51e1c5a89182675a3aa5e9190615ec3ac51d10773799dd680c775774efa34c20

Analysis

max time kernel
188s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 10:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16ebdd1379d6dca0b9aac2a536502bec.exe
Size

298KB
MD5

16ebdd1379d6dca0b9aac2a536502bec
SHA1

e4d809c5cf00b86b63ba5cebf63986d4f2a5094d
SHA256

51e1c5a89182675a3aa5e9190615ec3ac51d10773799dd680c775774efa34c20
SHA512

356d83a9672895fe9aed593d1d59e5a6bf76595dcfac9332f40a7d3553eff90d4549c43c7f0842fc625b2956d3dc5511398256b8d7c9c64eea8e996b89041d90
SSDEEP

6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYv:v6Wq4aaE6KwyF5L0Y2D1PqLa

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svhost.exe

Executes dropped EXE 1 IoCs

pid	Process
3188	svhost.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/924-0-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/924-1-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/files/0x000900000002311a-4.dat	upx
behavioral2/files/0x000700000002322b-104.dat	upx
behavioral2/memory/924-359-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3188-360-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3188-362-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3188-363-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/924-383-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3188-384-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/924-386-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3188-949-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3188-2233-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3188-2830-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3188-3311-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3188-4293-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3188-5443-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3188-6040-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3188-7052-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3188-8079-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3188-9030-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3188-10059-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\o:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe
File opened (read-only)	\??\q:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe
File opened (read-only)	\??\w:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\s:	svhost.exe
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/924-359-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3188-360-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3188-362-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3188-363-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/924-383-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3188-384-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/924-386-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3188-949-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3188-2233-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3188-2830-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3188-3311-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3188-4293-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3188-5443-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3188-6040-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3188-7052-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3188-8079-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3188-9030-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3188-10059-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	16ebdd1379d6dca0b9aac2a536502bec.exe
File opened for modification	C:\Windows\Driver.db	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
924	16ebdd1379d6dca0b9aac2a536502bec.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3188	svhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
924	16ebdd1379d6dca0b9aac2a536502bec.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
3188	svhost.exe
3188	svhost.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
3188	svhost.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
3188	svhost.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
3188	svhost.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
3188	svhost.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
924	16ebdd1379d6dca0b9aac2a536502bec.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
3188	svhost.exe
3188	svhost.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
3188	svhost.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
3188	svhost.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
3188	svhost.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
3188	svhost.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
924	16ebdd1379d6dca0b9aac2a536502bec.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe
3188	svhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 3188	924	16ebdd1379d6dca0b9aac2a536502bec.exe	91
PID 924 wrote to memory of 3188	924	16ebdd1379d6dca0b9aac2a536502bec.exe	91
PID 924 wrote to memory of 3188	924	16ebdd1379d6dca0b9aac2a536502bec.exe	91

C:\Users\Admin\AppData\Local\Temp\16ebdd1379d6dca0b9aac2a536502bec.exe
"C:\Users\Admin\AppData\Local\Temp\16ebdd1379d6dca0b9aac2a536502bec.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Driver.db

Filesize
82B

MD5
c2d2dc50dca8a2bfdc8e2d59dfa5796d

SHA1
7a6150fc53244e28d1bcea437c0c9d276c41ccad

SHA256
b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960

SHA512
6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Download Submit
C:\Windows\svhost.exe

Filesize
298KB

MD5
ef995e4a5b237cd13357e871aab5e4bc

SHA1
0747dc716877d7f50357253cca2589f3df4fc978

SHA256
dc7844e9bd40263fdacbd49127c9ec98caeb84c0eb1ca73fb3c4eb088f2e8672

SHA512
f882b56b0a60b9ce1eec2d3091efcc1e9a7087f7bedebd82b7893fb14dd37b4cf8ccdf929b979d64345e6227a80b66570dbc6d4d05dec756211021fc4c356d6e

Download Submit
C:\odt.exe

Filesize
298KB

MD5
c923c7d180c04de0523e24cca8106708

SHA1
2b19d2ba11de7215fd819e7f5335885722354c1a

SHA256
51705440d2b329422b64cb650619691f0d61d88cea4224eb752343cd16f45558

SHA512
64450a1e4049c88e71d23ced406b125aefd68b83ca255ab7963d2c67eb3895a84ad3243aa89b5b3892c107e564ca8dd409bae77ecf3639cd3bb2f190a4888019

Download Submit
memory/924-383-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/924-1-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/924-359-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/924-386-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/924-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3188-384-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3188-3311-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3188-362-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3188-360-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3188-949-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3188-2233-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3188-2830-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3188-363-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3188-4293-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3188-5443-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3188-6040-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3188-7052-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3188-8079-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3188-9030-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3188-10059-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download