Analysis
max time kernel: 150s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23/11/2022, 19:39

Behavioral task: behavioral1
Sample: 7a8d1e05b50a7224a6e30e9a5011689e9e5f4f7687dfd915953e66635abb93e8.exe
Resource: win7-20220812-en
General
Target: 7a8d1e05b50a7224a6e30e9a5011689e9e5f4f7687dfd915953e66635abb93e8.exe
Size: 298KB
MD5: 53db222e1470ecce6b3674332e5ad640
SHA1: 2c83599d0ad705113fbb846824c2e9e7f184540b
SHA256: 7a8d1e05b50a7224a6e30e9a5011689e9e5f4f7687dfd915953e66635abb93e8
SHA512: 18106643c9dac22b95f683f67e20b2d16a203a75d23cf4fb4aee994bad8df43b9e4ab93befb961edc3353afe4353b2761017457eacd672f58819f4015ca0e9b7
SSDEEP: 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYd:v6Wq4aaE6KwyF5L0Y2D1PqLG
Malware Config
Signatures
Modifies visibility of file extensions in Explorer  (2 TTPs, 1 IoC)
  description     | ioc                                                                                                                                         | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | svhost.exe
Executes dropped EXE  (2 IoCs)
  pid  | Process
  1936 | svhost.exe
  1908 | svhost.exe
  resource                                                                | yara_rule
  behavioral1/files/0x000c0000000054a8-56.dat                             | upx
  behavioral1/files/0x000c0000000054a8-58.dat                             | upx
  behavioral1/files/0x000c0000000054a8-60.dat                             | upx
  behavioral1/memory/240-62-0x0000000000400000-0x00000000004C2000-memory.dmp  | upx
  behavioral1/memory/1936-64-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral1/memory/1908-65-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral1/memory/1936-66-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral1/memory/240-67-0x0000000000400000-0x00000000004C2000-memory.dmp  | upx
  behavioral1/memory/1908-68-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
Enumerates connected drives  (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description             | ioc    | Process
  File opened (read-only) | \??\f: | svhost.exe
  File opened (read-only) | \??\k: | svhost.exe
  File opened (read-only) | \??\l: | svhost.exe
  File opened (read-only) | \??\p: | svhost.exe
  File opened (read-only) | \??\s: | svhost.exe
  File opened (read-only) | \??\t: | svhost.exe
  File opened (read-only) | \??\a: | svhost.exe
  File opened (read-only) | \??\i: | svhost.exe
  File opened (read-only) | \??\m: | svhost.exe
  File opened (read-only) | \??\n: | svhost.exe
  File opened (read-only) | \??\o: | svhost.exe
  File opened (read-only) | \??\w: | svhost.exe
  File opened (read-only) | \??\y: | svhost.exe
  File opened (read-only) | \??\z: | svhost.exe
  File opened (read-only) | \??\e: | svhost.exe
  File opened (read-only) | \??\g: | svhost.exe
  File opened (read-only) | \??\h: | svhost.exe
  File opened (read-only) | \??\j: | svhost.exe
  File opened (read-only) | \??\q: | svhost.exe
  File opened (read-only) | \??\r: | svhost.exe
  File opened (read-only) | \??\b: | svhost.exe
  File opened (read-only) | \??\v: | svhost.exe
  File opened (read-only) | \??\x: | svhost.exe
  File opened (read-only) | \??\u: | svhost.exe
AutoIT Executable  (6 IoCs)
AutoIT scripts compiled to PE executables.
  resource                                                                | yara_rule
  behavioral1/memory/240-62-0x0000000000400000-0x00000000004C2000-memory.dmp  | autoit_exe
  behavioral1/memory/1936-64-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral1/memory/1908-65-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral1/memory/1936-66-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral1/memory/240-67-0x0000000000400000-0x00000000004C2000-memory.dmp  | autoit_exe
  behavioral1/memory/1908-68-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
Drops file in Windows directory  (2 IoCs)
  description                  | ioc                   | Process
  File created                 | C:\Windows\svhost.exe | 7a8d1e05b50a7224a6e30e9a5011689e9e5f4f7687dfd915953e66635abb93e8.exe
  File opened for modification | C:\Windows\Driver.db  | svhost.exe
Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses  (5 IoCs)
  pid  | Process
  240  | 7a8d1e05b50a7224a6e30e9a5011689e9e5f4f7687dfd915953e66635abb93e8.exe
  1936 | svhost.exe
  1908 | svhost.exe
  1908 | svhost.exe
  1908 | svhost.exe
Suspicious use of FindShellTrayWindow  (64 IoCs)
  pid  | Process
  240  | 7a8d1e05b50a7224a6e30e9a5011689e9e5f4f7687dfd915953e66635abb93e8.exe
  1936 | svhost.exe
  1908 | svhost.exe
  (the 64 entries are repeated hits from these three processes)
Suspicious use of SendNotifyMessage  (64 IoCs)
  pid  | Process
  240  | 7a8d1e05b50a7224a6e30e9a5011689e9e5f4f7687dfd915953e66635abb93e8.exe
  1936 | svhost.exe
  1908 | svhost.exe
  (the 64 entries are repeated hits from these three processes)
Suspicious use of WriteProcessMemory  (8 IoCs)
  description                      | pid  | Process                                                              | procid_target
  PID 240 wrote to memory of 1936  | 240  | 7a8d1e05b50a7224a6e30e9a5011689e9e5f4f7687dfd915953e66635abb93e8.exe | 28
  PID 240 wrote to memory of 1936  | 240  | 7a8d1e05b50a7224a6e30e9a5011689e9e5f4f7687dfd915953e66635abb93e8.exe | 28
  PID 240 wrote to memory of 1936  | 240  | 7a8d1e05b50a7224a6e30e9a5011689e9e5f4f7687dfd915953e66635abb93e8.exe | 28
  PID 240 wrote to memory of 1936  | 240  | 7a8d1e05b50a7224a6e30e9a5011689e9e5f4f7687dfd915953e66635abb93e8.exe | 28
  PID 1936 wrote to memory of 1908 | 1936 | svhost.exe                                                           | 29
  PID 1936 wrote to memory of 1908 | 1936 | svhost.exe                                                           | 29
  PID 1936 wrote to memory of 1908 | 1936 | svhost.exe                                                           | 29
  PID 1936 wrote to memory of 1908 | 1936 | svhost.exe                                                           | 29
Processes
1. C:\Users\Admin\AppData\Local\Temp\7a8d1e05b50a7224a6e30e9a5011689e9e5f4f7687dfd915953e66635abb93e8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7a8d1e05b50a7224a6e30e9a5011689e9e5f4f7687dfd915953e66635abb93e8.exe"
   PID: 240
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\svhost.exe
      Command line: C:\Windows\svhost.exe
      PID: 1936
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\svhost.exe
         Command line: C:\Windows\svhost.exe
         PID: 1908
         - Modifies visibility of file extensions in Explorer
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 298KB
MD5: f8afa6fdb12238979f54312c60c5f021
SHA1: b0c59c538343693720dfbaefdfa8748163b21d3a
SHA256: 3eb95a541f1181cc586f93e22f80138fdb6564ed997fef5827b11ee5b719eb70
SHA512: 09e13e731fb11e73180fa2a918e533e195f0a30180807371877643eddb5f13362dce073c529ba7919fdb9da6f4d4a2541a796c39746dbf691dbf1c96071b68c5