Analysis
max time kernel: 300s
max time network: 269s
platform: windows10_x64
resource: win10v20210410
submitted: 22-07-2021 20:54

Static task: static1
Behavioral task: behavioral1
Sample: Speccy64.exe
Resource: win10v20210410

General
Target: Speccy64.exe
Size: 6.8MB
MD5: a6a655d719159feb5a472ce1d387a366
SHA1: e62769f77cae8b30fbcb58f490f42cd07a24aef6
SHA256: 80e5d5327d1376c6a2fa142e8ed7772622f5d2ec29411e000e072e7aa716f004
SHA512: d086bca22c6d1505be8a2c7e1cf0c3747738fccba1af3bf143f84b67b88f888a23f58e751bc58a5d47dee40a6cfe6d9106222776e58b57963474175dfadab57f
Malware Config

Signatures

Checks whether UAC is enabled
Processes: Speccy64.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Speccy64.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Speccy64.exe
description | ioc | process
File opened (read-only) by Speccy64.exe, one IoC per drive letter, in the order reported: \??\Q:, \??\Y:, \??\A:, \??\E:, \??\G:, \??\H:, \??\J:, \??\T:, \??\U:, \??\X:, \??\K:, \??\P:, \??\R:, \??\V:, \??\W:, \??\B:, \??\F:, \??\I:, \??\L:, \??\M:, \??\N:, \??\O:, \??\S:, \??\Z:
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: Speccy64.exe
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | Speccy64.exe
Drops file in System32 directory 4 IoCs
Processes: Speccy64.exe
description | ioc | process
File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_82738beb7b514250\keyboard.PNF | Speccy64.exe
File created | \??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_82738beb7b514250\keyboard.PNF | Speccy64.exe
File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_b0ca8be2ac09ed24\msmouse.PNF | Speccy64.exe
File created | \??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_b0ca8be2ac09ed24\msmouse.PNF | Speccy64.exe
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
636 | 3368 | WerFault.exe | java.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | taskmgr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: Speccy64.exe, taskmgr.exe, WerFault.exe
pid | process (one entry per IoC, in the order reported):
3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3796 taskmgr.exe 3796 taskmgr.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3236 Speccy64.exe 3796 taskmgr.exe 636 WerFault.exe 636 WerFault.exe 636 WerFault.exe 636 WerFault.exe 636 WerFault.exe 636 WerFault.exe 636 WerFault.exe 636 WerFault.exe 636 WerFault.exe 636 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: taskmgr.exe
pid | process
3796 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: svchost.exe, taskmgr.exe, WerFault.exe
description | pid | process
Token: SeShutdownPrivilege | 2556 | svchost.exe
Token: SeCreatePagefilePrivilege | 2556 | svchost.exe
Token: SeDebugPrivilege | 3796 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3796 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3796 | taskmgr.exe
Token: SeDebugPrivilege | 636 | WerFault.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: Speccy64.exe, taskmgr.exe, WerFault.exe
pid | process (one entry per IoC, in the order reported):
3236 Speccy64.exe 3236 Speccy64.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3236 Speccy64.exe 3796 taskmgr.exe 636 WerFault.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3236 Speccy64.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe
Suspicious use of SendNotifyMessage 64 IoCs
Processes: Speccy64.exe, taskmgr.exe
pid | process (one entry per IoC, in the order reported):
3236 Speccy64.exe 3236 Speccy64.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe 3796 taskmgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: Speccy64.exe
pid | process
3236 | Speccy64.exe
3236 | Speccy64.exe
Suspicious use of WriteProcessMemory 2 IoCs
Processes: Speccy64.exe
description | pid | process | target process
PID 3236 wrote to memory of 3368 | 3236 | Speccy64.exe | java.exe
PID 3236 wrote to memory of 3368 | 3236 | Speccy64.exe | java.exe
Processes
(process tree; indentation follows the nesting level reported for each process)

C:\Users\Admin\AppData\Local\Temp\Speccy64.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Speccy64.exe"
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      command line: "C:\Program Files\Java\jre1.8.0_66\bin\java" -version

        C:\Windows\system32\WerFault.exe
          command line: C:\Windows\system32\WerFault.exe -u -p 3368 -s 364
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow

\??\c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\wbem\WmiApSrv.exe
  command line: C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe
  command line: C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/3368-114-0x0000000000000000-mapping.dmp