6dbbe86be4a70e91a8b8f1e21202b6e733dec8d35f535cd81643fcd02e8e263b

Analysis

max time kernel
134s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03785c361c90be52900c5136081911e6.exe
Size

249KB
MD5

03785c361c90be52900c5136081911e6
SHA1

c44b7caedf38bcabb8813f8a7f2720782c66e161
SHA256

6dbbe86be4a70e91a8b8f1e21202b6e733dec8d35f535cd81643fcd02e8e263b
SHA512

dbf4bb452dd50f6743edad031be99f47f003c6bebbd675c656ab6836f9b064d68599d64d70aa4d08ecff39416d4b274deca952fb8eaf9ff5550a67ba3bd02a84
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQSq54p1YYhD/6KgXz:gDCwfG1bnxLERRLT3YYhLrgXz

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	03785c361c90be52900c5136081911e6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	03785c361c90be52900c5136081911e6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DJLAPDMX = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DJLAPDMX = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DJLAPDMX = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
2140	avscan.exe
2836	avscan.exe
2580	hosts.exe
2400	avscan.exe
2776	hosts.exe
2240	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
2064	03785c361c90be52900c5136081911e6.exe
2064	03785c361c90be52900c5136081911e6.exe
2140	avscan.exe
2580	hosts.exe
2580	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	03785c361c90be52900c5136081911e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	\??\c:\windows\W_X_C.bat	03785c361c90be52900c5136081911e6.exe
File opened for modification	C:\Windows\hosts.exe	03785c361c90be52900c5136081911e6.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	03785c361c90be52900c5136081911e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1976	REG.exe
2368	REG.exe
1764	REG.exe
2312	REG.exe
2264	REG.exe
1564	REG.exe
1816	REG.exe
2548	REG.exe
1224	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2140	avscan.exe
2580	hosts.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2064	03785c361c90be52900c5136081911e6.exe
2140	avscan.exe
2580	hosts.exe
2400	avscan.exe
2776	hosts.exe
2240	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2548	2064	03785c361c90be52900c5136081911e6.exe	28
PID 2064 wrote to memory of 2548	2064	03785c361c90be52900c5136081911e6.exe	28
PID 2064 wrote to memory of 2548	2064	03785c361c90be52900c5136081911e6.exe	28
PID 2064 wrote to memory of 2548	2064	03785c361c90be52900c5136081911e6.exe	28
PID 2064 wrote to memory of 2140	2064	03785c361c90be52900c5136081911e6.exe	30
PID 2064 wrote to memory of 2140	2064	03785c361c90be52900c5136081911e6.exe	30
PID 2064 wrote to memory of 2140	2064	03785c361c90be52900c5136081911e6.exe	30
PID 2064 wrote to memory of 2140	2064	03785c361c90be52900c5136081911e6.exe	30
PID 2140 wrote to memory of 2836	2140	avscan.exe	31
PID 2140 wrote to memory of 2836	2140	avscan.exe	31
PID 2140 wrote to memory of 2836	2140	avscan.exe	31
PID 2140 wrote to memory of 2836	2140	avscan.exe	31
PID 2064 wrote to memory of 2804	2064	03785c361c90be52900c5136081911e6.exe	32
PID 2064 wrote to memory of 2804	2064	03785c361c90be52900c5136081911e6.exe	32
PID 2064 wrote to memory of 2804	2064	03785c361c90be52900c5136081911e6.exe	32
PID 2064 wrote to memory of 2804	2064	03785c361c90be52900c5136081911e6.exe	32
PID 2804 wrote to memory of 2580	2804	cmd.exe	35
PID 2804 wrote to memory of 2580	2804	cmd.exe	35
PID 2804 wrote to memory of 2580	2804	cmd.exe	35
PID 2804 wrote to memory of 2580	2804	cmd.exe	35
PID 2140 wrote to memory of 2608	2140	avscan.exe	34
PID 2140 wrote to memory of 2608	2140	avscan.exe	34
PID 2140 wrote to memory of 2608	2140	avscan.exe	34
PID 2140 wrote to memory of 2608	2140	avscan.exe	34
PID 2608 wrote to memory of 2776	2608	cmd.exe	38
PID 2608 wrote to memory of 2776	2608	cmd.exe	38
PID 2608 wrote to memory of 2776	2608	cmd.exe	38
PID 2608 wrote to memory of 2776	2608	cmd.exe	38
PID 2580 wrote to memory of 2400	2580	hosts.exe	37
PID 2580 wrote to memory of 2400	2580	hosts.exe	37
PID 2580 wrote to memory of 2400	2580	hosts.exe	37
PID 2580 wrote to memory of 2400	2580	hosts.exe	37
PID 2804 wrote to memory of 2936	2804	cmd.exe	39
PID 2804 wrote to memory of 2936	2804	cmd.exe	39
PID 2804 wrote to memory of 2936	2804	cmd.exe	39
PID 2804 wrote to memory of 2936	2804	cmd.exe	39
PID 2608 wrote to memory of 2644	2608	cmd.exe	40
PID 2608 wrote to memory of 2644	2608	cmd.exe	40
PID 2608 wrote to memory of 2644	2608	cmd.exe	40
PID 2608 wrote to memory of 2644	2608	cmd.exe	40
PID 2580 wrote to memory of 1080	2580	hosts.exe	41
PID 2580 wrote to memory of 1080	2580	hosts.exe	41
PID 2580 wrote to memory of 1080	2580	hosts.exe	41
PID 2580 wrote to memory of 1080	2580	hosts.exe	41
PID 1080 wrote to memory of 2240	1080	cmd.exe	43
PID 1080 wrote to memory of 2240	1080	cmd.exe	43
PID 1080 wrote to memory of 2240	1080	cmd.exe	43
PID 1080 wrote to memory of 2240	1080	cmd.exe	43
PID 1080 wrote to memory of 484	1080	cmd.exe	44
PID 1080 wrote to memory of 484	1080	cmd.exe	44
PID 1080 wrote to memory of 484	1080	cmd.exe	44
PID 1080 wrote to memory of 484	1080	cmd.exe	44
PID 2140 wrote to memory of 1224	2140	avscan.exe	47
PID 2140 wrote to memory of 1224	2140	avscan.exe	47
PID 2140 wrote to memory of 1224	2140	avscan.exe	47
PID 2140 wrote to memory of 1224	2140	avscan.exe	47
PID 2580 wrote to memory of 1764	2580	hosts.exe	49
PID 2580 wrote to memory of 1764	2580	hosts.exe	49
PID 2580 wrote to memory of 1764	2580	hosts.exe	49
PID 2580 wrote to memory of 1764	2580	hosts.exe	49
PID 2140 wrote to memory of 2264	2140	avscan.exe	51
PID 2140 wrote to memory of 2264	2140	avscan.exe	51
PID 2140 wrote to memory of 2264	2140	avscan.exe	51
PID 2140 wrote to memory of 2264	2140	avscan.exe	51

C:\Users\Admin\AppData\Local\Temp\03785c361c90be52900c5136081911e6.exe
"C:\Users\Admin\AppData\Local\Temp\03785c361c90be52900c5136081911e6.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2776
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:2644
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1224
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2264
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1564
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2400
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2240
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:484
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1764
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:2312
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1816
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:2368
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
547KB

MD5
e481594d5dc008525a424d94442b99b8

SHA1
f83a63bd6d3d5dff5dffe5fec97e4c4280163189

SHA256
a5ffa38752f3ab799f7a769fca635d9784a6f1b58a183e58aaa0acc6b3d210c4

SHA512
43c6f21b253de549c3ac1415af03feb3b35a087c1e0c0c572281df48c9ffac9d740fe8ad44f6b3738cda540047282faeb2c3876c68165a132105c775c3919f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
797KB

MD5
6ef769bbe12775b035b51344f71c4721

SHA1
55b990a6d65a7c765ccf84a7bdd9c6efc8847bc7

SHA256
ad53cea4576b3668dbaf11978c2fe5210b7f6a67810832ee4303c625060f486e

SHA512
5f70b006c95120ca0c82343d44d7a370ee9b24420a14670dfd888811bfbffb8d8064aa5155dc7c89434c71a064fdc7380e9b138d8ece567349722238384359b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.0MB

MD5
8879d59b94344a79644e2602a8bf1569

SHA1
14b64c29314285cba1b179684326b2792789b239

SHA256
4a8c60f264eb418f67f682301df9f13db3f2415b94c860a2805559d249f471fa

SHA512
e293a472dd6dfa18fa34e2ccc43cb2d6b0b74152a5c4d2a1a25923730170f952018422f8435d2ced4ac64c669c0a47b4e75058a4fcc550ac004170d13de75076

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
47d9a0501be64d936d498f129f198179

SHA1
d09956f920c6e4d65e2dcaed6db3d3a7a1729f89

SHA256
5c5e3c6ac3a03e81ff233aff377d8fda5b978e91bdc94dbdb8b28907e9ce934c

SHA512
bb5336742da2826272bf5a9e07cba215cd582dd5eae5a58aa6d8bcab02229a2b6e8f249a95d372df0e1d55119f3b191c75375cf484df7fe5527c6b032f151719

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.5MB

MD5
a6c9601580043ded493dc0e6817d0819

SHA1
4f1971d7ec128a90ebf0299fd27dae3256626077

SHA256
bb2e95e9bc7c7dee9ac4ee22250fc63cb31ad779671f49ccf4928feca9f69891

SHA512
ac05cfc6c5e09e978ae04448be0ee5a625066e383ad795dfa2011a4e0839d67be36bb1bc565bcf4ffa008315bd34440616d4143871cdffb20308290ad3998c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.8MB

MD5
50670a1fc27c6ac715ee663219057445

SHA1
0025f6fb89c429d5c78b3bb779dddb87f8587ae8

SHA256
47466cac2f1b91a946d8da22aa82c976ef89b4388b0f2098d637dd4a4678ebe2

SHA512
4e83ab3d19ff15f1cb087c3e5ab5fa5e6ed725153e5688d13b5a28a4f58dca106f22e34810f8f99101e03ed8047ec8e6990cd84495df4cc343beb211084f38ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.0MB

MD5
fc6901d571009c228467b436e0fa39fc

SHA1
8ccff1d5d23400825b5795ac2819859ac4d98689

SHA256
0ecb5bb5b1b64f364b7c4a7653bca6af6b3045fa731a6ac2745571f699b16956

SHA512
a2444f054ddb3fb7cf7573e590b677ce8d774370c8f54f9fae0aa033ddb79bbbe71e7519015ec0a8bb6dec6c4cc74f0164df5d9d467d4ba27b3f6e78d800a147

Download Submit
C:\Windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
22f1fd14fe325764dab227173a9f41dd

SHA1
c261874cfc4188ca7143ab388abd013c75ee025a

SHA256
02c1c47b6a5a4d22b04d36f9f34e3f2f0a1c3153512f8e7aa115c4f60fe7f1ae

SHA512
1522c988877c80f38833b8fac45ed36850be2eeb6c9d06d00a4baa67c7f85157dd11553ff82ee4cdf38172cffee841e30ca6c93d090bf608b060222549646ed9

Download Submit
C:\Windows\hosts.exe

Filesize
249KB

MD5
f5a162d0a8f97fe703169e8f4721f87a

SHA1
968be97c92f7dfdfd855b1231647a3979a438c8b

SHA256
ffc5ceac8f1fbdb224b91b33d536b78aaa4afd8725ffc622950db368059babdf

SHA512
331b3eb4fdbb98afc1e8e52cc0d8f9ad77d8d2b524a00aa20b3a731e0a9b684046a8752ac1aeaa7348813a334891af65af30ffe850710d6db8bb69ad7bd71ea6

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
249KB

MD5
206f5c6a44a62e3bd068cebf0ecf4b86

SHA1
b75942123859f310e27d35ad7ca8b8e3461072e5

SHA256
670b2dc3bbf345c068f6b784c6ef1706d6b758a68d9440750a143b029a5c467e

SHA512
56154ce7ef9ea668c833d893a7213101f25f3d3ca5e8d6bd26157bbdf10015e00c9076333d476b8c79fe24268d86a3fe8bb8a80f5d01743b9ac5a4fe514dbb77

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads