44a3096eef2141d7960b021af970dc20f65630abdf81d15320949c65384213b9

General

Target

2531958ed721a603248f6fe5a8386f53.exe
Size

298KB
MD5

2531958ed721a603248f6fe5a8386f53
SHA1

51fcfac84166288cc0dac187f0a8b918fdcd4621
SHA256

44a3096eef2141d7960b021af970dc20f65630abdf81d15320949c65384213b9
SHA512

4b2c60c0017015502f37372bad16745b153649b1c4c9ae9b68e67684cd8dc705ca2615794b98cc839c746f6eed749f79876ec53dc39440972385d6494a6f6eb5
SSDEEP

6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYX:v6Wq4aaE6KwyF5L0Y2D1PqLu

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svhost.exe

Executes dropped EXE 1 IoCs

pid	Process
4984	svhost.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2912-0-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/files/0x000400000001e96f-3.dat	upx
behavioral2/memory/2912-769-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4984-1325-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4984-2385-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4984-3447-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4984-4769-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4984-5823-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4984-6888-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4984-7947-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4984-9270-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4984-10325-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4984-11388-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\o:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe
File opened (read-only)	\??\s:	svhost.exe
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\q:	svhost.exe
File opened (read-only)	\??\w:	svhost.exe
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe

AutoIT Executable 11 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2912-769-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/4984-1325-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/4984-2385-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/4984-3447-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/4984-4769-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/4984-5823-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/4984-6888-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/4984-7947-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/4984-9270-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/4984-10325-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/4984-11388-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	2531958ed721a603248f6fe5a8386f53.exe
File opened for modification	C:\Windows\Driver.db	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2912	2531958ed721a603248f6fe5a8386f53.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
4984	svhost.exe
4984	svhost.exe
4984	svhost.exe
4984	svhost.exe
4984	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4984	svhost.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
2912	2531958ed721a603248f6fe5a8386f53.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
4984	svhost.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2912	2531958ed721a603248f6fe5a8386f53.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
2912	2531958ed721a603248f6fe5a8386f53.exe
4984	svhost.exe
4984	svhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 4984	2912	2531958ed721a603248f6fe5a8386f53.exe	20
PID 2912 wrote to memory of 4984	2912	2531958ed721a603248f6fe5a8386f53.exe	20
PID 2912 wrote to memory of 4984	2912	2531958ed721a603248f6fe5a8386f53.exe	20

C:\Users\Admin\AppData\Local\Temp\2531958ed721a603248f6fe5a8386f53.exe
"C:\Users\Admin\AppData\Local\Temp\2531958ed721a603248f6fe5a8386f53.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2912-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2912-769-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4984-6888-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4984-9270-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4984-3447-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4984-4769-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4984-5823-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4984-1325-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4984-7947-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4984-2385-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4984-10325-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4984-11388-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4984-12447-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4984-13767-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4984-14827-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4984-15888-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing