Analysis
  max time kernel:   151s
  max time network:  41s
  platform:          windows7_x64
  resource:          win7-20220812-en
  resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:         03-10-2022 07:30

Behavioral task: behavioral1
  Sample:    85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
  Resource:  win7-20220812-en
General
  Target:  85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
  Size:    298KB
  MD5:     6e9cdc0efec19ff6fb0f6cb52ad25da0
  SHA1:    5c1dceb6a99fcc322d9efb4377c0b65725bcef52
  SHA256:  85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145
  SHA512:  2094aaa7f0aebed0a24b427419a2439db84e6e73242902360ec17164efd29b5d3bd4b75a5b6e9fe9f5daa1bbfccc23b946e8a4be2c85a68ff9c99cfec4e3c831
  SSDEEP:  6144:suIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYz:H6Wq4aaE6KwyF5L0Y2D1PqLk
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer    2 TTPs    1 IoCs
  description      ioc                                                                                                                                Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  svhost.exe

  HideFileExt = 1 makes Explorer hide known extensions, so a file named e.g. "Report.doc.exe" is shown as "Report.doc". That is the Windows default, but writing it explicitly re-asserts it for a user who had turned extensions on. The key is per-user (under the HKU hive for SID S-1-5-21-...-1000) and is written by the dropped svhost.exe, not by the original sample (the process tree below attributes it to PID 1708).
Executes dropped EXE    2 IoCs
  pid   Process
  108   svhost.exe
  1708  svhost.exe

UPX packed (matches the sandbox's upx yara rule)    9 IoCs
  resource                                                            yara_rule
  behavioral1/files/0x0007000000005c50-56.dat                         upx
  behavioral1/files/0x0007000000005c50-58.dat                         upx
  behavioral1/files/0x0007000000005c50-60.dat                         upx
  behavioral1/memory/1384-62-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/108-64-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral1/memory/1708-65-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1384-66-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/108-67-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral1/memory/1708-68-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
Enumerates connected drives    3 TTPs    24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc                                                                Process
  File opened (read-only)  \??\a: through \??\z:, 24 letters in total (every letter except c: and d:)  svhost.exe

  Only the third process in the chain (PID 1708) performs the sweep. Opening every volume root in turn, with the system drive skipped, is how a sample discovers removable and mapped network drives; it is worth correlating with any later file writes to those drives, which this report does not show.
AutoIT Executable    6 IoCs
AutoIT scripts compiled to PE executables.
  resource                                                                       yara_rule
  behavioral1/memory/1384-62-0x0000000000400000-0x00000000004C2000-memory.dmp    autoit_exe
  behavioral1/memory/108-64-0x0000000000400000-0x00000000004C2000-memory.dmp     autoit_exe
  behavioral1/memory/1708-65-0x0000000000400000-0x00000000004C2000-memory.dmp    autoit_exe
  behavioral1/memory/1384-66-0x0000000000400000-0x00000000004C2000-memory.dmp    autoit_exe
  behavioral1/memory/108-67-0x0000000000400000-0x00000000004C2000-memory.dmp     autoit_exe
  behavioral1/memory/1708-68-0x0000000000400000-0x00000000004C2000-memory.dmp    autoit_exe

  The same six memory regions (image base 0x400000, size 0xC2000, in all three processes) match both the upx and the autoit_exe rule, while the three on-disk .dat resources match only upx. That is the pattern of a UPX-packed AutoIt-compiled executable: the AutoIt runtime and script are only visible after the stub unpacks the image at runtime, so static string matching on the dropped file alone would miss the AutoIt indicator.
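The two yara hits above can be reproduced offline with a small PE section-table walk plus two byte markers. The following is an added example, not code from the sandbox or from the sample's author: it parses a PE header far enough to read section names, flags the UPX0/UPX1 section names and the "UPX!" stub string, and looks for the "AU3!EA06" header that prefixes the script blob in AutoIt v3 compiled executables. The two buffers it analyses are constructed stand-ins built by build_fake_pe(), shaped like the report's observation (dropped file shows only UPX, memory dump shows AutoIt), not the real binaries.

```python
"""Static triage for the two yara hits in this report (upx and autoit_exe).

Added example, not part of the sandbox report. The PE buffers produced by
build_fake_pe() are constructed stand-ins; nothing here is the real sample.
"""
import struct

# Section names UPX leaves behind, and the header string its stub stores.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"
# Header that prefixes the script blob inside an AutoIt v3 compiled executable.
AUTOIT_MARKER = b"AU3!EA06"


def pe_section_names(buf: bytes) -> list:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", buf, coff + 2)[0]
    opt_size = struct.unpack_from("<H", buf, coff + 16)[0]
    table = coff + 20 + opt_size                 # COFF file header is 20 bytes
    names = []
    for i in range(n_sections):
        off = table + 40 * i                     # IMAGE_SECTION_HEADER is 40 bytes
        names.append(buf[off:off + 8].rstrip(b"\0"))
    return names


def triage(buf: bytes) -> dict:
    """Report whether a PE image (file or memory dump) looks UPX-packed
    and whether an AutoIt compiled-script marker is visible in it."""
    names = pe_section_names(buf)
    return {
        "sections": names,
        "upx": any(n in UPX_SECTION_NAMES for n in names) or UPX_MAGIC in buf,
        "autoit": AUTOIT_MARKER in buf,
    }


def build_fake_pe(section_names, overlay: bytes = b"") -> bytes:
    """Construct a minimal, non-runnable PE32 skeleton for exercising the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header right after the DOS header
    opt_size = 0xE0                              # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections + overlay


# Constructed stand-ins mirroring the report: the on-disk drop shows only UPX
# sections (the AutoIt payload is still compressed), while the in-memory image
# has ordinary sections and the AutoIt marker in the clear.
PACKED_ON_DISK = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], overlay=bytes(range(32)))
UNPACKED_DUMP = build_fake_pe([b".text", b".rdata", b".data", b".rsrc"],
                              overlay=bytes(64) + AUTOIT_MARKER + b"<compiled script>")

if __name__ == "__main__":
    for label, buf in (("dropped file", PACKED_ON_DISK), ("memory dump", UNPACKED_DUMP)):
        print(label, triage(buf))
```

On a real packed sample the AutoIt marker only appears after unpacking, which is why the report's autoit_exe hits are all on memory dumps; feed this the sandbox's 0x400000 dump, or the output of `upx -d`, rather than the dropped file itself.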
Drops file in Windows directory    2 IoCs
  description                   ioc                     Process
  File created                  C:\Windows\svhost.exe   85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
  File opened for modification  C:\Windows\Driver.db    svhost.exe

  The dropped name "svhost.exe" is one character short of the legitimate svchost.exe, and it sits in C:\Windows rather than C:\Windows\System32, where the real service host lives; a process listing that shows the name without the full path will not distinguish the two. C:\Windows\Driver.db is opened for modification by the dropped binary; the report does not record its contents.
Enumerates physical storage devices    1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's template text for this signature reads "Likely ransomware behaviour." Nothing else in this report corroborates that (no mass file modification, no dropped note), and taken together with the a:–z: sweep above and a copy of itself dropped under a system-like name, the pattern is at least as consistent with a removable-drive worm. Treat the label as a hint, not a classification.
Suspicious behavior: EnumeratesProcesses    5 IoCs
  pid   Process
  1384  85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
  108   svhost.exe
  1708  svhost.exe (3 hits)
Suspicious use of FindShellTrayWindow    64 IoCs
  pid   Process
  1384  85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
  108   svhost.exe
  1708  svhost.exe
  (64 hits in total across the three processes; PID 1708 accounts for the large majority.)

  This signature and the SendNotifyMessage one below fire in every process in the chain and are commonly seen on AutoIt-compiled binaries, whose runtime interacts with the taskbar tray. On their own they are low-signal; the registry write, the drive sweep and the dropped look-alike binary are the behaviours to key on.
Suspicious use of SendNotifyMessage    64 IoCs
  pid   Process
  1384  85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
  108   svhost.exe
  1708  svhost.exe
  (64 hits in total, distributed across the three processes in the same pattern as FindShellTrayWindow above.)
Suspicious use of WriteProcessMemory    8 IoCs
  description                     pid   Process                                                                 procid_target
  PID 1384 wrote to memory of 108   1384  85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe   27   (4 hits)
  PID 108 wrote to memory of 1708   108   svhost.exe                                                              28   (4 hits)

  Each process writes only into the child it spawned (compare the process tree below), which is what process creation itself looks like from a memory-write monitor; there is no write into a pre-existing or unrelated process, so this is not evidence of injection. procid_target is the sandbox's own index for the target process, not a Windows PID.
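The three behaviours that actually carry signal in this report (HideFileExt forced to 1 by a non-Explorer process, an .exe dropped under a look-alike system name outside its real directory, and one process opening a run of drive roots) are straightforward to turn into host-telemetry detections. The following is an added example, not code from the sandbox or the sample's author, and it generalises slightly beyond this sample by checking any look-alike of several system binaries rather than only svhost.exe. The EVENTS list is a constructed, Sysmon-style replay of the report's observations plus benign noise that must not alert; the field names, the SYSTEM_BINARIES table and the threshold are this example's own assumptions.

```python
"""Host-telemetry detections for the three behaviours this report ties to the
dropped svhost.exe: forcing HideFileExt=1, dropping a system-lookalike binary
outside its real location, and sweeping every drive root.

Added example, not part of the sandbox report. EVENTS is a constructed,
Sysmon-style event list that replays the report's observations plus benign noise;
field names and the SYSTEM_BINARIES table are this example's own assumptions.
"""
import re
from collections import defaultdict

# Legitimate binaries worth protecting against look-alike names, with their real paths.
SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "csrss.exe": r"c:\windows\system32\csrss.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
}
# Matches a bare volume root in either NT (\??\x:) or Win32 (x:\) form.
DRIVE_ROOT = re.compile(r"^(?:\\\?\?\\)?([a-z]):\\?$", re.I)
DRIVE_SWEEP_THRESHOLD = 8        # distinct roots one process must touch to alert (assumed)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one substitution/insertion/deletion is typical for typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_name(path: str):
    """Return the legitimate binary a path imitates (wrong name by <= 1 edit, or the
    right name in the wrong directory), or None if it is the genuine file."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    for legit, legit_path in SYSTEM_BINARIES.items():
        if p == legit_path:
            return None
        if levenshtein(name, legit) <= 1:
            return legit
    return None


def detect(events):
    alerts = []
    roots_by_proc = defaultdict(set)
    for ev in events:
        pid, img, kind = ev["pid"], ev["image"].lower(), ev["type"]
        if kind == "registry_set" and ev["key"].lower().endswith(r"\explorer\advanced\hidefileext"):
            # Explorer writes this key when the user toggles the option; anything else is suspect.
            if ev["value"] == "1" and not img.endswith("\\explorer.exe"):
                alerts.append(f"pid {pid} ({img}) forced HideFileExt=1")
        elif kind == "file_create" and ev["path"].lower().endswith(".exe"):
            legit = masquerade_name(ev["path"])
            if legit:
                alerts.append(f"pid {pid} dropped {ev['path']} imitating {legit}")
        elif kind == "file_open":
            m = DRIVE_ROOT.match(ev["path"])
            if m:
                roots_by_proc[(pid, img)].add(m.group(1).lower())
    for (pid, img), letters in roots_by_proc.items():
        if len(letters) >= DRIVE_SWEEP_THRESHOLD:
            alerts.append(f"pid {pid} ({img}) opened {len(letters)} drive roots: {''.join(sorted(letters))}")
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe"
DROPPED = r"C:\Windows\svhost.exe"
HIDE_EXT_KEY = (r"HKU\S-1-5-21-999675638-2867687379-27515722-1000"
                r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt")

# Constructed events replaying the report, followed by benign noise that must not alert.
EVENTS = [
    {"type": "file_create", "pid": 1384, "image": SAMPLE, "path": DROPPED},
    {"type": "registry_set", "pid": 1708, "image": DROPPED, "key": HIDE_EXT_KEY, "value": "1"},
] + [
    {"type": "file_open", "pid": 1708, "image": DROPPED, "path": "\\??\\" + c + ":"}
    for c in "abefghijklmnopqrstuvwxyz"           # the 24 letters in the report (no c:, d:)
] + [
    {"type": "registry_set", "pid": 1200, "image": r"C:\Windows\explorer.exe", "key": HIDE_EXT_KEY, "value": "0"},
    {"type": "file_open", "pid": 900, "image": r"C:\Windows\System32\svchost.exe", "path": r"\??\c:"},
    {"type": "file_create", "pid": 4, "image": "System", "path": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```

The drive-sweep rule counts distinct roots per process rather than raw open events, so a backup agent that opens one share repeatedly does not trip it, while a process touching a:, b:, e: through z: does; the threshold is a tuning knob, not a measured value.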
Processes
  1. C:\Users\Admin\AppData\Local\Temp\85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe    PID 1384
     command line: "C:\Users\Admin\AppData\Local\Temp\85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe"
       - Drops file in Windows directory
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of SendNotifyMessage
       - Suspicious use of WriteProcessMemory

     2. C:\Windows\svhost.exe    PID 108  (child of 1384)
        command line: C:\Windows\svhost.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

        3. C:\Windows\svhost.exe    PID 1708  (child of 108)
           command line: C:\Windows\svhost.exe
             - Modifies visibility of file extensions in Explorer
             - Executes dropped EXE
             - Enumerates connected drives
             - Drops file in Windows directory
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious use of FindShellTrayWindow
             - Suspicious use of SendNotifyMessage

  The chain is sample -> dropped copy -> second instance of the dropped copy; the persistence-style registry write and the drive sweep happen only in the third process, so a trace that stops after the first child launch would miss the behaviours that matter.
Network
MITRE ATT&CK Enterprise v6
Downloads
  The report lists three identical entries; they correspond to the three dropped-file resources flagged by the upx rule above (behavioral1/files/0x0007000000005c50-56.dat, -58.dat and -60.dat), and the only executable created in the trace is C:\Windows\svhost.exe. One entry is shown here.

  Filesize:  298KB
  MD5:       5c93758dca5aaef277149cb22c0039e8
  SHA1:      2e182851ea11a5863a83997003ab73ad7aa454fd
  SHA256:    09b86ea14b560e871303d9ec0c1215e646497425cc9b6e54cab779ae70a946b2
  SHA512:    05d8dedf486b9aff2c96e29c9776a672aaa3f2637a8793fa6e6ad5ae1fec0e6276c7d2f26d6dab87533a337192c5dd083c9cca4d495ac15050aa1442f8c69763

  The dropped file has the same 298KB size as the submitted sample but every hash differs, so it is not a byte-for-byte self-copy. Block and hunt on both hash sets, and diff the two binaries before assuming simple replication; a small, deliberate change on each drop is also why hash-only detection of this family's copies is unreliable.