Overview

overview

10

Static

static

3

d49bc433cf...6e.exe

windows7-x64

10

d49bc433cf...6e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe

  • Size

    135KB

  • MD5

    6846d3a6156030f790645430397d3d65

  • SHA1

    be370f708018d3e34ef09b0199b3c93dac8304ac

  • SHA256

    d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e

  • SHA512

    9b55a1d95f8fb5316f66198e35f75d36f1026e7ad51e1ab9da3fa7e7732f58b87afeb69ad3fd6035ea7ed2ea9a7b83073c66d4ce8438646e9656e8586df6e8cb

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVhpalY:UVqoCl/YgjxEufVU0TbTyDDalQlY

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe
    "C:\Users\Admin\AppData\Local\Temp\d49bc433cf5da708864084ac81fd540db14a92ed57971e4b9a45bfee15439a6e.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2308
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:688
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4352
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2756
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    135KB

    MD5

    c4a17eeb03f51fd95fe7c376d4ca03d9

    SHA1

    a691683c78f92b96ebdaab708572f67a4438b326

    SHA256

    6d01e94b7eeb8c643c6dbb077b994d9a829cda56c59b015cefddf5c682e10b89

    SHA512

    f1169d981c10436ac477fcd3850c0e1b7ec8fe7d5152a8559e52100aa8769ba370c01847da5858b8ef6154a5541943d10228540b6e205c3da6151aa238dea058

    Download Submit

  • C:\Windows\Resources\svchost.exe
    Filesize

    135KB

    MD5

    5c52cd78e9d4d76ef6ae8dc25de5c6fa

    SHA1

    4f22eba83509c1605b579a68840facb60c8ac33a

    SHA256

    6d448cdbc73a8069e1b5db81c7ca85c98c077df98e6b92e826bf5f4dfc278bb2

    SHA512

    be2a7ad4ed4a227cccc3a9389f920367ab64a120d705c1bfe16a2171f99d9d69d4dd075d3b853afcaa9cd49c9cdae2651ba91839e60cb877350d81b2335515e9

    Download Submit

  • \??\c:\windows\resources\themes\explorer.exe
    Filesize

    135KB

    MD5

    6555807d53d1248d2d4a20290175be29

    SHA1

    b7b615714aed2d0f48fea4724503b071c4a3e176

    SHA256

    725f92c3df407716fb6e2dc5c013f6c7046f3241d4759d4687235d7e1c51b1cf

    SHA512

    e2defc4cfe5070325c726da502f2730c176201408a6ecfb7036c2ee828963a1cd26bfa07e13dfeca124c5cfc17946dd6ee928c96f08bd174fa026fe8211acf90

    Download Submit

  • memory/688-35-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2308-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2308-34-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2756-36-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4352-33-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4580-32-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download