6ce8f689c74722a039732db94db6f101694f9b2c749b484ede496ac58625aa65

Analysis

max time kernel
0s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0563f67d8ed40be2b17911c89cfb268f.exe
Size

182KB
MD5

0563f67d8ed40be2b17911c89cfb268f
SHA1

66a08b3735d997ad6285525a96ff8ba87956f9d4
SHA256

6ce8f689c74722a039732db94db6f101694f9b2c749b484ede496ac58625aa65
SHA512

7c9e17a7477a2e3977ad66f9ae31a4119045478ca9be130e8909eeb974dfe327cd40d9c91e773240e6c2423854f22c295b91cd5909a3f6246a1ce47b4e7ae6a6
SSDEEP

3072:ibpDCw1p3vmLvsZIaVwiwDcIbDHDCmzy8J1ywvBnAmsT:SDCwfG1bnxG8DBv7sT

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0563f67d8ed40be2b17911c89cfb268f.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0563f67d8ed40be2b17911c89cfb268f.exe

Executes dropped EXE 2 IoCs

pid	Process
1980	avscan.exe
2576	avscan.exe

Loads dropped DLL 3 IoCs

pid	Process
2216	0563f67d8ed40be2b17911c89cfb268f.exe
2216	0563f67d8ed40be2b17911c89cfb268f.exe
1980	avscan.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	0563f67d8ed40be2b17911c89cfb268f.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	0563f67d8ed40be2b17911c89cfb268f.exe
File created	\??\c:\windows\W_X_C.bat	0563f67d8ed40be2b17911c89cfb268f.exe
File opened for modification	C:\Windows\hosts.exe	0563f67d8ed40be2b17911c89cfb268f.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
572	REG.exe
776	REG.exe
2924	REG.exe
2384	REG.exe
1648	REG.exe
864	REG.exe
2104	REG.exe
2032	REG.exe
1536	REG.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2216	0563f67d8ed40be2b17911c89cfb268f.exe
1980	avscan.exe
2576	avscan.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2384	2216	0563f67d8ed40be2b17911c89cfb268f.exe	33
PID 2216 wrote to memory of 2384	2216	0563f67d8ed40be2b17911c89cfb268f.exe	33
PID 2216 wrote to memory of 2384	2216	0563f67d8ed40be2b17911c89cfb268f.exe	33
PID 2216 wrote to memory of 2384	2216	0563f67d8ed40be2b17911c89cfb268f.exe	33
PID 2216 wrote to memory of 1980	2216	0563f67d8ed40be2b17911c89cfb268f.exe	32
PID 2216 wrote to memory of 1980	2216	0563f67d8ed40be2b17911c89cfb268f.exe	32
PID 2216 wrote to memory of 1980	2216	0563f67d8ed40be2b17911c89cfb268f.exe	32
PID 2216 wrote to memory of 1980	2216	0563f67d8ed40be2b17911c89cfb268f.exe	32
PID 1980 wrote to memory of 2576	1980	avscan.exe	24
PID 1980 wrote to memory of 2576	1980	avscan.exe	24
PID 1980 wrote to memory of 2576	1980	avscan.exe	24
PID 1980 wrote to memory of 2576	1980	avscan.exe	24

C:\Users\Admin\AppData\Local\Temp\0563f67d8ed40be2b17911c89cfb268f.exe
"C:\Users\Admin\AppData\Local\Temp\0563f67d8ed40be2b17911c89cfb268f.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    PID:2848
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2032
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:572
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:776
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:864
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:2384

C:\windows\hosts.exe
C:\windows\hosts.exe
1⤵
PID:2564

C:\windows\hosts.exe
C:\windows\hosts.exe
1⤵
PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  PID:944
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  PID:1632
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1648
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1536
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:2924
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
1⤵
PID:2672
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
  2⤵
  PID:2952

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2576

C:\windows\hosts.exe
C:\windows\hosts.exe
1⤵
PID:2316

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
1⤵
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
53KB

MD5
d8687b86622ddf1a12f539b123ec9a57

SHA1
e85978480b22570594207e936b939369e7684bf7

SHA256
c12df631dd6741e27bfbe76f98f21d9bae989abfcaba5ad9315d3962cec740e6

SHA512
d62f0bd6e38a42fdd881eedb32f42887269166e0d5123c4b0a342b4748d58a5e91a17bbd7ed16ea7ad8bea93e8d68559e08d3ccffbbf873a88536b0024447553

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
67KB

MD5
c57b72c930f9824f495c840ac6126afa

SHA1
1cf8fde65f9776e043aef0106d5248dcb84815af

SHA256
82fc84134952fe66c8477a6209b47e83c7dd130b526d4fd38ccd143e14e54a74

SHA512
c3a3b61f116f9ece993640ace79c3f3a68121b0f7d165a30bf190dd049029fa8090e8966f0b631a5a4f879face291f882f3459b0949aee6a8f78edc7cef75228

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
44KB

MD5
6e6d7060c95af7d321e8d9849ff6a5f4

SHA1
24d43b606466e4c4c6a1a068e0bc4c716d275344

SHA256
fb0a426235f1bb103ce373610ed6eed7e58cfc5529edf5f73151b39946ab97b6

SHA512
2fcf64084314267eb58364429b9c9901e5be674358cd44bfffcddb62c82f9ddbeecd485d87ba68b065e1c9d64a7807128b9752b39d7f0d45a0d2fd4fd81a3995

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
45KB

MD5
0494da9080b3761b0481614b7f264236

SHA1
fe368299614281fde16ed4a6e8a2c544a6a3e34f

SHA256
24bfc9c1f5fbc659bc407a5e05ed5b2a8bc6976c20fbae8af04ef0c9749a4a41

SHA512
54a410f8dfb2918debac3009c3ed0850ae64f757240ca3b208d85092d0a9b7685d8be4fcbf034d713f50244b1095b665858861fb39fe6a136d1a8769a8c6b86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
67KB

MD5
a3d634026a94cf53433ea7b9c64f7404

SHA1
2dd34f4061c4cefb16de67b6f50cdb50a32a76e9

SHA256
6ad7d69e7481f204ea03f00a742d779322a470472e53561fd38ba5c911d689e8

SHA512
1bc696c724431c9367ae943d7ba942bcbdf618e730fd07ee5ce52eda756908cfd09f6bc4d414a891740c126e44d40752cc294c7fe2c421c6807f4cd1ac5fc203

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
15KB

MD5
bebc409c0a25ba702b735aeba00444a3

SHA1
1e7eb9d1479eb1b243e5f994318cfcb7b1b04396

SHA256
80749e6eb450fb5090ff665d063fce3202103ce025cc1cea33d4a0b01fead2db

SHA512
e445acf0b1d738410e3862f2807efa1da868ba16d1a13a40d27aedfa104f0f9835302b6620d136c7fbe155ee43ec9c32f2fb42d010d0656c24c048f93e503c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
77KB

MD5
89d874381880863f92f4122c6ba17431

SHA1
9711dca366b603c8bcc49e78c101cd025e665cc9

SHA256
80f01e004b47b6b0e8478ef33b50692feafcc33dd5aed9fa024ef6211b6ecba4

SHA512
d9689359b351771a31ae9ad27394eb81d5a2f2075de9ec7ef32d2e6563ad54f51cd763d2997f5b683fdf49dfc423ecdfcaf377d17a8bdfc8ed449320a74ff87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
37KB

MD5
83f934ec7ca79f070753faec00e74f5b

SHA1
a629aabd6a8f3e9f2718d6dd9c37b87a60dcafd7

SHA256
95eec74143967801aa9f0888ab7da5fd1469ab7ef172c0bcec8a029d2c7feda6

SHA512
ca57d2c9f99f7ad0ec71fd18240b1949488b4042f05fd0e4a13c299c9b3964381587c44dff3d3d0708bc243bf2b002f420263335d3bf28f7f3e1ad3d187c0d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
39KB

MD5
97b755e6d5c722fbae2b79ea6998b646

SHA1
1962c942633952d21431a59334d5886412eb0f46

SHA256
b311d1f2afe814688879e5256e4f45d14d70a1f1085b54554ffca0d8fa625b78

SHA512
1a7b5b0a9553e568ed250a647e5fb509c8d1772475bd39fcd1eaa2ac9caa83cbb18683e4a650c82b6a30f12ea514d2f5669896590dea3a9a90fec0810b722c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
46KB

MD5
05f8b1e6745b41296b14a62be087552a

SHA1
41866549a09e00d305db8d2063d1958d3555ae45

SHA256
35c1ddb5ee6f58e6a95a54a7c1ff9c4d56f22468f5d1dea971b05a38f192513b

SHA512
c0d086d77824665aec18fb9e5c62879a95bf34b26ab038ef3cac2cff0ddec31a2236983b3887e4226942a068fabdba7eba0e9f0a7866e5ebc5e9fad92ef2c8ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
26KB

MD5
55f91bf99ad4eb069e175e29e72c7204

SHA1
b6658c6527bdfc8db90eba24b63a541d7912b1a0

SHA256
c690fa9f5e52b629b89b90807c56761232161d539742bd21a87c78fae40a19e2

SHA512
94ae16342dae4a74dc6de4d107299c5465d33c87af147fcf4fef8358b4297ee7d90dbabfe2ed3129896ccfbfb82ff15bbb3557c6da4175fb6da5f4ea14774514

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
213eeee0bf55b5002060609a41f54dda

SHA1
e4dcd3878c2ac69345e22c405dfe1035b6817dcd

SHA256
84e5623c8426cf9f7501e1fb0f83c4c3b1d55b56ea0502ef304fb711c84d42f2

SHA512
5ce9e9e476998b84805d76f45fcc1422f777061f7338c01b4f4cae71c0d0265b6fa55dfffe2eb5c37bc796b9ae6455bcb6a992e43add400bbb75f5056e311c44

Download Submit
C:\Windows\hosts.exe

Filesize
43KB

MD5
81575993f23c3ae0b23e690603bb71f4

SHA1
2eb2252a6e7b0a8c6755ea32ef04d0f0a56d9c1c

SHA256
d320b26f8b61cf1684544c8937237915fb4496e263f6db0fb0bce5217418ba31

SHA512
9df849195b84cf04712ecbd393a5d33c893116957e83273cac2211843ea485b8f38d6c2da4679e001d16fe1137a8dfba70bf3011778e0cb71a2803f2907afdf0

Download Submit
C:\Windows\hosts.exe

Filesize
67KB

MD5
916fce579f186002ad7de1646fdfb79e

SHA1
f3fc07d67ea6dafbd8a3768bea648bed0bb92fe6

SHA256
3221c8f71910ea846537621d96f39f6a03e4944772d644b638e663ce9af52946

SHA512
2ea72c9cf0528dfb56fc1b104b69c43db6639eaa6b84ca7ebfea297ee0c92b2cd8c9a3af4c5418c5f0129412ab2e232cb6401c2382c1f09b6b8e2c9591e936a8

Download Submit
C:\Windows\hosts.exe

Filesize
12KB

MD5
9841c90bc969a9760121a32908913729

SHA1
8ae425ef15fb1fcdda42f6f2f6850344622e2262

SHA256
c700526538603144b139ec5c16a61d9c98e122e82ec0c7658ef9b7db8bce3cdb

SHA512
0176d6caa965de50cb78866670186509e12729f5f6fcbf71f05afb827147c2c9cc41b664b079dabb840a56cd6e0d32257fb98a6a9250a4f9d6cc3d72948edb7e

Download Submit
C:\Windows\hosts.exe

Filesize
52KB

MD5
af0c8425c9d99c65f4958452754a8067

SHA1
3e2e94ffda822531aa84fe4d2eb84e034674e91b

SHA256
641dcd77240c6ca524f5c5c662f46111f0dc47cccb51daf5438c3166453dbf3c

SHA512
ef54e9326f9f94cd29fda577a8824c39338460a89d564ae54e2dab4e17f529925de2e0509f2a1572ad1b8b6d14356da8c39165163f8318360fb729a4433ed125

Download Submit
C:\windows\hosts.exe

Filesize
34KB

MD5
573c494110dfba7e8c3c411b1384b109

SHA1
faf7e872321991c8ad3fe37730ac9661c035fd68

SHA256
56cd21a46e566536b00330d92f117ec369ae2d938a24488719cba341ccfe8fce

SHA512
04191cf4fe5d63f73086decd776eab05222e4800bdaa464544b1e79d39deb2e58cad64997810b976dd6f32e5d54e9ace1123924c712b968ac607aa8f67e82b1b

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
12KB

MD5
f4caaa654b41d1c6de1674dc80a6f715

SHA1
b765f3d3d2bdc2748a2ac85cf88a712fd051acc8

SHA256
e132c888a6e69555ef5def480522e86fb250358cfdfd2629296ec5f1c6de9671

SHA512
c93f6ec5e30eebc84d3d704f82138eca7c6a4d66b7eca1ca4739c71e7f9abcf0d9d279e588a7f66b244431c932ade99086dafc47e4a05cfdf5a28b9bfc163203

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
17KB

MD5
6851cf19d307ca83facde85422271121

SHA1
6e2a48243f6dfa39be97f1eeb9903ea9e7a8b5d4

SHA256
794525d2a80f521bb8fceb0b632689aac47d356d65566fdd3a31e67e084be4ce

SHA512
c5719f1b8b0b22c2e0a10b502bb45bba6089c6f64ab66dd366ba0f25438973423cf7ccc8fae4881c2967004881c3e21495b4805c3e2584627d115dc496c87b44

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
77KB

MD5
f12c92e780896de75fc6646c768aecb6

SHA1
e20438e0e5ea86303026c149ca64d1b5a338328b

SHA256
0634546e1a7d3327cd97b85894b7acb8d07793be3f49023606e34e50c8222516

SHA512
85f2c7404f91a5de9ef4cd6041e2dd1a0e129bc004ad1d83d8d4e72f5151323127718d97b61022ddb5fa99bfe4eb2309b0035da95d0828adc7f4263e54f1c284

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
39KB

MD5
c78ab6ca9a13f49241a150262d2dbf89

SHA1
2d6d47d46ee250d8bd620defbbd84e5abddfea64

SHA256
89e89945d7cf098d3f497da0b4a0f4ca1118e966f6770a593a412f6e871c0c56

SHA512
b697da1f604fcf089d6749e0e59ce5e9e28474defd6247c4d7a99d1ebed38c37774d98cec5439326e4552c26387f02fc5a73364c357f1f30b66bb00089c7c1ad

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
6KB

MD5
0e6d12e52c210804f67ffe5f46e0259e

SHA1
49c787f9c958b0dba7c5affd08e5e5203d7f6ef6

SHA256
68388fe11594fd56148469edb2a72116457ac21e30c9ea610fa1825e672a149a

SHA512
c9fa64da4cf046d8756388618ef00896723bef0a6561320a13247d1613c6ce152b06803a60d4f3053de964c63b2b4445d42a42272d3faef5b268ae9bdc8a8ff4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads