Analysis
max time kernel: 76s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2023 21:46
Behavioral task: behavioral1
Sample: 13a2c3eba44d5c15e8e1a519b362e86d.exe
Resource: win7-20231215-en
General
Target: 13a2c3eba44d5c15e8e1a519b362e86d.exe
Size: 298KB
MD5: 13a2c3eba44d5c15e8e1a519b362e86d
SHA1: c48a14effdedfbfd95d4c35771741a02317fc242
SHA256: 5a1edf05692bf694ebec3300e6e78a0ba22b5df735f8e323b0bb4e59cab4c092
SHA512: 5e12aab0ec83150125384b29500244248fbafe716715b184a2a95fc1f6c0e2343e1ee574d46aea4e7cd5f5c52f4c10ebf6854a295c0f623a1ae3033c91e651e5
SSDEEP: 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIY1:v6Wq4aaE6KwyF5L0Y2D1PqLk
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | svhost.exe
Executes dropped EXE (1 IoC)
pid | Process
2116 | svhost.exe
resource | yara_rule
behavioral1/memory/2608-0-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/files/0x000c000000012261-3.dat | upx
behavioral1/memory/2116-7-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/files/0x000c000000012261-6.dat | upx
behavioral1/files/0x0007000000016d2e-67.dat | upx
behavioral1/memory/2608-710-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2116-1324-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2116-2386-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2116-2561-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2116-3153-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2116-4168-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2116-5186-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2116-6238-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2116-7294-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2116-8622-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2116-9639-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2116-10590-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2116-11650-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2116-12979-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2116-14035-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2116-15097-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | Process | ioc
File opened (read-only) | svhost.exe | \??\i:, \??\t:, \??\y:, \??\z:, \??\b:, \??\h:, \??\k:, \??\m:, \??\w:, \??\x:, \??\g:, \??\j:, \??\l:, \??\o:, \??\q:, \??\s:, \??\u:, \??\v:, \??\a:, \??\e:, \??\n:, \??\p:, \??\r:
AutoIT Executable (17 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2116-7-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2608-710-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2116-1324-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2116-2386-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2116-2561-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2116-3153-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2116-4168-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2116-5186-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2116-6238-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2116-7294-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2116-8622-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2116-9639-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2116-10590-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2116-11650-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2116-12979-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2116-14035-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2116-15097-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\svhost.exe | 13a2c3eba44d5c15e8e1a519b362e86d.exe
File opened for modification | C:\Windows\Driver.db | svhost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2608 | 13a2c3eba44d5c15e8e1a519b362e86d.exe
2116 | svhost.exe
2116 | svhost.exe
2116 | svhost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2116 | svhost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (64 IoCs)
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2608 wrote to memory of 2116 | 2608 | 13a2c3eba44d5c15e8e1a519b362e86d.exe | 28
PID 2608 wrote to memory of 2116 | 2608 | 13a2c3eba44d5c15e8e1a519b362e86d.exe | 28
PID 2608 wrote to memory of 2116 | 2608 | 13a2c3eba44d5c15e8e1a519b362e86d.exe | 28
PID 2608 wrote to memory of 2116 | 2608 | 13a2c3eba44d5c15e8e1a519b362e86d.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\13a2c3eba44d5c15e8e1a519b362e86d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\13a2c3eba44d5c15e8e1a519b362e86d.exe"
   PID: 2608
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\svhost.exe
      Command line: C:\Windows\svhost.exe
      PID: 2116
      - Modifies visibility of file extensions in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 226KB
MD5: af57f8c7c3b206fdeb5c5970757faf17
SHA1: 30b4885b1940f1418e9a234f6727938515c6ae36
SHA256: 08e457cba47326140018081588462cd9482d6a1fc08e9098b43c9bad088c7433
SHA512: 9aa088cf069b85595530baa5b490daaf79dc06fb5af284c26e3fa607125c275414fe6fa1bf9c8bbd5353ccc75d502dd8fc44dcfc47fc75bff4263233f57423a9

Filesize: 82B
MD5: c2d2dc50dca8a2bfdc8e2d59dfa5796d
SHA1: 7a6150fc53244e28d1bcea437c0c9d276c41ccad
SHA256: b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960
SHA512: 6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Filesize: 225KB
MD5: 0fc7b819a185d9367ea6333138231878
SHA1: 7bfe95cead344ca2250e3bb53aa00c1b39a08736
SHA256: 18dc6526596e5e27ad0c01d7b0d5f75ae4d9684f56bde72313a0705c9b140f1d
SHA512: b4fb358bad2beb58d26b7ddbb75c348fbe9c7578f1ac19a147be56e6d81771bfe0c12c173d2594aa1bdce226dbe6ddd4bbd0c353049856baed0c3ea737a479fc

Filesize: 199KB
MD5: eea0b8a8f06f2d649534f14d3e3f5e70
SHA1: 5dd653dbd75a501ddd97ed36913fad5aefb15058
SHA256: 858de4ddea3e9800924d7ad17ba3b0038fa5a730c277ba683e6d62a85e8404f3
SHA512: 196676ea50bc29561e369101b30e9f2fb23d05780574f6541a828dffc0953dbf299961c29711d0d3a52e25b28d224a459a96cd607d532b38111c5606aa99d2aa