6dbbe86be4a70e91a8b8f1e21202b6e733dec8d35f535cd81643fcd02e8e263b

Analysis

max time kernel
152s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03785c361c90be52900c5136081911e6.exe
Size

249KB
MD5

03785c361c90be52900c5136081911e6
SHA1

c44b7caedf38bcabb8813f8a7f2720782c66e161
SHA256

6dbbe86be4a70e91a8b8f1e21202b6e733dec8d35f535cd81643fcd02e8e263b
SHA512

dbf4bb452dd50f6743edad031be99f47f003c6bebbd675c656ab6836f9b064d68599d64d70aa4d08ecff39416d4b274deca952fb8eaf9ff5550a67ba3bd02a84
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQSq54p1YYhD/6KgXz:gDCwfG1bnxLERRLT3YYhLrgXz

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	03785c361c90be52900c5136081911e6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	03785c361c90be52900c5136081911e6.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\EYHRDPTG = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\EYHRDPTG = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\EYHRDPTG = "W_X_C.bat"	WScript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
2396	avscan.exe
912	avscan.exe
2704	hosts.exe
2280	hosts.exe
760	avscan.exe
1760	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	03785c361c90be52900c5136081911e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	03785c361c90be52900c5136081911e6.exe
File created	\??\c:\windows\W_X_C.bat	03785c361c90be52900c5136081911e6.exe
File opened for modification	C:\Windows\hosts.exe	03785c361c90be52900c5136081911e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	03785c361c90be52900c5136081911e6.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
4832	REG.exe
4148	REG.exe
2348	REG.exe
3992	REG.exe
1344	REG.exe
760	REG.exe
2624	REG.exe
4504	REG.exe
720	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2396	avscan.exe
2704	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4848	03785c361c90be52900c5136081911e6.exe
2396	avscan.exe
912	avscan.exe
2704	hosts.exe
2280	hosts.exe
760	avscan.exe
1760	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2348	4848	03785c361c90be52900c5136081911e6.exe	88
PID 4848 wrote to memory of 2348	4848	03785c361c90be52900c5136081911e6.exe	88
PID 4848 wrote to memory of 2348	4848	03785c361c90be52900c5136081911e6.exe	88
PID 4848 wrote to memory of 2396	4848	03785c361c90be52900c5136081911e6.exe	93
PID 4848 wrote to memory of 2396	4848	03785c361c90be52900c5136081911e6.exe	93
PID 4848 wrote to memory of 2396	4848	03785c361c90be52900c5136081911e6.exe	93
PID 2396 wrote to memory of 912	2396	avscan.exe	94
PID 2396 wrote to memory of 912	2396	avscan.exe	94
PID 2396 wrote to memory of 912	2396	avscan.exe	94
PID 2396 wrote to memory of 4720	2396	avscan.exe	95
PID 2396 wrote to memory of 4720	2396	avscan.exe	95
PID 2396 wrote to memory of 4720	2396	avscan.exe	95
PID 4848 wrote to memory of 4972	4848	03785c361c90be52900c5136081911e6.exe	98
PID 4848 wrote to memory of 4972	4848	03785c361c90be52900c5136081911e6.exe	98
PID 4848 wrote to memory of 4972	4848	03785c361c90be52900c5136081911e6.exe	98
PID 4720 wrote to memory of 2704	4720	cmd.exe	100
PID 4720 wrote to memory of 2704	4720	cmd.exe	100
PID 4720 wrote to memory of 2704	4720	cmd.exe	100
PID 4972 wrote to memory of 2280	4972	cmd.exe	99
PID 4972 wrote to memory of 2280	4972	cmd.exe	99
PID 4972 wrote to memory of 2280	4972	cmd.exe	99
PID 2704 wrote to memory of 760	2704	hosts.exe	101
PID 2704 wrote to memory of 760	2704	hosts.exe	101
PID 2704 wrote to memory of 760	2704	hosts.exe	101
PID 2704 wrote to memory of 1620	2704	hosts.exe	103
PID 2704 wrote to memory of 1620	2704	hosts.exe	103
PID 2704 wrote to memory of 1620	2704	hosts.exe	103
PID 1620 wrote to memory of 1760	1620	cmd.exe	105
PID 1620 wrote to memory of 1760	1620	cmd.exe	105
PID 1620 wrote to memory of 1760	1620	cmd.exe	105
PID 4972 wrote to memory of 4444	4972	cmd.exe	107
PID 4972 wrote to memory of 4444	4972	cmd.exe	107
PID 4972 wrote to memory of 4444	4972	cmd.exe	107
PID 4720 wrote to memory of 4448	4720	cmd.exe	106
PID 4720 wrote to memory of 4448	4720	cmd.exe	106
PID 4720 wrote to memory of 4448	4720	cmd.exe	106
PID 1620 wrote to memory of 4032	1620	cmd.exe	108
PID 1620 wrote to memory of 4032	1620	cmd.exe	108
PID 1620 wrote to memory of 4032	1620	cmd.exe	108
PID 2396 wrote to memory of 720	2396	avscan.exe	117
PID 2396 wrote to memory of 720	2396	avscan.exe	117
PID 2396 wrote to memory of 720	2396	avscan.exe	117
PID 2704 wrote to memory of 3992	2704	hosts.exe	119
PID 2704 wrote to memory of 3992	2704	hosts.exe	119
PID 2704 wrote to memory of 3992	2704	hosts.exe	119
PID 2704 wrote to memory of 760	2704	hosts.exe	126
PID 2704 wrote to memory of 760	2704	hosts.exe	126
PID 2704 wrote to memory of 760	2704	hosts.exe	126
PID 2396 wrote to memory of 1344	2396	avscan.exe	125
PID 2396 wrote to memory of 1344	2396	avscan.exe	125
PID 2396 wrote to memory of 1344	2396	avscan.exe	125
PID 2704 wrote to memory of 4832	2704	hosts.exe	134
PID 2704 wrote to memory of 4832	2704	hosts.exe	134
PID 2704 wrote to memory of 4832	2704	hosts.exe	134
PID 2396 wrote to memory of 2624	2396	avscan.exe	133
PID 2396 wrote to memory of 2624	2396	avscan.exe	133
PID 2396 wrote to memory of 2624	2396	avscan.exe	133
PID 2704 wrote to memory of 4148	2704	hosts.exe	141
PID 2704 wrote to memory of 4148	2704	hosts.exe	141
PID 2704 wrote to memory of 4148	2704	hosts.exe	141
PID 2396 wrote to memory of 4504	2396	avscan.exe	140
PID 2396 wrote to memory of 4504	2396	avscan.exe	140
PID 2396 wrote to memory of 4504	2396	avscan.exe	140

C:\Users\Admin\AppData\Local\Temp\03785c361c90be52900c5136081911e6.exe
"C:\Users\Admin\AppData\Local\Temp\03785c361c90be52900c5136081911e6.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:4032
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:3992
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:760
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:4832
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:4148
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:4448
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:720
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1344
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2624
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2280
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:4444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
249KB

MD5
b78409a9632475f1bbf03d4a26b5bb7a

SHA1
0f7ffef6647196917476e59217b3f10df36fa7a3

SHA256
82a18c6926b6064f9b8510d7e68f62a12738f995671395c0df9114ead9ddf8ff

SHA512
917cc1602d5cb602bf6efafb07e05b191749b3106967bdc72b4640cb1b3dd0de25a32264a33aedba369399dbaa49be8727864665429bc368ccd6fd60a45c5308

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
bbe2a4f9c5f03cc9f8c396245506b870

SHA1
a96fa0c0076d37429ccd626140662617db13a795

SHA256
4f18d3d3feb09ea28f39a71491141ed8ff45f3ec6cdbdd23968ee0a0161c9abe

SHA512
0ada79690cc95fa7812eaacf75de83b1365d12912bf573f61691afec7cb6f8b53e321602e787ab30a5216240a0536873d59bbfb09d5fee2a05d83b28822c605e

Download Submit
C:\Windows\hosts.exe

Filesize
249KB

MD5
af8f487c6080ad2aedded45d1551697d

SHA1
da88f70fc7a0359118a219f3b136128683c2dc75

SHA256
347f980224a17aa54500ffba8d3a21ad76c7f0ce593f71a4c013d13e4c94b921

SHA512
d189a9a2a84e95ef2d7445f47e0f3cf45a61c5eaacf50096269e40febb840ebe4fb698ded2eba6e4c66681b566180a3f93c8a92f65ed574ddb4d8c1653ab52fc

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads