35c22d46b0e4a81188ed98fddd6cbdbb017cc08ebbe8daca4548751be063bc46

Analysis

max time kernel
33s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1df7b467d13f9bb7288702af93f915e1.exe
Size

298KB
MD5

1df7b467d13f9bb7288702af93f915e1
SHA1

dad82faac263f54da50dd622de7ca5e507561d59
SHA256

35c22d46b0e4a81188ed98fddd6cbdbb017cc08ebbe8daca4548751be063bc46
SHA512

63c241c20d0e2ee404c282dfd8cd1cbd7931c5540f5edb7b7a8b0f022b07fca62601642b746765b1e69f6a38fe288be48da77e6f63bfd0ac8d125a13e824d492
SSDEEP

6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYv:v6Wq4aaE6KwyF5L0Y2D1PqLs

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svhost.exe

Executes dropped EXE 1 IoCs

pid	Process
728	svhost.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2180-0-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/files/0x000d000000023151-4.dat	upx
behavioral2/memory/728-5-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/files/0x000d000000023151-3.dat	upx
behavioral2/files/0x00090000000231fa-104.dat	upx
behavioral2/memory/2180-778-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/728-1323-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/728-2382-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/728-3445-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/728-4503-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/728-5820-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/728-6882-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/728-7940-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/728-8998-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/728-10315-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/728-11379-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/728-12438-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/728-13493-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/728-14810-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/728-15868-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\q:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\o:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\s:	svhost.exe
File opened (read-only)	\??\w:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2180-778-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/728-1323-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/728-2382-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/728-3445-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/728-4503-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/728-5820-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/728-6882-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/728-7940-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/728-8998-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/728-10315-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/728-11379-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/728-12438-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/728-13493-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/728-14810-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/728-15868-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Driver.db	svhost.exe
File created	C:\Windows\svhost.exe	1df7b467d13f9bb7288702af93f915e1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2180	1df7b467d13f9bb7288702af93f915e1.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
728	svhost.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
2180	1df7b467d13f9bb7288702af93f915e1.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
2180	1df7b467d13f9bb7288702af93f915e1.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
2180	1df7b467d13f9bb7288702af93f915e1.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe
728	svhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 728	2180	1df7b467d13f9bb7288702af93f915e1.exe	18
PID 2180 wrote to memory of 728	2180	1df7b467d13f9bb7288702af93f915e1.exe	18
PID 2180 wrote to memory of 728	2180	1df7b467d13f9bb7288702af93f915e1.exe	18

C:\Users\Admin\AppData\Local\Temp\1df7b467d13f9bb7288702af93f915e1.exe
"C:\Users\Admin\AppData\Local\Temp\1df7b467d13f9bb7288702af93f915e1.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Driver.db

Filesize
82B

MD5
c2d2dc50dca8a2bfdc8e2d59dfa5796d

SHA1
7a6150fc53244e28d1bcea437c0c9d276c41ccad

SHA256
b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960

SHA512
6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Download Submit
C:\Windows\svhost.exe

Filesize
204KB

MD5
f6f21e95bf085f2dcae426cd84d69a14

SHA1
efd23222c138b18996b62a1b3a0cfe64f79c5b4f

SHA256
0c4d8e783423ca5f5ac416465033253586b052fad1c7bcf4881db218e3649e14

SHA512
3457dd56c0419c55cf25967f5f24657406eb042e8f2fa8f352946666ea8059e32628827d33dfdf1ea51fc769c85da9aded7fe7d74d3e5f37434ef521fa0957be

Download Submit
C:\Windows\svhost.exe

Filesize
187KB

MD5
bbef5b18ffdc36f2eb1fb35b43719eac

SHA1
b764c640ef2eef784f0435667b8eace163f2f9e9

SHA256
814351ab2d3c8d0e3dadfd3bd8ce98cb6cc0d5246a675051b1dde18da8279d71

SHA512
8f1bbd35f79d079f40a578810ab1e0d21ca6dc5d96984d2af3072c068fed8278213ff41a9a6182393cd22d754165cb8a9a051d0771a71288faca23a624382fb0

Download Submit
C:\odt.exe

Filesize
125KB

MD5
47a9f530fc8c3957e6dad262ada46ec9

SHA1
5026ea9deacdc13480fc874e8b851cd249633e08

SHA256
ba5d0cf2faa15ce9627f4062fc35c7e513d83b1cab36d7127d0c8f04ddf2238c

SHA512
e15ef4f8ad8daa94b39196c4a3d32a7575cd9084a62afa7f6321c4511865e048b3765f9aa248ae83d60fce33c40bac7f22f483816106a097b25ea372ab3cfbf7

Download Submit
memory/728-4503-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/728-7940-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/728-15868-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/728-1323-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/728-2382-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/728-3445-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/728-14810-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/728-5820-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/728-6882-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/728-5-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/728-8998-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/728-10315-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/728-11379-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/728-12438-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/728-13493-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2180-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2180-778-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download