6ce8f689c74722a039732db94db6f101694f9b2c749b484ede496ac58625aa65

Analysis

max time kernel
0s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0563f67d8ed40be2b17911c89cfb268f.exe
Size

182KB
MD5

0563f67d8ed40be2b17911c89cfb268f
SHA1

66a08b3735d997ad6285525a96ff8ba87956f9d4
SHA256

6ce8f689c74722a039732db94db6f101694f9b2c749b484ede496ac58625aa65
SHA512

7c9e17a7477a2e3977ad66f9ae31a4119045478ca9be130e8909eeb974dfe327cd40d9c91e773240e6c2423854f22c295b91cd5909a3f6246a1ce47b4e7ae6a6
SSDEEP

3072:ibpDCw1p3vmLvsZIaVwiwDcIbDHDCmzy8J1ywvBnAmsT:SDCwfG1bnxG8DBv7sT

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0563f67d8ed40be2b17911c89cfb268f.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0563f67d8ed40be2b17911c89cfb268f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	0563f67d8ed40be2b17911c89cfb268f.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	0563f67d8ed40be2b17911c89cfb268f.exe
File created	\??\c:\windows\W_X_C.bat	0563f67d8ed40be2b17911c89cfb268f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
2908	REG.exe
1176	REG.exe
116	REG.exe
4620	REG.exe
4204	REG.exe
4552	REG.exe
4360	REG.exe
2100	REG.exe
4244	REG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1872	0563f67d8ed40be2b17911c89cfb268f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1176	1872	0563f67d8ed40be2b17911c89cfb268f.exe	20
PID 1872 wrote to memory of 1176	1872	0563f67d8ed40be2b17911c89cfb268f.exe	20
PID 1872 wrote to memory of 1176	1872	0563f67d8ed40be2b17911c89cfb268f.exe	20

C:\Users\Admin\AppData\Local\Temp\0563f67d8ed40be2b17911c89cfb268f.exe
"C:\Users\Admin\AppData\Local\Temp\0563f67d8ed40be2b17911c89cfb268f.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  PID:3076
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  PID:3764
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2100
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2908
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4620
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4552

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
1⤵
PID:3636

C:\windows\hosts.exe
C:\windows\hosts.exe
1⤵
PID:3508

C:\windows\hosts.exe
C:\windows\hosts.exe
1⤵
PID:4008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  PID:4380
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:116
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:4244
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:4204
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:4360

C:\windows\hosts.exe
C:\windows\hosts.exe
1⤵
PID:2284

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
1⤵
PID:2608

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
1⤵
PID:4864

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
1⤵
PID:1020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
1⤵
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
1KB

MD5
f2983f806ab75863febf84455e65d175

SHA1
fe7d48ba34d3b18171a92c7dd8d6ddd2a14a8e98

SHA256
7803625f15c61d697d62ca93013e2ca4f01a0f5f7c1a2fe4718ad62813ad74af

SHA512
e7935ca203db27b7f6ec065ed7d7d5ce2601d74195d54c5418255ef26e272937774d205ec13690801ebcb0772cb010a614c4dafd4dae75eb96fcf96da3cf7338

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
14KB

MD5
75936e1035327b52f12991b3eff2b0f4

SHA1
ac91c03167f0f9c6ecbe99d6e4ad293c8c86ccba

SHA256
9e646ddf5f00455121ad530a9d3c2ec0bf0cf670d383d5f4dc60d1b110a72db3

SHA512
f124175ff840a6b9e3165cf72a4bdd044415c8150fc41f2cdaf657fca75337aa421a5a318404801eedb378092f718c85daba7335aa06938f4e6704460f21bf78

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
91KB

MD5
e40ac3a7766befcedaef2eb8b61cf035

SHA1
7882bd732f1990f24cadd7497335cc3332111e71

SHA256
55362df841f3c602e529fc6b4e94e66dfd1a0f0bdef5fdf0fdd7fe07d6c6ef54

SHA512
fcf927d8b6b720cadcdeba7b373ba52c6ca1a02700ce946c10ea1b29d690e3bc1fbb77cb8c4d180ab68dc07eb60aeaa52cf3095e475b2b5fb8fd3ae165762569

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
4KB

MD5
3ea66570cc53887abbc67631185b2da6

SHA1
cd61815e470449c82f7ddbbeaa5f7bc06ecdcd39

SHA256
96d9fca7d4a4619adb678832dbcade6919e4d005fa1bb6491af630f53345550f

SHA512
34ef294a0091ff53eb06581ece5a3d564323ca538c83612d005dc1e91658da382eda08e43b93128c7b350ad6beefda1fb993ebb194e8cf620692ae866e70dd84

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
b85188c6bd910874b1d4062810e3a960

SHA1
77888cd575a9a42bb6ae756ee143cfd1329f7c8f

SHA256
e75c765b83e783d5c42d187efbe68b457116d666207647b8806fa5ea4faeb539

SHA512
902d578733767d07d0944383281f4edbf0ccafa884713295780c73fa51fd6cb56f7cba31968700c18f2bd62c663093fc919e2f9251bbd898f3d23b5e824363d5

Download Submit
C:\Windows\hosts.exe

Filesize
6KB

MD5
ddbe6b47036a196004302e11ce2df61f

SHA1
77a66d148595a0fce81df4887f71efd25856bd4c

SHA256
ec5fb7ef8af4d1953cb501220082ec9a450d74473ea829a2c0aed0ddf4c4a5b4

SHA512
897f2369b370e82d142e0b9389e4fa0572d4f3ec2aad2f7a30d47d36670439dea632bba3d03ebe6103280338c7a4f5db14a89210b444c3280c42c31e3406fde7

Download Submit
C:\Windows\hosts.exe

Filesize
23KB

MD5
9bbd9656bd9dedbc031c659575db3d54

SHA1
2345de9454c1d4b8dc2eb4e8be64645cc13572a8

SHA256
db23899d8381b774c550f723cd4769c8ccb2fc141a5292c680894987f7d476e4

SHA512
d8c7c9da486a73156e613110b82643f4cb0f2121750eccca0a48764f748990f348bc4da049b0448e587cc4848f96c3e595164cf3a40d248bc1a01b690ad87505

Download Submit
C:\Windows\hosts.exe

Filesize
1KB

MD5
4e860a0a3bd15c3581f7cf334bae6c70

SHA1
0e0504a2ce97fee2b1d443d96d5e06ac503f91e9

SHA256
fffbb60081ee85d5f4cae75dc480be9079ad9fc7b19774e059415454f514741a

SHA512
9691d0d0a7108d25ec16a546e165b62cb1414719c30c9d5f3f9507a415464b04dd69d42db672b16227c66da0584b74fb83cf47bf51880e6a21c4f8831236abdb

Download Submit
C:\windows\hosts.exe

Filesize
3KB

MD5
ca31b2753a53f04ae65da109741f574e

SHA1
e2926deeb90101d897b39008fb65e0db5143fbe3

SHA256
9af7496662eb443b72332b89382a464a0b796c90e524a2017270aadb5b152bd0

SHA512
4515a227846e406fff3247db32bd7e5ef1430d17f46739db6c38f7cceffdf2a12ffbd0443bf1503e15ea27c0fedd4e197b5013167f0d97d45720270371db17a9

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads