28f8b5f89ad7d768a542793ec6788e182a5be2d13c27819f0a778cdba7951f1b

Analysis

max time kernel
194s
max time network
30s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2669bcf7c0017f24ae73072ce64db9b6.exe
Size

298KB
MD5

2669bcf7c0017f24ae73072ce64db9b6
SHA1

0292296d1591ad7b2072eb78b207190f206a03b5
SHA256

28f8b5f89ad7d768a542793ec6788e182a5be2d13c27819f0a778cdba7951f1b
SHA512

9131325f849ba9e91ad2d702f33a6fd91b55847683453346fc6d76a322bcd0b1aaa2b8c47375d542309e889ce2196e2d7ae766e22a48e784dca9bf5fd37580c3
SSDEEP

6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYP:v6Wq4aaE6KwyF5L0Y2D1PqLa

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svhost.exe

Executes dropped EXE 1 IoCs

pid	Process
1236	svhost.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2872-0-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2872-1-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/files/0x001000000000b1f5-5.dat	upx
behavioral1/memory/1236-6-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/files/0x001000000000b1f5-7.dat	upx
behavioral1/files/0x0034000000012337-67.dat	upx
behavioral1/memory/2872-687-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1236-707-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2872-714-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1236-1304-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1236-1480-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1236-2076-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1236-2918-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1236-3833-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1236-4627-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1236-5608-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1236-6548-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1236-7547-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1236-8876-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1236-9797-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1236-10818-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe
File opened (read-only)	\??\w:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\s:	svhost.exe
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe
File opened (read-only)	\??\q:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\o:	svhost.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2872-687-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1236-707-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2872-714-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1236-1304-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1236-1480-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1236-2076-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1236-2918-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1236-3833-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1236-4627-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1236-5608-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1236-6548-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1236-7547-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1236-8876-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1236-9797-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1236-10818-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	2669bcf7c0017f24ae73072ce64db9b6.exe
File opened for modification	C:\Windows\Driver.db	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1236	svhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
2872	2669bcf7c0017f24ae73072ce64db9b6.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe
1236	svhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 1236	2872	2669bcf7c0017f24ae73072ce64db9b6.exe	29
PID 2872 wrote to memory of 1236	2872	2669bcf7c0017f24ae73072ce64db9b6.exe	29
PID 2872 wrote to memory of 1236	2872	2669bcf7c0017f24ae73072ce64db9b6.exe	29
PID 2872 wrote to memory of 1236	2872	2669bcf7c0017f24ae73072ce64db9b6.exe	29

C:\Users\Admin\AppData\Local\Temp\2669bcf7c0017f24ae73072ce64db9b6.exe
"C:\Users\Admin\AppData\Local\Temp\2669bcf7c0017f24ae73072ce64db9b6.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings.exe

Filesize
298KB

MD5
66c91a45c55291d076c7f97b7182c09f

SHA1
f9d9326c8e8c18ede4d7c4d4484313bf31af3d6c

SHA256
3f48586b0fbcf0a697415fa37f777831eee288edcceca9aa9f7023a5e5b844f7

SHA512
22cfb08bf33a5cddd4c80628e27ce4ccd30825582d4c69132f183c57b178b681708c37a17560a6d4bbb2428289e1f47c94fda850560741eea19544807575b8ba

Download Submit
C:\Windows\Driver.db

Filesize
82B

MD5
c2d2dc50dca8a2bfdc8e2d59dfa5796d

SHA1
7a6150fc53244e28d1bcea437c0c9d276c41ccad

SHA256
b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960

SHA512
6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Download Submit
C:\Windows\svhost.exe

Filesize
298KB

MD5
171e4a295b7160a99ca9ec1613d4a24d

SHA1
77c896ee903df2e1927eb08195750bd17c26cbc9

SHA256
4d149968b7ef94990fb36ca605a9238a4dfe534ac3199124074ac312b40c2389

SHA512
3a4b310a60f3db30a2baa015142fd9bec84df77af440e584d4e3890aa06ee230783a78ad52b66623bfec35e656725886b6004f60b896c1a1407f34d1d837b6f2

Download Submit
memory/1236-1304-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1236-6548-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1236-10818-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1236-9797-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1236-707-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1236-8876-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1236-7547-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1236-1480-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1236-2076-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1236-2918-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1236-3833-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1236-4627-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1236-5608-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1236-6-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2872-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2872-714-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2872-687-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2872-1-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download