Analysis

max time kernel: 5s
max time network: 87s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 01:04
Behavioral task: behavioral1
Sample: 1f117a8a2fd715cd521aa7f2c5de932a.exe
Resource: win7-20231215-en
12 signatures, 150 seconds

(The signature tables and process tree below carry the behavioral2 prefix and correspond to the win10v2004-20231215-en resource named under Analysis; the behavioral1 task is listed here but its results are not part of this page.)
General

Target: 1f117a8a2fd715cd521aa7f2c5de932a.exe (the file is named after its own MD5)
Size: 298KB
MD5: 1f117a8a2fd715cd521aa7f2c5de932a
SHA1: bf9f0cd355cd0265e3c9a80beb3353610c8c272e
SHA256: 22a587d256340c0def11d094632a13442c6ee49de900eaff24438b83756128f1
SHA512: d54777d43caee7750f5c5c8e69601634a3a0358e994631962647032e0c3ff81c0b659264a9c174a1a81a8b71a6b0182ba8521837f0e18e5588b8d75493c1a950
SSDEEP: 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYZ:v6Wq4aaE6KwyF5L0Y2D1PqLS
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int) by svhost.exe:
    \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  HideFileExt is a per-user setting (\REGISTRY\USER\<SID> is the kernel path of that user's HKCU); a value of 1 makes Explorer hide the extensions of known file types for that user.

Executes dropped EXE (1 IoC)
  PID 724  svhost.exe

YARA rule upx (13 IoCs; the signature heading for this table is absent from the extracted page, the rule name is taken from its yara_rule column)
  behavioral2/memory/920-0-0x0000000000400000-0x00000000004C2000-memory.dmp      upx
  behavioral2/files/0x00080000000231ea-4.dat                                      upx
  behavioral2/memory/724-5-0x0000000000400000-0x00000000004C2000-memory.dmp      upx
  behavioral2/memory/920-786-0x0000000000400000-0x00000000004C2000-memory.dmp    upx
  behavioral2/memory/724-1325-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral2/memory/724-2382-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral2/memory/724-3446-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral2/memory/724-4763-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral2/memory/724-5820-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral2/memory/724-6884-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral2/memory/724-7944-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral2/memory/724-9266-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral2/memory/724-10321-0x0000000000400000-0x00000000004C2000-memory.dmp  upx

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by svhost.exe, one IoC per drive root (every letter from A: to Z: except C:, D: and F:):
    \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:

AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
  behavioral2/memory/724-5-0x0000000000400000-0x00000000004C2000-memory.dmp      autoit_exe
  behavioral2/memory/920-786-0x0000000000400000-0x00000000004C2000-memory.dmp    autoit_exe
  behavioral2/memory/724-1325-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral2/memory/724-2382-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral2/memory/724-3446-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral2/memory/724-4763-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral2/memory/724-5820-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral2/memory/724-6884-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral2/memory/724-7944-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral2/memory/724-9266-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral2/memory/724-10321-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  Both rules hit the same 0x400000-0x4C2000 image region in every memory dump. upx alone fires on the parent's first dump (920-0) and on the dropped file object, while autoit_exe appears only from dumps 724-5 and 920-786 onwards; this is consistent with a UPX-packed AutoIt-compiled executable whose AutoIt stub becomes visible once the packer has unpacked it in memory.

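The upx table and the autoit_exe table above describe the same set of memory dumps. The following is an added example, not part of the report or of the sandbox vendor's tooling: it parses the resource names from both tables and correlates which rules fired on which dump, so the "unpacked later" pattern noted above can be checked mechanically. The naming scheme it assumes (task/memory/<pid>-<dump index>-<start>-<end>-memory.dmp and task/files/<object id>-<n>.dat) is read off the tables and is an assumption about the sandbox's format; the hit list at the bottom is constructed from the two tables.

```python
"""Correlate YARA hits across the memory dumps listed in a sandbox report.

Added example, not part of the report. Resource names are copied from the
report's upx and autoit_exe tables; the naming scheme the regexes assume is
read off those tables and is an assumption about the sandbox's format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MEMORY_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$")
FILE_RE = re.compile(r"^(?P<task>[^/]+)/files/(?P<obj>0x[0-9A-Fa-f]+)-(?P<idx>\d+)\.dat$")


@dataclass(frozen=True)
class Dump:
    resource: str
    task: str
    pid: Optional[int]      # None for a dropped-file resource
    index: int              # dump ordinal; a higher index was taken later in the run
    start: Optional[int]
    end: Optional[int]

    @property
    def size(self) -> Optional[int]:
        return None if self.start is None else self.end - self.start


def parse_resource(res: str) -> Dump:
    """Turn one resource string into a Dump; raise on an unknown shape."""
    m = MEMORY_RE.match(res)
    if m:
        return Dump(res, m["task"], int(m["pid"]), int(m["idx"]),
                    int(m["start"], 16), int(m["end"], 16))
    m = FILE_RE.match(res)
    if m:
        return Dump(res, m["task"], None, int(m["idx"]), None, None)
    raise ValueError(f"unrecognised resource name: {res}")


def correlate(hits: List[Tuple[str, str]]) -> Dict[Dump, Set[str]]:
    """Map each distinct dump to the set of rules that fired on it."""
    by_dump: Dict[Dump, Set[str]] = defaultdict(set)
    for res, rule in hits:
        by_dump[parse_resource(res)].add(rule)
    return dict(by_dump)


def analyze(hits: List[Tuple[str, str]]) -> dict:
    """Summarise region sizes, rule overlap and what the earliest dump of each PID matched."""
    by_dump = correlate(hits)
    per_pid: Dict[int, List[Dump]] = defaultdict(list)
    for d in by_dump:
        if d.pid is not None:
            per_pid[d.pid].append(d)
    first = {pid: min(ds, key=lambda d: d.index) for pid, ds in per_pid.items()}
    return {
        "dumps": len(by_dump),
        "region_sizes": {d.size for d in by_dump if d.size is not None},
        "upx_only": [d.resource for d, rules in by_dump.items() if rules == {"upx"}],
        "both_rules": sum(rules == {"upx", "autoit_exe"} for rules in by_dump.values()),
        "first_dump_rules": {pid: by_dump[d] for pid, d in first.items()},
    }


# Constructed input: the 13 upx hits and 11 autoit_exe hits from the report's tables.
REGION = "0x0000000000400000-0x00000000004C2000"
LATER_724 = (1325, 2382, 3446, 4763, 5820, 6884, 7944, 9266, 10321)


def mem_resource(pid: int, idx: int) -> str:
    return f"behavioral2/memory/{pid}-{idx}-{REGION}-memory.dmp"


UPX_HITS = ([mem_resource(920, 0), "behavioral2/files/0x00080000000231ea-4.dat",
             mem_resource(724, 5), mem_resource(920, 786)]
            + [mem_resource(724, i) for i in LATER_724])
AUTOIT_HITS = [mem_resource(724, 5), mem_resource(920, 786)] + [mem_resource(724, i) for i in LATER_724]
REPORT_HITS = [(r, "upx") for r in UPX_HITS] + [(r, "autoit_exe") for r in AUTOIT_HITS]

if __name__ == "__main__":
    import pprint
    pprint.pprint(analyze(REPORT_HITS))
```

Run on the report's hits, analyze() reports 13 distinct dumps, a single region size of 0xC2000 bytes, two dumps matched by upx alone (the parent's dump 0 and the dropped file object), 11 dumps matched by both rules, and for PID 920 an earliest dump that matched only upx. The same function works on any other report that uses this resource naming.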
Drops file in Windows directory (2 IoCs)
  File created                  C:\Windows\svhost.exe   1f117a8a2fd715cd521aa7f2c5de932a.exe
  File opened for modification  C:\Windows\Driver.db    svhost.exe
  svhost.exe is a one-letter lookalike of svchost.exe, and C:\Windows is not where the legitimate binary lives (C:\Windows\System32\svchost.exe); the name and the location together are the tell to look for on a host.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 920  1f117a8a2fd715cd521aa7f2c5de932a.exe  (2 hits)
  PID 724  svhost.exe                             (6 hits)

Suspicious use of FindShellTrayWindow (16 IoCs)
  PID 920  1f117a8a2fd715cd521aa7f2c5de932a.exe  (8 hits)
  PID 724  svhost.exe                             (8 hits)

Suspicious use of SendNotifyMessage (16 IoCs)
  PID 920  1f117a8a2fd715cd521aa7f2c5de932a.exe  (8 hits)
  PID 724  svhost.exe                             (8 hits)

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 920 (1f117a8a2fd715cd521aa7f2c5de932a.exe) wrote to memory of PID 724 (svhost.exe), procid_target 20, three times
  A parent writing into a child it has just started is a weak signal on its own; the child's lookalike name and its location directly under C:\Windows are what make it worth acting on here.

Processes

1. C:\Users\Admin\AppData\Local\Temp\1f117a8a2fd715cd521aa7f2c5de932a.exe  (PID 920)
   command line: "C:\Users\Admin\AppData\Local\Temp\1f117a8a2fd715cd521aa7f2c5de932a.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\svhost.exe  (PID 724, child of PID 920)
      command line: C:\Windows\svhost.exe
      - Modifies visibility of file extensions in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
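The signatures and the process tree above, turned into host detection logic: a one-character lookalike of a protected system binary being dropped or started, HideFileExt being set to 1 by something other than Explorer, a parent writing into a lookalike child, and one process opening many drive roots. This is an added example, not the sandbox vendor's signature code. The PIDs, paths and registry value in the constructed event list are the report's; the event schema (the dict keys), the PROTECTED_NAMES list and the DRIVE_SWEEP_THRESHOLD of 10 are assumptions, and the benign event list is constructed to show what the rules do not flag.

```python
"""Detection rules derived from this report, run over constructed telemetry.

Added example, not the sandbox vendor's code. PIDs, paths and the registry
value are the report's; the event schema, PROTECTED_NAMES and
DRIVE_SWEEP_THRESHOLD are assumptions made for this example.
"""
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# System binaries worth guarding against one-character lookalikes (assumed list).
PROTECTED_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe"}
DRIVE_SWEEP_THRESHOLD = 10   # distinct drive roots one process may open before it is flagged


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; svhost.exe is one insertion away from svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(path: str) -> Optional[str]:
    """Return the protected name this file name imitates, or None if it is exact or unrelated."""
    name = PureWindowsPath(path).name.lower()
    if name in PROTECTED_NAMES:
        return None
    return next((real for real in sorted(PROTECTED_NAMES) if edit_distance(name, real) == 1), None)


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Apply the four rules to an event stream and return one finding per hit."""
    findings: List[Dict] = []
    image_by_pid: Dict[int, str] = {}
    drives_by_pid: Dict[int, set] = defaultdict(set)

    def flag(rule: str, pid: int, evidence: str) -> None:
        findings.append({"rule": rule, "pid": pid, "evidence": evidence})

    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image_by_pid[ev["pid"]] = ev["image"]
            real = lookalike_of(ev["image"])
            if real:
                flag("lookalike_system_binary", ev["pid"], f"{ev['image']} mimics {real}")
        elif kind == "file_create":
            real = lookalike_of(ev["path"])
            if real:
                flag("lookalike_system_binary", ev["pid"], f"{ev['path']} mimics {real}")
        elif kind == "registry_set":
            # Explorer writes HideFileExt for the user legitimately; a dropped EXE does not.
            if (ev["key"].lower().endswith("\\explorer\\advanced\\hidefileext")
                    and ev["data"] == 1
                    and PureWindowsPath(ev["image"]).name.lower() != "explorer.exe"):
                flag("hide_file_ext_enabled", ev["pid"], ev["key"])
        elif kind == "file_open":
            path = ev["path"]
            if len(path) == 6 and path.startswith("\\??\\") and path.endswith(":"):
                drives_by_pid[ev["pid"]].add(path[4].lower())   # \??\x: is a drive root
        elif kind == "process_access" and ev.get("wrote_memory"):
            child = image_by_pid.get(ev["target_pid"], "")
            if lookalike_of(child):
                flag("memory_write_into_lookalike_child", ev["pid"],
                     f"{ev['pid']} -> {ev['target_pid']} ({child})")

    for pid, letters in drives_by_pid.items():
        if len(letters) >= DRIVE_SWEEP_THRESHOLD:
            flag("drive_root_sweep", pid, f"{len(letters)} drive roots opened")
    return findings


# Constructed from the report: PID 920 drops and starts C:\Windows\svhost.exe (PID 724) and
# writes into it; the child sets HideFileExt and opens 23 drive roots.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1f117a8a2fd715cd521aa7f2c5de932a.exe"
DROPPED = r"C:\Windows\svhost.exe"
HIDE_EXT_KEY = (r"\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000"
                r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt")
REPORT_EVENTS = [
    {"type": "process_create", "pid": 920, "image": DROPPER},
    {"type": "file_create", "pid": 920, "path": DROPPED},
    {"type": "process_create", "pid": 724, "image": DROPPED},
    {"type": "process_access", "pid": 920, "target_pid": 724, "wrote_memory": True},
    {"type": "registry_set", "pid": 724, "image": DROPPED, "key": HIDE_EXT_KEY, "data": 1},
    {"type": "file_open", "pid": 724, "path": r"C:\Windows\Driver.db"},
] + [{"type": "file_open", "pid": 724, "path": f"\\??\\{c}:"} for c in "abeghijklmnopqrstuvwxyz"]

# Constructed benign activity: Explorer sets the value itself, one drive opened, the real svchost.
BENIGN_EVENTS = [
    {"type": "process_create", "pid": 1000, "image": r"C:\Windows\explorer.exe"},
    {"type": "registry_set", "pid": 1000, "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "data": 1},
    {"type": "file_open", "pid": 1000, "path": r"\??\d:"},
    {"type": "process_create", "pid": 1100, "image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for f in detect(REPORT_EVENTS):
        print(f"{f['rule']:34} pid={f['pid']:<5} {f['evidence']}")
    print("benign findings:", detect(BENIGN_EVENTS))
```

On the report-derived events detect() returns five findings (the lookalike rule fires twice, once for the file drop by PID 920 and once for the process start as PID 724, plus the memory write, the HideFileExt change and a 23-drive sweep); on the benign list it returns none. The drive-root rule is deliberately a count over the whole stream rather than a per-event match, because a single \??\d: open is normal and only the sweep is not.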