ffb05df07cd40865a7afb667c897854f2f632075939ebf842f36a18d0daa1567

Analysis

max time kernel
167s
max time network
143s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
Size

454KB
MD5

318012ce38bc507935ed981bd6e89cc0
SHA1

a45a43cc3df626254cbb607f53e0f6019fafa8a7
SHA256

ffb05df07cd40865a7afb667c897854f2f632075939ebf842f36a18d0daa1567
SHA512

6f8136512c5d99b67c04ab08a31f5a7bd1190eb7669b01b8e670d91bb3a68650f3b7f814f50780cfceb29f55490d196f490ec7c12b48f160cb078256769204e8
SSDEEP

12288:X6Wq4aaE6KwyF5L0Y2D1PqLb6Wq4aan6Wq4aaE6KD:1thEVaPqLBthFthEb

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svhost.exe

Executes dropped EXE 1 IoCs

pid	Process
1896	svhost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2852-0-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/files/0x000e00000001200a-4.dat	upx
behavioral1/files/0x000e00000001200a-5.dat	upx
behavioral1/files/0x0007000000016621-65.dat	upx
behavioral1/memory/2852-265-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/1896-1152-0x0000000000400000-0x0000000000523000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\q:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\o:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\s:	svhost.exe
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe
File opened (read-only)	\??\w:	svhost.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2852-265-0x0000000000400000-0x0000000000523000-memory.dmp	autoit_exe
behavioral1/memory/1896-1152-0x0000000000400000-0x0000000000523000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
File opened for modification	C:\Windows\Driver.db	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1896	svhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
1896	svhost.exe
1896	svhost.exe
2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
1896	svhost.exe
2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
1896	svhost.exe
2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
1896	svhost.exe
1896	svhost.exe
2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
1896	svhost.exe
2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
1896	svhost.exe
2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe
1896	svhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 1896	2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe	28
PID 2852 wrote to memory of 1896	2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe	28
PID 2852 wrote to memory of 1896	2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe	28
PID 2852 wrote to memory of 1896	2852	318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe
"C:\Users\Admin\AppData\Local\Temp\318012ce38bc507935ed981bd6e89cc0_exe32_JC.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings.exe

Filesize
454KB

MD5
316f24f6cc37883884dc3bd51ecdcc9c

SHA1
905a9260e48406406223802a3b7fba9459a29cae

SHA256
9a95804ffc7abd90507902c01374d3ea4d141815c29c1eaeb7f88be088f89706

SHA512
d97c13a2bb641310f0230b974adcb2e2daaa34a5541818f0e5b15f3f29d5a7937149248b6503f8c0a72904714a9af17fb8a994ea150c16c5014901b6fea94cd6

Download Submit
C:\Windows\Driver.db

Filesize
82B

MD5
c2d2dc50dca8a2bfdc8e2d59dfa5796d

SHA1
7a6150fc53244e28d1bcea437c0c9d276c41ccad

SHA256
b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960

SHA512
6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Download Submit
C:\Windows\svhost.exe

Filesize
454KB

MD5
cf72f662e80d7b30403a47bc2b281fff

SHA1
0e451527d9acc0abda11bde0be15cd186cb90c94

SHA256
39469e0015e0d2d83955d5c84c60c5c95f518892990c2a0ab334f0cd019b6072

SHA512
c135a02bfe8922f4c0fa4010167380cf8e77a49c2031b563fff4fe20301790a0f2a095f1d09a27c6109fd79669a33efafffeead7b19dc68209336fa93a13476d

Download Submit
C:\Windows\svhost.exe

Filesize
454KB

MD5
cf72f662e80d7b30403a47bc2b281fff

SHA1
0e451527d9acc0abda11bde0be15cd186cb90c94

SHA256
39469e0015e0d2d83955d5c84c60c5c95f518892990c2a0ab334f0cd019b6072

SHA512
c135a02bfe8922f4c0fa4010167380cf8e77a49c2031b563fff4fe20301790a0f2a095f1d09a27c6109fd79669a33efafffeead7b19dc68209336fa93a13476d

Download Submit
memory/1896-1152-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2852-0-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2852-265-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2852-273-0x0000000003B30000-0x0000000003C53000-memory.dmp

Filesize
1.1MB

Download