44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c

Analysis

max time kernel
154s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
Size

298KB
MD5

133b166b1667f94bea35d8fba25810ca
SHA1

b369936e9f5daf3dfc3b2b1b6efdfb12552610b4
SHA256

44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c
SHA512

e2de71cb38d0f798fecbb0bb3a7dc668c84d4514d1b7d5862272a363b7b267dd5934aa910c0aa27b8f5cb4538a197f10437c9c84081382a1f0d89ad759a569e0
SSDEEP

6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIY/:v6Wq4aaE6KwyF5L0Y2D1PqL4

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svhost.exe

Executes dropped EXE 1 IoCs

pid	Process
2268	svhost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3436-132-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/files/0x0009000000022e12-135.dat	upx
behavioral2/files/0x0009000000022e12-134.dat	upx
behavioral2/memory/2268-136-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3436-137-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/2268-138-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe
File opened (read-only)	\??\s:	svhost.exe
File opened (read-only)	\??\f:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\o:	svhost.exe
File opened (read-only)	\??\q:	svhost.exe
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe
File opened (read-only)	\??\w:	svhost.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3436-132-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/2268-136-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3436-137-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/2268-138-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
File opened for modification	C:\Windows\Driver.db	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3436	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
3436	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2268	svhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3436	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
3436	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
2268	svhost.exe
2268	svhost.exe
3436	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
2268	svhost.exe
3436	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
2268	svhost.exe
3436	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3436	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
3436	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
3436	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
2268	svhost.exe
3436	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
2268	svhost.exe
3436	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe
2268	svhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 2268	3436	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe	80
PID 3436 wrote to memory of 2268	3436	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe	80
PID 3436 wrote to memory of 2268	3436	44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe	80

C:\Users\Admin\AppData\Local\Temp\44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe
"C:\Users\Admin\AppData\Local\Temp\44f7f5eebe86e97a18204ec017165c640ff47b3bcb68ed1c736d0f17624c848c.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svhost.exe

Filesize
298KB

MD5
6f4b8c396846f3a1592f8944ca44097b

SHA1
121143d8cb95366f596250e5b5e1bea300e8e144

SHA256
19128d4edd410d2247a19d5046da6cea00bddc970dd8e13a0e9090ff604bf9ce

SHA512
716db6bf558a079b411f0d8f081f48bfbc03e62b808d3eb69f20cfaa0a235aeb555ee3f88fa74e789dd60fe309aa86b9d36f29c1e62be2b5cc506ad6f70b7a8a

Download Submit
C:\Windows\svhost.exe

Filesize
298KB

MD5
6f4b8c396846f3a1592f8944ca44097b

SHA1
121143d8cb95366f596250e5b5e1bea300e8e144

SHA256
19128d4edd410d2247a19d5046da6cea00bddc970dd8e13a0e9090ff604bf9ce

SHA512
716db6bf558a079b411f0d8f081f48bfbc03e62b808d3eb69f20cfaa0a235aeb555ee3f88fa74e789dd60fe309aa86b9d36f29c1e62be2b5cc506ad6f70b7a8a

Download Submit
memory/2268-136-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2268-138-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3436-132-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3436-137-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download