Overview

overview

10

Static

static

3

temp.exe

windows7-x64

10

temp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 12:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    temp.exe

  • Size

    2.7MB

  • MD5

    80e3cf78b36403d94dc167fb157241a7

  • SHA1

    990c00b029bb0006968d5ff970257793a94e5429

  • SHA256

    64be767713553d9381add65aa62e302691a86257c087ddbaccdf56f7b905cb31

  • SHA512

    7eaf50cd1a18a77737522d85084f7bca394ac7f2e6afdef96a0fbc47ba33c3d7d543d12ce8cc106203ffeb3c20bee63f099f7ca2817d9ba2ff821ae342c023ad

  • SSDEEP

    49152:smuk6Flic1CcPANlX7c8TuQsRVg+HIbHczjzXThtYJtkE:+XCKfDNlsCE

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\temp.exe
    "C:\Users\Admin\AppData\Local\Temp\temp.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2332
    • \??\c:\users\admin\appdata\local\temp\temp.exe 
      c:\users\admin\appdata\local\temp\temp.exe 
      2⤵
      • Executes dropped EXE
      PID:3040
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3052
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4820
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1196
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2100
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize

    135KB

    MD5

    6e3625f2c270acc71f37d028535883a4

    SHA1

    be3e5870ca4d716e739211765c41327b9be2ae5b

    SHA256

    f0ec345cdafaf7dbd56a986a22f03fde47cbd71418173f34289f12ac6263f59e

    SHA512

    fdfc796f1414d3d67da1e14f72d8561d995e4354a5b927ad40c460917d7b31e55b38fc7b6e8083c2204b318c6bef66643a9ba5992beb98b13f0e7e2a6bc1509a

    Download Submit

  • C:\Windows\Resources\Themes\icsys.icn.exe
    Filesize

    135KB

    MD5

    0df007d4164b36b476945aa3ee23b740

    SHA1

    8b8e30289b3d6878665196fdd4e5f69756323b6d

    SHA256

    54f4d8ea7768f201590f3532d6dcf1ad2d3bb0e8416a03a473dc94730db8223c

    SHA512

    c253c92e3ceec8929a7fc488df1f5f43e43aefb01febfa4aec88bd0a589bcc59690c81b5238d3e25226121eb2affab8056ecef99dd4a00de42a4a13e3eb794c9

    Download Submit

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    135KB

    MD5

    18e03fcaa381713935c6e96c9c912a40

    SHA1

    67cd7d2303c9ecaf7a3c3b8818224db38fe4d186

    SHA256

    f98c6fe0ac661b26aea5add3b15e144b3172b5609c1ebc69335d60bcdaf3447b

    SHA512

    4717635e2e3eb406bf82693334037eda1e17c6aacaa8b7704d0c255d08a0e639e1e9e84ccfd30f3387e82de4829ba7842ffc4b46aa27ee8dbb582c5694ac17ab

    Download Submit

  • C:\Windows\Resources\svchost.exe
    Filesize

    135KB

    MD5

    4010770736ac8bfe7369ab467a5eab6f

    SHA1

    74ae347ef10fec1d2a7474605e8c8b498a3f8106

    SHA256

    edef7aa4cf774a50f359984233a75a9f2e2cd5a63649203fe18592785a4541d9

    SHA512

    7610cb6bb703d32712b91e2b92a7683cf81b050821d3fdbe76031ee4f432ec0c4870fd2c51df2d525a69995170e470e8089589614e4f3559964009043256f02d

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\temp.exe 
    Filesize

    2.6MB

    MD5

    f19e882a33d21b592907a8866d5a5ccc

    SHA1

    cdf3496e95505e93011d75832d756f679150fd87

    SHA256

    1b0843d77be37f4e6c54e8e0940bfe44bdd4c084c08f432b3cd4fc716f19f82a

    SHA512

    569971c96c8540d59a9cd2c472355ca2cca6be8c7cf25be531663e309ba24234b8aac4a1c8da0f631f2a785240618633c012ec87552768ccf6fe0612008cd30a

    Download Submit

  • memory/1196-120-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1196-158-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2100-449-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2332-160-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2332-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3040-43-0x00007FFDD3910000-0x00007FFDD3B05000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3040-76-0x00007FFDD3910000-0x00007FFDD3B05000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3040-85-0x00007FFDD3910000-0x00007FFDD3B05000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3040-64-0x00007FFDD3910000-0x00007FFDD3B05000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3040-54-0x00007FFDD3910000-0x00007FFDD3B05000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3040-30-0x00007FFDD3910000-0x00007FFDD3B05000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3040-16-0x00007FFDD3910000-0x00007FFDD3B05000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3040-15-0x00007FFDD3910000-0x00007FFDD3B05000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3052-163-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4016-150-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4820-448-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download