b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314

Analysis

max time kernel
334s
max time network
414s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
Size

368KB
MD5

c766a6bb8dc3988bbaf92dd98be8aa6c
SHA1

f44ae2f9e62f00f0488c52cf913656a1db621457
SHA256

b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314
SHA512

cc4626fb40a4b41af57ae7c1ba32c2228066015eea7fb37b2e2860689756888296129ff0bc64ccdd4783d7923e41254638567f6c10a0331f1aefdb7583444996
SSDEEP

6144:gDCwfG1bnxLERR9sa/6XDCwfG1bnxLERR9sa/6f2:g72bntEL9//6X72bntEL9//6e

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe

Executes dropped EXE 6 IoCs

pid	Process
2556	avscan.exe
1416	avscan.exe
4524	hosts.exe
1220	hosts.exe
4772	avscan.exe
4672	hosts.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
File created	\??\c:\windows\W_X_C.bat	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
File opened for modification	C:\Windows\hosts.exe	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4748	REG.exe
1184	REG.exe
1492	REG.exe
3184	REG.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5084	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
2556	avscan.exe
4524	hosts.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5084	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
2556	avscan.exe
1416	avscan.exe
1220	hosts.exe
4524	hosts.exe
4772	avscan.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 1184	5084	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	80
PID 5084 wrote to memory of 1184	5084	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	80
PID 5084 wrote to memory of 1184	5084	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	80
PID 5084 wrote to memory of 1492	5084	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	83
PID 5084 wrote to memory of 1492	5084	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	83
PID 5084 wrote to memory of 1492	5084	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	83
PID 5084 wrote to memory of 2556	5084	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	86
PID 5084 wrote to memory of 2556	5084	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	86
PID 5084 wrote to memory of 2556	5084	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	86
PID 2556 wrote to memory of 1416	2556	avscan.exe	87
PID 2556 wrote to memory of 1416	2556	avscan.exe	87
PID 2556 wrote to memory of 1416	2556	avscan.exe	87
PID 5084 wrote to memory of 4656	5084	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	89
PID 5084 wrote to memory of 4656	5084	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	89
PID 5084 wrote to memory of 4656	5084	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	89
PID 2556 wrote to memory of 4164	2556	avscan.exe	88
PID 2556 wrote to memory of 4164	2556	avscan.exe	88
PID 2556 wrote to memory of 4164	2556	avscan.exe	88
PID 2556 wrote to memory of 3184	2556	avscan.exe	92
PID 2556 wrote to memory of 3184	2556	avscan.exe	92
PID 2556 wrote to memory of 3184	2556	avscan.exe	92
PID 2556 wrote to memory of 4748	2556	avscan.exe	94
PID 2556 wrote to memory of 4748	2556	avscan.exe	94
PID 2556 wrote to memory of 4748	2556	avscan.exe	94
PID 4164 wrote to memory of 1220	4164	cmd.exe	97
PID 4164 wrote to memory of 1220	4164	cmd.exe	97
PID 4164 wrote to memory of 1220	4164	cmd.exe	97
PID 4656 wrote to memory of 4524	4656	cmd.exe	98
PID 4656 wrote to memory of 4524	4656	cmd.exe	98
PID 4656 wrote to memory of 4524	4656	cmd.exe	98
PID 4524 wrote to memory of 4772	4524	hosts.exe	99
PID 4524 wrote to memory of 4772	4524	hosts.exe	99
PID 4524 wrote to memory of 4772	4524	hosts.exe	99
PID 4524 wrote to memory of 1224	4524	hosts.exe	100
PID 4524 wrote to memory of 1224	4524	hosts.exe	100
PID 4524 wrote to memory of 1224	4524	hosts.exe	100
PID 1224 wrote to memory of 4672	1224	cmd.exe	102
PID 1224 wrote to memory of 4672	1224	cmd.exe	102
PID 1224 wrote to memory of 4672	1224	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
"C:\Users\Admin\AppData\Local\Temp\b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1184
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1220
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3184
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1224
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        
        PID:4672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
368KB

MD5
f01a834f5f4ecbe668a52091d2d3f444

SHA1
210339304dc689de1202bdacc26e132fb05ab2cf

SHA256
5980ff755b1a0a8c29e4dff7ac27c88f9e27c464b7908ee1b450b171c460dba7

SHA512
c6d92271d86fa072b69a475eec54822ad80ae4851847208db3e01bfab1dade5eb70bcb6511c476b4bf4da49c464c7465d34673b19f5e9da693137e5d6c9a690d

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
368KB

MD5
f01a834f5f4ecbe668a52091d2d3f444

SHA1
210339304dc689de1202bdacc26e132fb05ab2cf

SHA256
5980ff755b1a0a8c29e4dff7ac27c88f9e27c464b7908ee1b450b171c460dba7

SHA512
c6d92271d86fa072b69a475eec54822ad80ae4851847208db3e01bfab1dade5eb70bcb6511c476b4bf4da49c464c7465d34673b19f5e9da693137e5d6c9a690d

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
368KB

MD5
f01a834f5f4ecbe668a52091d2d3f444

SHA1
210339304dc689de1202bdacc26e132fb05ab2cf

SHA256
5980ff755b1a0a8c29e4dff7ac27c88f9e27c464b7908ee1b450b171c460dba7

SHA512
c6d92271d86fa072b69a475eec54822ad80ae4851847208db3e01bfab1dade5eb70bcb6511c476b4bf4da49c464c7465d34673b19f5e9da693137e5d6c9a690d

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
368KB

MD5
f01a834f5f4ecbe668a52091d2d3f444

SHA1
210339304dc689de1202bdacc26e132fb05ab2cf

SHA256
5980ff755b1a0a8c29e4dff7ac27c88f9e27c464b7908ee1b450b171c460dba7

SHA512
c6d92271d86fa072b69a475eec54822ad80ae4851847208db3e01bfab1dade5eb70bcb6511c476b4bf4da49c464c7465d34673b19f5e9da693137e5d6c9a690d

Download Submit
C:\Windows\hosts.exe

Filesize
368KB

MD5
f01a834f5f4ecbe668a52091d2d3f444

SHA1
210339304dc689de1202bdacc26e132fb05ab2cf

SHA256
5980ff755b1a0a8c29e4dff7ac27c88f9e27c464b7908ee1b450b171c460dba7

SHA512
c6d92271d86fa072b69a475eec54822ad80ae4851847208db3e01bfab1dade5eb70bcb6511c476b4bf4da49c464c7465d34673b19f5e9da693137e5d6c9a690d

Download Submit
C:\Windows\hosts.exe

Filesize
368KB

MD5
71b72a18490b55272fd7827acfc0104f

SHA1
bdd379e1b595b00e30002d6c8a8bfa69e1845487

SHA256
81801689992ed3bf6b0f4db515f3057c709c9e73079988548c0ef81f9404457a

SHA512
3f2b30116d150d55ff1aab3a2b3b07a03fe0c11a3ce85a8e61c9d9b420c3d9869650951ea6515d5285f3d2aa8f4ed92998379a959eb15951b26b668299193413

Download Submit
C:\Windows\hosts.exe

Filesize
368KB

MD5
71b72a18490b55272fd7827acfc0104f

SHA1
bdd379e1b595b00e30002d6c8a8bfa69e1845487

SHA256
81801689992ed3bf6b0f4db515f3057c709c9e73079988548c0ef81f9404457a

SHA512
3f2b30116d150d55ff1aab3a2b3b07a03fe0c11a3ce85a8e61c9d9b420c3d9869650951ea6515d5285f3d2aa8f4ed92998379a959eb15951b26b668299193413

Download Submit
C:\Windows\hosts.exe

Filesize
368KB

MD5
71b72a18490b55272fd7827acfc0104f

SHA1
bdd379e1b595b00e30002d6c8a8bfa69e1845487

SHA256
81801689992ed3bf6b0f4db515f3057c709c9e73079988548c0ef81f9404457a

SHA512
3f2b30116d150d55ff1aab3a2b3b07a03fe0c11a3ce85a8e61c9d9b420c3d9869650951ea6515d5285f3d2aa8f4ed92998379a959eb15951b26b668299193413

Download Submit
C:\windows\hosts.exe

Filesize
368KB

MD5
71b72a18490b55272fd7827acfc0104f

SHA1
bdd379e1b595b00e30002d6c8a8bfa69e1845487

SHA256
81801689992ed3bf6b0f4db515f3057c709c9e73079988548c0ef81f9404457a

SHA512
3f2b30116d150d55ff1aab3a2b3b07a03fe0c11a3ce85a8e61c9d9b420c3d9869650951ea6515d5285f3d2aa8f4ed92998379a959eb15951b26b668299193413

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads