Analysis

  • max time kernel
    120s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/01/2025, 09:14

General

  • Target

    b940c9916cffd184e0f26b2e8c3c12e326f5c7bea8d1cd9fe5af68953ca4d09eN.exe

  • Size

    206KB

  • MD5

    d9b79a2638e6b7f6df618ffc260a4f50

  • SHA1

    7f52dfd1a1c9d6cfd1b8b2b4eb30bef21d57fa81

  • SHA256

    b940c9916cffd184e0f26b2e8c3c12e326f5c7bea8d1cd9fe5af68953ca4d09e

  • SHA512

    4f39e6407730520139e03ead2e1f8ad2d1d7ebb7bd1ddf304934b87937e4f6b274b002d4c9990754364187134e0b052100d0dd95b7224af332ca9cb8866977f1

  • SSDEEP

    1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdylllllllllllld:/VqoCl/YgjxEufVU0TbTyDDalbA

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b940c9916cffd184e0f26b2e8c3c12e326f5c7bea8d1cd9fe5af68953ca4d09eN.exe
    "C:\Users\Admin\AppData\Local\Temp\b940c9916cffd184e0f26b2e8c3c12e326f5c7bea8d1cd9fe5af68953ca4d09eN.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3196
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2284
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4176
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3696
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:408

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    206KB

    MD5

    9441b3381d789637a26ab24abaf7f912

    SHA1

    2565734dcb13bf18a05cf9b6d9071148732da49f

    SHA256

    86f8f31c21c840295d944cee0a4bedebb9a71b888e2ba4f80bd8cfa073013a35

    SHA512

    f678c77d73f3dc5191c2389e8c0d2ba7b806489da0f854f45328a9f0752b8200a85dcd7c6e946082cc903b543952543a906455981da3464d03ac6696cd87357f

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    206KB

    MD5

    2ac63a88abb43264725f90a7418f6521

    SHA1

    8f3b4a75155215fef0b1f0773f5ee8aec21900b0

    SHA256

    4fa86ddd0af3de58d64e38a198a0f81e22f4e908f28a0df3da17efcfe0dcd838

    SHA512

    aa40665ab25041bee259d939685bddc3e0a73b97fbbbf5b14321027e1122324580b033a85e842b8a5f6c860f4b02d4e7ef55564093e2d0017d3e5631d1cbee13

  • C:\Windows\Resources\svchost.exe

    Filesize

    206KB

    MD5

    0890c07cacf706094eb8eaaeadca26f1

    SHA1

    4e912d367430660830c56748c2826dae511b4f7b

    SHA256

    eab5d4aba5afd888de9c2e6353ba4f4d558dd1be6bdd5c396b2b2f0052d237de

    SHA512

    501fffe5224b1cd527a48d3af58534db195f69862206b3138bb53c5796bf31ce1f21c9c5411037b93e44e64b231b9a0b18668dfb2ade97558104c1d9eaf35dee

  • memory/408-32-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2284-35-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3196-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3196-34-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3696-36-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4176-33-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB