Analysis
max time kernel: 152s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 19-09-2022 16:10
Behavioral task: behavioral1
Sample: 44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
Resource: win7-20220812-en
General
Target: 44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
Size: 298KB
MD5: 133b166b1667f94bea35d8fba25810ca
SHA1: b369936e9f5daf3dfc3b2b1b6efdfb12552610b4
SHA256: 44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c
SHA512: e2de71cb38d0f798fecbb0bb3a7dc668c84d4514d1b7d5862272a363b7b267dd5934aa910c0aa27b8f5cb4538a197f10437c9c84081382a1f0d89ad759a569e0
SSDEEP: 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIY/:v6Wq4aaE6KwyF5L0Y2D1PqL4
Malware Config

Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | svhost.exe

Executes dropped EXE (2 IoCs)
pid | Process
2008 | svhost.exe
1496 | svhost.exe

resource | yara_rule
behavioral1/memory/1648-54-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/files/0x000c0000000054a8-57.dat | upx
behavioral1/files/0x000c0000000054a8-59.dat | upx
behavioral1/files/0x000c0000000054a8-61.dat | upx
behavioral1/memory/1496-65-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2008-64-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2008-66-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/1648-67-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/1496-68-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\b: | svhost.exe
File opened (read-only) | \??\k: | svhost.exe
File opened (read-only) | \??\l: | svhost.exe
File opened (read-only) | \??\n: | svhost.exe
File opened (read-only) | \??\q: | svhost.exe
File opened (read-only) | \??\m: | svhost.exe
File opened (read-only) | \??\o: | svhost.exe
File opened (read-only) | \??\p: | svhost.exe
File opened (read-only) | \??\v: | svhost.exe
File opened (read-only) | \??\w: | svhost.exe
File opened (read-only) | \??\y: | svhost.exe
File opened (read-only) | \??\z: | svhost.exe
File opened (read-only) | \??\a: | svhost.exe
File opened (read-only) | \??\g: | svhost.exe
File opened (read-only) | \??\h: | svhost.exe
File opened (read-only) | \??\i: | svhost.exe
File opened (read-only) | \??\j: | svhost.exe
File opened (read-only) | \??\s: | svhost.exe
File opened (read-only) | \??\t: | svhost.exe
File opened (read-only) | \??\u: | svhost.exe
File opened (read-only) | \??\x: | svhost.exe
File opened (read-only) | \??\e: | svhost.exe
File opened (read-only) | \??\f: | svhost.exe
File opened (read-only) | \??\r: | svhost.exe
AutoIT Executable (5 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/1496-65-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2008-64-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2008-66-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/1648-67-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/1496-68-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\svhost.exe | 44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
File opened for modification | C:\Windows\Driver.db | svhost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | Process
1648 | 44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
2008 | svhost.exe
1496 | svhost.exe
1496 | svhost.exe
1496 | svhost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
64 entries, collapsed by pid:
pid | Process | entries
1648 | 44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe | 18
2008 | svhost.exe | 12
1496 | svhost.exe | 34

Suspicious use of SendNotifyMessage (64 IoCs)
64 entries, collapsed by pid:
pid | Process | entries
1648 | 44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe | 18
2008 | svhost.exe | 12
1496 | svhost.exe | 34

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1648 wrote to memory of 2008 | 1648 | 44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe | 28
PID 1648 wrote to memory of 2008 | 1648 | 44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe | 28
PID 1648 wrote to memory of 2008 | 1648 | 44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe | 28
PID 1648 wrote to memory of 2008 | 1648 | 44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe | 28
PID 2008 wrote to memory of 1496 | 2008 | svhost.exe | 29
PID 2008 wrote to memory of 1496 | 2008 | svhost.exe | 29
PID 2008 wrote to memory of 1496 | 2008 | svhost.exe | 29
PID 2008 wrote to memory of 1496 | 2008 | svhost.exe | 29
Processes
C:\Users\Admin\AppData\Local\Temp\44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe (PID 1648, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\svhost.exe (PID 2008, depth 2, child of PID 1648)
    Command line: C:\Windows\svhost.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\svhost.exe (PID 1496, depth 3, child of PID 2008)
      Command line: C:\Windows\svhost.exe
      - Modifies visibility of file extensions in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 298KB
MD5: 4b5f5e2b0412d3dbbe3a765b28b474cb
SHA1: 310c860b9573d19ced88d6e651814a6daaa0c1cd
SHA256: a7539d9c61664c973e58ec1749cbd8836fa0c32a3d27657107619c6370ae9665
SHA512: eced7ad401075e0d626158ebb1d823035db691f19217826685b45c42d47461780403f9c280e51ab90857be7553b70507e6b43e647a843bf72c7ba9f69bda5a22