5c2e081d44a4f1bec60709490708f263caa2757dda8659812f9b7a45e114d298

Analysis

max time kernel
138s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 18:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

359b68351d21c4e22ee5b3f651b723cd.exe
Size

214KB
MD5

359b68351d21c4e22ee5b3f651b723cd
SHA1

ac205f4300745b049d20ee7b8140817232492847
SHA256

5c2e081d44a4f1bec60709490708f263caa2757dda8659812f9b7a45e114d298
SHA512

ee86c0ce982b781515480950d885c6af6ea5c1583fba4baec93149758113254c1df883b60a5e8a419443fd4ec8674067adfe638976f38348572a6b9d409b58fe
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DELU31fIcjMWoe0c8TilDcq1x:gDCwfG1bnxLEDu5yc8TO91x

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	359b68351d21c4e22ee5b3f651b723cd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	359b68351d21c4e22ee5b3f651b723cd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IXMQMCCR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IXMQMCCR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IXMQMCCR = "W_X_C.bat"	WScript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
1804	avscan.exe
1636	avscan.exe
2288	hosts.exe
4972	hosts.exe
4940	avscan.exe
4316	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	359b68351d21c4e22ee5b3f651b723cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	359b68351d21c4e22ee5b3f651b723cd.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	359b68351d21c4e22ee5b3f651b723cd.exe
File created	\??\c:\windows\W_X_C.bat	359b68351d21c4e22ee5b3f651b723cd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	359b68351d21c4e22ee5b3f651b723cd.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
4860	REG.exe
2120	REG.exe
4420	REG.exe
4284	REG.exe
2244	REG.exe
2080	REG.exe
636	REG.exe
2152	REG.exe
2960	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1804	avscan.exe
2288	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2828	359b68351d21c4e22ee5b3f651b723cd.exe
1804	avscan.exe
1636	avscan.exe
2288	hosts.exe
4972	hosts.exe
4940	avscan.exe
4316	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 4860	2828	359b68351d21c4e22ee5b3f651b723cd.exe	90
PID 2828 wrote to memory of 4860	2828	359b68351d21c4e22ee5b3f651b723cd.exe	90
PID 2828 wrote to memory of 4860	2828	359b68351d21c4e22ee5b3f651b723cd.exe	90
PID 2828 wrote to memory of 1804	2828	359b68351d21c4e22ee5b3f651b723cd.exe	93
PID 2828 wrote to memory of 1804	2828	359b68351d21c4e22ee5b3f651b723cd.exe	93
PID 2828 wrote to memory of 1804	2828	359b68351d21c4e22ee5b3f651b723cd.exe	93
PID 1804 wrote to memory of 1636	1804	avscan.exe	108
PID 1804 wrote to memory of 1636	1804	avscan.exe	108
PID 1804 wrote to memory of 1636	1804	avscan.exe	108
PID 1804 wrote to memory of 3280	1804	avscan.exe	94
PID 1804 wrote to memory of 3280	1804	avscan.exe	94
PID 1804 wrote to memory of 3280	1804	avscan.exe	94
PID 2828 wrote to memory of 4452	2828	359b68351d21c4e22ee5b3f651b723cd.exe	107
PID 2828 wrote to memory of 4452	2828	359b68351d21c4e22ee5b3f651b723cd.exe	107
PID 2828 wrote to memory of 4452	2828	359b68351d21c4e22ee5b3f651b723cd.exe	107
PID 4452 wrote to memory of 4972	4452	cmd.exe	97
PID 4452 wrote to memory of 4972	4452	cmd.exe	97
PID 4452 wrote to memory of 4972	4452	cmd.exe	97
PID 3280 wrote to memory of 2288	3280	cmd.exe	103
PID 3280 wrote to memory of 2288	3280	cmd.exe	103
PID 3280 wrote to memory of 2288	3280	cmd.exe	103
PID 2288 wrote to memory of 4940	2288	hosts.exe	101
PID 2288 wrote to memory of 4940	2288	hosts.exe	101
PID 2288 wrote to memory of 4940	2288	hosts.exe	101
PID 2288 wrote to memory of 1948	2288	hosts.exe	98
PID 2288 wrote to memory of 1948	2288	hosts.exe	98
PID 2288 wrote to memory of 1948	2288	hosts.exe	98
PID 1948 wrote to memory of 4316	1948	cmd.exe	102
PID 1948 wrote to memory of 4316	1948	cmd.exe	102
PID 1948 wrote to memory of 4316	1948	cmd.exe	102
PID 4452 wrote to memory of 4172	4452	cmd.exe	104
PID 4452 wrote to memory of 4172	4452	cmd.exe	104
PID 4452 wrote to memory of 4172	4452	cmd.exe	104
PID 3280 wrote to memory of 3972	3280	cmd.exe	106
PID 3280 wrote to memory of 3972	3280	cmd.exe	106
PID 3280 wrote to memory of 3972	3280	cmd.exe	106
PID 1948 wrote to memory of 3560	1948	cmd.exe	105
PID 1948 wrote to memory of 3560	1948	cmd.exe	105
PID 1948 wrote to memory of 3560	1948	cmd.exe	105
PID 1804 wrote to memory of 2080	1804	avscan.exe	117
PID 1804 wrote to memory of 2080	1804	avscan.exe	117
PID 1804 wrote to memory of 2080	1804	avscan.exe	117
PID 2288 wrote to memory of 2120	2288	hosts.exe	119
PID 2288 wrote to memory of 2120	2288	hosts.exe	119
PID 2288 wrote to memory of 2120	2288	hosts.exe	119
PID 2288 wrote to memory of 2152	2288	hosts.exe	126
PID 2288 wrote to memory of 2152	2288	hosts.exe	126
PID 2288 wrote to memory of 2152	2288	hosts.exe	126
PID 1804 wrote to memory of 636	1804	avscan.exe	125
PID 1804 wrote to memory of 636	1804	avscan.exe	125
PID 1804 wrote to memory of 636	1804	avscan.exe	125
PID 2288 wrote to memory of 2960	2288	hosts.exe	130
PID 2288 wrote to memory of 2960	2288	hosts.exe	130
PID 2288 wrote to memory of 2960	2288	hosts.exe	130
PID 1804 wrote to memory of 4420	1804	avscan.exe	132
PID 1804 wrote to memory of 4420	1804	avscan.exe	132
PID 1804 wrote to memory of 4420	1804	avscan.exe	132
PID 2288 wrote to memory of 4284	2288	hosts.exe	139
PID 2288 wrote to memory of 4284	2288	hosts.exe	139
PID 2288 wrote to memory of 4284	2288	hosts.exe	139
PID 1804 wrote to memory of 2244	1804	avscan.exe	138
PID 1804 wrote to memory of 2244	1804	avscan.exe	138
PID 1804 wrote to memory of 2244	1804	avscan.exe	138

C:\Users\Admin\AppData\Local\Temp\359b68351d21c4e22ee5b3f651b723cd.exe
"C:\Users\Admin\AppData\Local\Temp\359b68351d21c4e22ee5b3f651b723cd.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:4860
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2120
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2152
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2960
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:4284
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:3972
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1636
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2080
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:636
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4420
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4452

C:\windows\hosts.exe
C:\windows\hosts.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948
- C:\windows\hosts.exe
  C:\windows\hosts.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4316
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
  2⤵
  - Adds policy Run key to start application
  PID:3560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4940

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
1⤵
- Adds policy Run key to start application
PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
214KB

MD5
43beccdaf50eed86f5c318631c6cf59d

SHA1
9e7fac29b2fc46882384d075914493fce2f18425

SHA256
111ab073849d239938a1a1baebdd43d8729fcdb7437617263469adbded85e964

SHA512
43c132443e0688b27d1c38d0e1051e13ed59efea68cd5565824925ee6f592414b4de97f7bcaf586e7418abe03599e44ddd89401765defa13b7552daa774506dc

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
2493f4ae056cfcf649111e3f94e2db10

SHA1
1b4bfa3781c3b37f36bb73eca97b44b71a3c3439

SHA256
0a7796fefed00994ac3eef02a1dd003d746fa8ca8b4e7c80a43e80ba05958565

SHA512
2d2db08e83170d3ac2bc1cce06e283e8e8d5a8f4b9d06289c9e9ff0d576a189723bc4cf823698a7d9e8f211b2442f0049cdeb69d3f4d5f008c933a23f3c6346e

Download Submit
C:\windows\hosts.exe

Filesize
214KB

MD5
0df1ca709bdc67999c6c25b13fbbef31

SHA1
6b848c69f9870bf78e48606bb9549985d9614b8e

SHA256
29bb8d7ee627e35cbd2c19703f44e08f4202424f64d9c541f6b0f82fbb098181

SHA512
38298b94cbd6b5089b99d664b513374fe4ff1208e011874f00f63f4dd62576ffd8f2cb01dcb1bf0509cf7692cab17b76bbbe08ce41aa3753b74a2a1ca9f1dbbc

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads