85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145

Analysis

max time kernel
156s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
Size

298KB
MD5

6e9cdc0efec19ff6fb0f6cb52ad25da0
SHA1

5c1dceb6a99fcc322d9efb4377c0b65725bcef52
SHA256

85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145
SHA512

2094aaa7f0aebed0a24b427419a2439db84e6e73242902360ec17164efd29b5d3bd4b75a5b6e9fe9f5daa1bbfccc23b946e8a4be2c85a68ff9c99cfec4e3c831
SSDEEP

6144:suIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYz:H6Wq4aaE6KwyF5L0Y2D1PqLk

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svhost.exe

Executes dropped EXE 1 IoCs

pid	Process
4316	svhost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4752-132-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/files/0x0006000000022db6-134.dat	upx
behavioral2/files/0x0006000000022db6-135.dat	upx
behavioral2/memory/4316-136-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4752-137-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4316-138-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\o:	svhost.exe
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe
File opened (read-only)	\??\q:	svhost.exe
File opened (read-only)	\??\s:	svhost.exe
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\f:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe
File opened (read-only)	\??\w:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4316-136-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/4752-137-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/4316-138-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
File opened for modification	C:\Windows\Driver.db	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4316	svhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4316	svhost.exe
4316	svhost.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4316	svhost.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4316	svhost.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4316	svhost.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4316	svhost.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4316	svhost.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4316	svhost.exe
4316	svhost.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4316	svhost.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4316	svhost.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4316	svhost.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4316	svhost.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4316	svhost.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe
4316	svhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4316	4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe	84
PID 4752 wrote to memory of 4316	4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe	84
PID 4752 wrote to memory of 4316	4752	85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe	84

C:\Users\Admin\AppData\Local\Temp\85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe
"C:\Users\Admin\AppData\Local\Temp\85baadad3c48a2c19164a1e3a9f28f7b7cdbe8955d981e0c8ab2e0c064d78145.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svhost.exe

Filesize
298KB

MD5
e72daa71c94fd034e4b293c8b03f8aac

SHA1
d5a34a9ac2566d75f89148ff71f4a000f70dadb7

SHA256
0261f240b5a682a989cd87fe4e18dcbe69a8c16b39de433d39b4c58e7705720d

SHA512
f54e64b0afa5e12f6413529e4db98d6a6a8fb8f45ec321146938ec30d968ae4268ba06725c9d5f61898d163dad615991bfe930398a7782662a093b19cf6a2576

Download Submit
C:\Windows\svhost.exe

Filesize
298KB

MD5
e72daa71c94fd034e4b293c8b03f8aac

SHA1
d5a34a9ac2566d75f89148ff71f4a000f70dadb7

SHA256
0261f240b5a682a989cd87fe4e18dcbe69a8c16b39de433d39b4c58e7705720d

SHA512
f54e64b0afa5e12f6413529e4db98d6a6a8fb8f45ec321146938ec30d968ae4268ba06725c9d5f61898d163dad615991bfe930398a7782662a093b19cf6a2576

Download Submit
memory/4316-136-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4316-138-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4752-132-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4752-137-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download