Overview

Tasks (the leading number is the badge shown beside each task on the report page):

  Badge  Task                  Platform
  7      Static
  1      Speccy.exe            windows7-x64
  6      Speccy.exe            windows10-2004-x64
  7      Speccy64.exe          windows7-x64
  7      Speccy64.exe          windows10-2004-x64
  7      lang/lang-1026.dll    windows7-x64
  1      lang/lang-1026.dll    windows10-2004-x64
  1      lang/lang-1031.dll    windows7-x64
  1      lang/lang-1031.dll    windows10-2004-x64
  1      lang/lang-1033.dll    windows7-x64
  1      lang/lang-1033.dll    windows10-2004-x64
  1      lang/lang-1034.dll    windows7-x64
  1      lang/lang-1034.dll    windows10-2004-x64
  1      lang/lang-1035.dll    windows7-x64
  1      lang/lang-1035.dll    windows10-2004-x64
  1      lang/lang-1036.dll    windows7-x64
  1      lang/lang-1036.dll    windows10-2004-x64
  1      lang/lang-1037.dll    windows7-x64
  1      lang/lang-1037.dll    windows10-2004-x64
  1      lang/lang-1038.dll    windows7-x64
  1      lang/lang-1038.dll    windows10-2004-x64
  1      lang/lang-1040.dll    windows7-x64
  1      lang/lang-1040.dll    windows10-2004-x64
  1      lang/lang-1041.dll    windows7-x64
  1      lang/lang-1041.dll    windows10-2004-x64
  1      lang/lang-1043.dll    windows7-x64
  1      lang/lang-1043.dll    windows10-2004-x64
  1      lang/lang-1045.dll    windows7-x64
  1      lang/lang-1045.dll    windows10-2004-x64
  1      lang/lang-1046.dll    windows7-x64
  1      lang/lang-1046.dll    windows10-2004-x64
  1      lang/lang-1049.dll    windows7-x64
  1      lang/lang-1049.dll    windows10-2004-x64
Analysis

  max time kernel:   118s
  max time network:  128s
  platform:          windows7_x64
  resource:          win7-20231020-en
  resource tags:     arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  submitted:         07/11/2023, 14:38
Submitted tasks:

  Task           Sample                Resource
  static1        (static analysis)
  behavioral1    Speccy.exe            win7-20231020-en
  behavioral2    Speccy.exe            win10v2004-20231023-en
  behavioral3    Speccy64.exe          win7-20231025-en
  behavioral4    Speccy64.exe          win10v2004-20231023-en
  behavioral5    lang/lang-1026.dll    win7-20231025-en
  behavioral6    lang/lang-1026.dll    win10v2004-20231020-en
  behavioral7    lang/lang-1031.dll    win7-20231025-en
  behavioral8    lang/lang-1031.dll    win10v2004-20231023-en
  behavioral9    lang/lang-1033.dll    win7-20231025-en
  behavioral10   lang/lang-1033.dll    win10v2004-20231023-en
  behavioral11   lang/lang-1034.dll    win7-20231020-en
  behavioral12   lang/lang-1034.dll    win10v2004-20231023-en
  behavioral13   lang/lang-1035.dll    win7-20231023-en
  behavioral14   lang/lang-1035.dll    win10v2004-20231023-en
  behavioral15   lang/lang-1036.dll    win7-20231023-en
  behavioral16   lang/lang-1036.dll    win10v2004-20231023-en
  behavioral17   lang/lang-1037.dll    win7-20231020-en
  behavioral18   lang/lang-1037.dll    win10v2004-20231020-en
  behavioral19   lang/lang-1038.dll    win7-20231020-en
  behavioral20   lang/lang-1038.dll    win10v2004-20231020-en
  behavioral21   lang/lang-1040.dll    win7-20231025-en
  behavioral22   lang/lang-1040.dll    win10v2004-20231023-en
  behavioral23   lang/lang-1041.dll    win7-20231020-en
  behavioral24   lang/lang-1041.dll    win10v2004-20231020-en
  behavioral25   lang/lang-1043.dll    win7-20231023-en
  behavioral26   lang/lang-1043.dll    win10v2004-20231023-en
  behavioral27   lang/lang-1045.dll    win7-20231023-en
  behavioral28   lang/lang-1045.dll    win10v2004-20231023-en
  behavioral29   lang/lang-1046.dll    win7-20231023-en
  behavioral30   lang/lang-1046.dll    win10v2004-20231023-en
  behavioral31   lang/lang-1049.dll    win7-20231020-en
  behavioral32   lang/lang-1049.dll    win10v2004-20231023-en
General

  Target:  Speccy.exe
  Size:    5.0MB
  MD5:     5ceba11afa3cb63e73320786dc0652ca
  SHA1:    d6d0971807f15b2c80d3164353edd00629c8ded5
  SHA256:  fdea8741ef3af7375ae7a10564b863a01b3646a8c427249e183646409f9166d2
  SHA512:  933d2b749e671745aae64fe29b0ec61c4070a3367f316fe78218e16ebcd3659f1ad46d17f543ac121d7c0c3140fd939b1aec0dca2883250f20ca69c00fe07c48
  SSDEEP:  98304:yHMNlpept3gSuDdFeznGkcBLwX1Pge/7yhg0:UMoptYDdFhkp7w
Malware Config
Signatures
-
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

  description              ioc       Process
  File opened (read-only)  \??\R:    speccy64.exe
  File opened (read-only)  \??\T:    speccy64.exe
  File opened (read-only)  \??\W:    speccy64.exe
  File opened (read-only)  \??\Z:    speccy64.exe
  File opened (read-only)  \??\I:    speccy64.exe
  File opened (read-only)  \??\L:    speccy64.exe
  File opened (read-only)  \??\M:    speccy64.exe
  File opened (read-only)  \??\O:    speccy64.exe
  File opened (read-only)  \??\V:    speccy64.exe
  File opened (read-only)  \??\A:    speccy64.exe
  File opened (read-only)  \??\G:    speccy64.exe
  File opened (read-only)  \??\J:    speccy64.exe
  File opened (read-only)  \??\N:    speccy64.exe
  File opened (read-only)  \??\X:    speccy64.exe
  File opened (read-only)  \??\K:    speccy64.exe
  File opened (read-only)  \??\P:    speccy64.exe
  File opened (read-only)  \??\S:    speccy64.exe
  File opened (read-only)  \??\U:    speccy64.exe
  File opened (read-only)  \??\Y:    speccy64.exe
  File opened (read-only)  \??\B:    speccy64.exe
  File opened (read-only)  \??\E:    speccy64.exe
  File opened (read-only)  \??\H:    speccy64.exe
  File opened (read-only)  \??\Q:    speccy64.exe

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.

  description                   ioc                  Process
  File opened for modification  \??\PHYSICALDRIVE0   speccy64.exe

Drops file in Windows directory (3 IoCs)

  description                   ioc                                  Process
  File opened for modification  C:\Windows\INF\setupapi.app.log      speccy64.exe
  File opened for modification  C:\Windows\setupact.log              speccy64.exe
  File opened for modification  C:\Windows\setuperr.log              speccy64.exe

Suspicious behavior: EnumeratesProcesses (21 IoCs)

  pid    Process
  2828   speccy64.exe   (21 identical entries)

Suspicious behavior: LoadsDriver (1 IoCs)

  pid    Process
  472    Process not Found

Suspicious use of AdjustPrivilegeToken (7 IoCs)

  description                 pid    Process
  Token: SeRestorePrivilege   2828   speccy64.exe   (7 identical entries)

Suspicious use of FindShellTrayWindow (2 IoCs)

  pid    Process
  2828   speccy64.exe   (2 identical entries)

Suspicious use of SendNotifyMessage (2 IoCs)

  pid    Process
  2828   speccy64.exe   (2 identical entries)

Suspicious use of SetWindowsHookEx (2 IoCs)

  pid    Process
  2828   speccy64.exe   (2 identical entries)

Suspicious use of WriteProcessMemory (7 IoCs)

  description                      pid    Process        procid_target
  PID 2628 wrote to memory of 2828 2628   Speccy.exe     28   (4 identical entries)
  PID 2828 wrote to memory of 3040 2828   speccy64.exe   31   (3 identical entries)
Processes

  C:\Users\Admin\AppData\Local\Temp\Speccy.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Speccy.exe"
    PID: 2628
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\speccy64.exe  (child of PID 2628)
      command line: "C:\Users\Admin\AppData\Local\Temp\Speccy.exe"
      PID: 2828
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Java\jre7\bin\java.exe  (child of PID 2828)
        command line: "C:\Program Files\Java\jre7\bin\java" -version
        PID: 3040

  C:\Windows\system32\wbem\WmiApSrv.exe
    command line: C:\Windows\system32\wbem\WmiApSrv.exe
    PID: 1644