Analysis

  • max time kernel
    76s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-12-2023 21:46

General

  • Target

    13a2c3eba44d5c15e8e1a519b362e86d.exe

  • Size

    298KB

  • MD5

    13a2c3eba44d5c15e8e1a519b362e86d

  • SHA1

    c48a14effdedfbfd95d4c35771741a02317fc242

  • SHA256

    5a1edf05692bf694ebec3300e6e78a0ba22b5df735f8e323b0bb4e59cab4c092

  • SHA512

    5e12aab0ec83150125384b29500244248fbafe716715b184a2a95fc1f6c0e2343e1ee574d46aea4e7cd5f5c52f4c10ebf6854a295c0f623a1ae3033c91e651e5

  • SSDEEP

    6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIY1:v6Wq4aaE6KwyF5L0Y2D1PqLk

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 17 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13a2c3eba44d5c15e8e1a519b362e86d.exe
    "C:\Users\Admin\AppData\Local\Temp\13a2c3eba44d5c15e8e1a519b362e86d.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Windows\svhost.exe
      C:\Windows\svhost.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2116

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Documents and Settings.exe

    Filesize

    226KB

    MD5

    af57f8c7c3b206fdeb5c5970757faf17

    SHA1

    30b4885b1940f1418e9a234f6727938515c6ae36

    SHA256

    08e457cba47326140018081588462cd9482d6a1fc08e9098b43c9bad088c7433

    SHA512

    9aa088cf069b85595530baa5b490daaf79dc06fb5af284c26e3fa607125c275414fe6fa1bf9c8bbd5353ccc75d502dd8fc44dcfc47fc75bff4263233f57423a9

  • C:\Windows\Driver.db

    Filesize

    82B

    MD5

    c2d2dc50dca8a2bfdc8e2d59dfa5796d

    SHA1

    7a6150fc53244e28d1bcea437c0c9d276c41ccad

    SHA256

    b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960

    SHA512

    6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

  • C:\Windows\svhost.exe

    Filesize

    225KB

    MD5

    0fc7b819a185d9367ea6333138231878

    SHA1

    7bfe95cead344ca2250e3bb53aa00c1b39a08736

    SHA256

    18dc6526596e5e27ad0c01d7b0d5f75ae4d9684f56bde72313a0705c9b140f1d

    SHA512

    b4fb358bad2beb58d26b7ddbb75c348fbe9c7578f1ac19a147be56e6d81771bfe0c12c173d2594aa1bdce226dbe6ddd4bbd0c353049856baed0c3ea737a479fc

  • C:\Windows\svhost.exe

    Filesize

    199KB

    MD5

    eea0b8a8f06f2d649534f14d3e3f5e70

    SHA1

    5dd653dbd75a501ddd97ed36913fad5aefb15058

    SHA256

    858de4ddea3e9800924d7ad17ba3b0038fa5a730c277ba683e6d62a85e8404f3

    SHA512

    196676ea50bc29561e369101b30e9f2fb23d05780574f6541a828dffc0953dbf299961c29711d0d3a52e25b28d224a459a96cd607d532b38111c5606aa99d2aa

  • memory/2116-2561-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2116-5186-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2116-7-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2116-15097-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2116-1324-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2116-2386-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2116-14035-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2116-3153-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2116-4168-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2116-12979-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2116-6238-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2116-7294-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2116-8622-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2116-9639-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2116-10590-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2116-11650-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2608-5-0x00000000035F0000-0x00000000036B2000-memory.dmp (Filesize 776KB)
  • memory/2608-0-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
  • memory/2608-710-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize 776KB)
