Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 22/11/2024, 19:38

General

  • Target: 099e80aaedb65f4b42706fcb3a1f81a85b81a49298b37052c6824c2284e06303.exe
  • Size: 121KB
  • MD5: 9d34f8189b83e6deaf9da815778d8fd3
  • SHA1: ee1ba2f9c5266a46c5bfa2e8e0aaf557fddaa069
  • SHA256: 099e80aaedb65f4b42706fcb3a1f81a85b81a49298b37052c6824c2284e06303
  • SHA512: 9e702e5ddd3a7d8b7a2eb367367b823a9b04b3111f71608198b22c39f8e0d874c8cc6204cc1eb7e8f59d1855f5ecd55eaeba4a3b1c1a74e980c87c93728279e5
  • SSDEEP: 1536:9X9TaOt5OuXpBFZQUSvnsk+z/ypuOASsIc9XmkbxH3D:9X9TP3OuXpBkAz/yjvc9X/9XD

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\099e80aaedb65f4b42706fcb3a1f81a85b81a49298b37052c6824c2284e06303.exe
    "C:\Users\Admin\AppData\Local\Temp\099e80aaedb65f4b42706fcb3a1f81a85b81a49298b37052c6824c2284e06303.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3032
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2264
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3616
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4416
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4304

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize: 121KB
    MD5: c5081a680194c8fd086be86a5b1f25bd
    SHA1: aaa8b2683dc3b77a43a9519a6f29ffb96194b1ed
    SHA256: a3748674beffc95db642121c5235ad12e456d4ca056ccdead5dec8365186f5bc
    SHA512: 2811af03df78b410bdf4c3d2852a4fceea662a89ffefac8db47e41f49a293b35af04e0122910e6d1edaf80d72f358ff88d0b5a43f13deb34e5c8a5136d51abb3

  • C:\Windows\Resources\spoolsv.exe
    Filesize: 121KB
    MD5: d2bb5687624018734900cab3007bc28d
    SHA1: 906d3884530bb78fe7d86145a58c51903b58cb06
    SHA256: f8e99ec9bc2e5db7fd8aa95c146373bec99d7d617e42fe9b77f3837d0a54ccd1
    SHA512: 7ca1a7eb63d9d662a4fbc8ba538d26d9740992df5e3ef0c2e83367742486e410ab5afe8fdd3228ce220091fda7dd055b3486699df95c57a1c99c49441901bd8c

  • C:\Windows\Resources\svchost.exe
    Filesize: 121KB
    MD5: 06f690a11051fe8060af463f156b3e79
    SHA1: 256132529de711ee5ad8b44f3677acca782675e0
    SHA256: cebdb8c950af5295b43f86c0e12565b3358adc5c7b0e6c4c3e0522655cb5443a
    SHA512: 5ab2fd7d1f0c83494c2c0800dc171b9f28785f703278fe264415b82639221a5e839b1d7191fc8d22fdce7152aeda8c254728eeb2145acdeb566a85992e71ffb6