06f2d85207547bebab88214e1e8ca0bd346c71d37a4bf20866db1ab64e508545

Analysis

max time kernel
98s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

285109884a3ceb26ce01a1dbf032d3c1.exe
Size

298KB
MD5

285109884a3ceb26ce01a1dbf032d3c1
SHA1

6a5e686261ea0a2ec9783376884cf816bd1b7537
SHA256

06f2d85207547bebab88214e1e8ca0bd346c71d37a4bf20866db1ab64e508545
SHA512

adf07cab2a6f180b6f733fab8c5a17de734dab850de1c468a229aed7228a7687fbad224dfad70508339743a42737869531da8fe937b99b3085b0c95c5272795d
SSDEEP

6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYk:v6Wq4aaE6KwyF5L0Y2D1PqLn

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svhost.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	svhost.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2688-0-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/files/0x0009000000012281-4.dat	upx
behavioral1/memory/2840-7-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2688-5-0x00000000035A0000-0x0000000003662000-memory.dmp	upx
behavioral1/files/0x0007000000014f08-67.dat	upx
behavioral1/memory/2688-591-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-1314-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-1752-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-2147-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-3207-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-4124-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-4760-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-5547-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-6599-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-7658-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-8693-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-9749-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-11077-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-12132-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-13186-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\s:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\q:	svhost.exe
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe
File opened (read-only)	\??\w:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\o:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe

AutoIT Executable 16 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2840-7-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2688-591-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2840-1314-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2840-1752-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2840-2147-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2840-3207-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2840-4124-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2840-4760-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2840-5547-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2840-6599-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2840-7658-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2840-8693-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2840-9749-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2840-11077-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2840-12132-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2840-13186-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	285109884a3ceb26ce01a1dbf032d3c1.exe
File opened for modification	C:\Windows\Driver.db	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2840	svhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2840	svhost.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2840	svhost.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2688	285109884a3ceb26ce01a1dbf032d3c1.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe
2840	svhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2840	2688	285109884a3ceb26ce01a1dbf032d3c1.exe	16
PID 2688 wrote to memory of 2840	2688	285109884a3ceb26ce01a1dbf032d3c1.exe	16
PID 2688 wrote to memory of 2840	2688	285109884a3ceb26ce01a1dbf032d3c1.exe	16
PID 2688 wrote to memory of 2840	2688	285109884a3ceb26ce01a1dbf032d3c1.exe	16

C:\Users\Admin\AppData\Local\Temp\285109884a3ceb26ce01a1dbf032d3c1.exe
"C:\Users\Admin\AppData\Local\Temp\285109884a3ceb26ce01a1dbf032d3c1.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings.exe

Filesize
92KB

MD5
60b7fa75a167b920903b5dda5a8c359a

SHA1
7b85cc85d5eb90472910fd1547ef6c264be66d05

SHA256
b39cc3473508cda062c07d9b8ac1357f4ec3d30ef7cbb046d0a53bfb7ff7c642

SHA512
ae8b8b519c16a1a950299dfd91af0762687ed9004701a82a98306fc45b2392807ba7049db2d40fc07f0c2369d817759a7f89f0a12c69e6183dd81ae976b6bdd5

Download Submit
C:\Windows\Driver.db

Filesize
82B

MD5
c2d2dc50dca8a2bfdc8e2d59dfa5796d

SHA1
7a6150fc53244e28d1bcea437c0c9d276c41ccad

SHA256
b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960

SHA512
6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Download Submit
C:\Windows\svhost.exe

Filesize
298KB

MD5
22fcf34fab55adbd128528267a3d860c

SHA1
46825e15fb7fd35d7f5f788982896409f0114c39

SHA256
a62975e5858f0abcf86359ee0dfff7e2384e0990682c7df6bd81a0ead5ca89ab

SHA512
901ad6446bf8212ad2909169926bdfae97e69b7d12d3a59a3f39a3b56ed44fde03b2504e918617c85ca0392308fd5017ae965d6f2e9d9ad6357206a30b17d572

Download Submit
memory/2688-595-0x00000000035A0000-0x0000000003662000-memory.dmp

Filesize
776KB

Download
memory/2688-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2688-5-0x00000000035A0000-0x0000000003662000-memory.dmp

Filesize
776KB

Download
memory/2688-591-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-2147-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-5547-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-1752-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-7-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-3207-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-4124-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-4760-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-1314-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-6599-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-7658-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-8693-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-9749-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-11077-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-12132-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-13186-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download