Overview

overview

10

Static

static

3

d49bc433cf...6e.exe

windows7-x64

10

d49bc433cf...6e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 08:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe

  • Size

    135KB

  • MD5

    6846d3a6156030f790645430397d3d65

  • SHA1

    be370f708018d3e34ef09b0199b3c93dac8304ac

  • SHA256

    d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e

  • SHA512

    9b55a1d95f8fb5316f66198e35f75d36f1026e7ad51e1ab9da3fa7e7732f58b87afeb69ad3fd6035ea7ed2ea9a7b83073c66d4ce8438646e9656e8586df6e8cb

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVhpalY:UVqoCl/YgjxEufVU0TbTyDDalQlY

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe
    "C:\Users\Admin\AppData\Local\Temp\d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2856
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3492
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1360
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:316
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1316

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize

    135KB

    MD5

    459fcc360b596f8c2416a89acddbb6ec

    SHA1

    c466763acdec9c972dc39b04f62be5008fe33db2

    SHA256

    ee25772fc956dad729ee78e488be3266f432af6876b27354ffb2d1642ea65ccd

    SHA512

    d77706e8ef495b8d7aa56bb3a911b5ce310a4b29bdb0c610d75f96908379ea6dd4ec275548a3ad793350a9969b945f6387e59a253f959411ef9b94c61b7166c7

    Download Submit

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    135KB

    MD5

    dee45538560613bd79ba059243788c67

    SHA1

    9e169abdfd4d9eb61d1107d3584793833a375ac3

    SHA256

    fa32917933d0ec32e085c1be174366b0534c571ee66fa7633b15d436b2ceff62

    SHA512

    b370f293258474d34ef1b9da980e10dbd54709dd5102800c55c74839892d444cf7727c7b60e890dbe780fa4c1b42ee98811db39cd50293e77624aff0c0b5a2c3

    Download Submit

  • C:\Windows\Resources\svchost.exe
    Filesize

    135KB

    MD5

    f0bfe25427804268216cee2a66e369e1

    SHA1

    a2dca77c0ab0fe684f17c903644eee065b0679e2

    SHA256

    aee0b4bd10d79081e08cbbf89afc9cd9b31e9cb0f0e5efea851804ff65fc5fd7

    SHA512

    cf3d801aa9c9aa4b0dd1bb6e26f1cb6579d50e3f004fd2fe1f147885397ddb0cec89f3056abba14ae819c1f9de7099398ff2ee174afe17d5f6f7b350a9a482c0

    Download Submit

  • memory/316-36-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1316-32-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1360-33-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2856-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2856-34-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3492-35-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download