cc8559fa414f7c84c1eb83cc8d72028cd960ab367a6aa979

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    dcbd30309cf79d2d6bcab476fae81d34

    SHA1

    48d5c273930ca41688eb4da1c5b85cf0d0d9f612

    SHA256

    0a000de0874a8b5931d3fb0fda5c9bfc6ab6c4e575bd6d2cbae6e4f71573b743

    SHA512

    6f4dfbe2df61bfa55d7e6c990b695434a6216382ae1db722b3b63a7869a40cfcb721389a093038ca5f2b684fba674b9d97063b30809396f2d5aa3789ad93be2d

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    084935a66c61c28f2dee533a30cfbe7d

    SHA1

    f1e48a4fe1b008838f091b915d5e3356fa646c71

    SHA256

    c79f4392772c1ec1afea04af9c4f2f93bebff02aebdd8ea44e54f82afa2ec34b

    SHA512

    49fe22c5a23cab6f6ef1e43bb4be1c9ae4321c04c73e79d420ba09030afbe6987c26b3136f1508ca2776aee981b9efc23a7352f4bd119532be6e2b62ee9dd66d

  • memory/1200-48-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1760-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1760-46-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2540-43-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2868-45-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3016-47-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3612-44-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB