Analysis
  max time kernel: 150s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 25/12/2023, 14:35
Behavioral task: behavioral1
  Sample: 260cde1a1cce95cdd88a529a10c4ee5e.exe
  Resource: win7-20231215-en
General
  Target: 260cde1a1cce95cdd88a529a10c4ee5e.exe
  Size: 298KB
  MD5: 260cde1a1cce95cdd88a529a10c4ee5e
  SHA1: 89039bc0dbdb50886faae1cf7f66108cf0ea9fc4
  SHA256: 45f0ef84d491eaea3da2d296d3ec0d3f8ad50c33f5f891da5d9e8d107ea4163c
  SHA512: 3528e8029e8e9a094e4d030b28ddbdfa0843e8c0e10a64f0acda061a679c797b6c5bb29751546dd68b05d1ba91faa089ac5744107b86a00ad7c4c11f81cd5cfa
  SSDEEP: 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYS:v6Wq4aaE6KwyF5L0Y2D1PqLl
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  process: svhost.exe
Executes dropped EXE (1 IoC)
  pid 1644, process svhost.exe
UPX packed file (19 IoCs, yara_rule: upx)
  behavioral1/memory/2208-0-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/files/0x0008000000012267-4.dat
  behavioral1/files/0x0007000000018f72-65.dat
  behavioral1/memory/2208-492-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-761-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-1348-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-1621-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-2388-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-3705-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-4756-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-5814-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-6767-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-8056-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-9111-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-10155-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-11214-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-12536-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-13595-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-14648-0x0000000000400000-0x00000000004C2000-memory.dmp
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by svhost.exe: \??\i:, \??\m:, \??\o:, \??\p:, \??\x:, \??\y:, \??\h:, \??\l:, \??\n:, \??\q:, \??\t:, \??\w:, \??\z:, \??\b:, \??\k:, \??\r:, \??\u:, \??\v:, \??\a:, \??\e:, \??\g:, \??\j:, \??\s:
AutoIT Executable (16 IoCs, yara_rule: autoit_exe)
AutoIT scripts compiled to PE executables.
  behavioral1/memory/2208-492-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-761-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-1348-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-1621-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-2388-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-3705-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-4756-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-5814-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-6767-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-8056-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-9111-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-10155-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-11214-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-12536-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-13595-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1644-14648-0x0000000000400000-0x00000000004C2000-memory.dmp
Drops file in Windows directory (2 IoCs)
  File opened for modification: C:\Windows\Driver.db (process svhost.exe)
  File created: C:\Windows\svhost.exe (process 260cde1a1cce95cdd88a529a10c4ee5e.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2208, process 260cde1a1cce95cdd88a529a10c4ee5e.exe
  pid 1644, process svhost.exe (3 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1644, process svhost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid 2208, process 260cde1a1cce95cdd88a529a10c4ee5e.exe (12 entries)
  pid 1644, process svhost.exe (52 entries)
Suspicious use of SendNotifyMessage (64 IoCs)
  pid 2208, process 260cde1a1cce95cdd88a529a10c4ee5e.exe (12 entries)
  pid 1644, process svhost.exe (52 entries)
Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2208 wrote to memory of 1644
  pid 2208, process 260cde1a1cce95cdd88a529a10c4ee5e.exe, procid_target 28 (4 identical entries)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\260cde1a1cce95cdd88a529a10c4ee5e.exe (PID 2208)
     command line: "C:\Users\Admin\AppData\Local\Temp\260cde1a1cce95cdd88a529a10c4ee5e.exe"
     - Drops file in Windows directory
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of FindShellTrayWindow
     - Suspicious use of SendNotifyMessage
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\svhost.exe (PID 1644, child of PID 2208)
        command line: C:\Windows\svhost.exe
        - Modifies visibility of file extensions in Explorer
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 298KB
  MD5: a7ce32f43cad075a256bc1c71008b41b
  SHA1: 7d0dc82b9d7fc8b43537806bbda7d1b5f7052faa
  SHA256: 5c02328e0ff9d816b6e2080e1260df2205335eb4189f9bd5f36ba18dc4dce424
  SHA512: e50ede8cc6cb41254c7ccd103973a59ddb537a1ed632087705eb799e1199766cef4f22dc11d46520d7d4621857344fe5d5c2176c91756b5641db1bf55759e771

  Filesize: 82B
  MD5: c2d2dc50dca8a2bfdc8e2d59dfa5796d
  SHA1: 7a6150fc53244e28d1bcea437c0c9d276c41ccad
  SHA256: b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960
  SHA512: 6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

  Filesize: 298KB
  MD5: e1faaf415d625a16f1224228b8d3e7fa
  SHA1: 2fd3fa27c85cc1aa0bcd39645a68fe9afe57bdb0
  SHA256: 86c5791288f99bb409b582270c41d5fdb624bd471d72f4bc62590c1ce12e0d78
  SHA512: f4deaaec680e4fe98be009265fe610ae79b03d9295711c7ef0e100a6862ef37706fb3f96a439841c39ea8ac70d7debe61114c9b800e8bee2790980e03c0cb10f