Analysis
max time kernel: 133s
max time network: 139s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2023 08:49
Behavioral task behavioral1: sample 611fb380f100e09a3a9e8921095cec69.exe, resource win7-20231215-en
Behavioral task behavioral2: sample 611fb380f100e09a3a9e8921095cec69.exe, resource win10v2004-20231215-en
General
Target: 611fb380f100e09a3a9e8921095cec69.exe
Size: 313KB
MD5: 611fb380f100e09a3a9e8921095cec69
SHA1: 01f14d2f38b4bc1ba3ff7102d9be6a50a896dd30
SHA256: 757a0048a1d896a4c04a16ba7548d4bc47d36ac1de950af48c159a41d4068b6b
SHA512: 9179e81da3650b23447bf70639e615bc86497508268d03c2b123e6060b8fe4b8e5da5189c15c714f349ae6adaca294d5d3d6990534f25ec645b851a93f1be040
SSDEEP: 6144:8YDhB6ActM8FbPt6a15RGkPNJAcb+k2WzoPiML3AYRYAe5mYkllxpyqfSJzZ:/9BvctM85t35JPNJj2WzoRLQYRYzmYm2
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 4 IoCs
Each value is written twice, once by each svchost.com instance:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\userinit.exe,C:\\Windows\\SysWOW64\\fdisk.com" (svchost.com, x2)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\SysWOW64\\fdisk.com" (svchost.com, x2)
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "2" (svchost.com, x2)
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.com, x2)
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
Disables RegEdit via registry modification 2 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (svchost.com, x2)
Disables Task Manager via registry modification
Sets file execution options in registry 2 TTPs 48 IoCs
For each of the twelve target images below, svchost.com creates the key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image> and sets its debugger value to "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis". Both the key creation and the value write are recorded once per svchost.com instance, which gives the 48 IoCs. Because Windows launches the IFEO debugger in place of the named image (passing the original path as an argument), any attempt to start one of these tools runs the dropped svchost.com with the Kll_dis argument instead.
Administration and diagnostic tools: regedit.exe, msconfig.exe, mmc.exe, resmon.exe, HijackThis.exe
Security-product processes: AVGNT.EXE, AVP.EXE, ashdisp.exe, pctsgui.exe, pctstray.exe, USBGUARD.EXE, VPTRAY.EXE
Drops startup file 2 IoCs
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe (svchost.com)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe (svchost.com)
Executes dropped EXE 4 IoCs
PID 2968 svchost.com; PID 2980 cftmon.exe; PID 2656 svchost.com; PID 2732 cftmon.exe
Loads dropped DLL 64 IoCs
64 load events: 4 from PID 2512 (611fb380f100e09a3a9e8921095cec69.exe), 5 from PID 2968 (svchost.com), 2 from PID 2980 (cftmon.exe) and the remaining 53 from PID 2656 (svchost.com).
YARA rule upx (UPX-packed code) matched the 0x0000000000400000-0x00000000004BF000 image region in memory dumps of every process in the tree (behavioral1, dump numbers per PID):
PID 2512: 0, 19
PID 2968: 21, 131, 146, 257, 381, 402
PID 2980: 55, 68
PID 2656: 69, 147, 165, 188, 242, 258, 311, 357, 368, 382, 387, 390, 393, 396, 403, 408
PID 2732: 73, 148, 166, 189, 243, 259, 312, 358, 369, 383, 388, 391, 394, 397, 404
Adds Run key to start application 2 TTPs 8 IoCs
Each value is written twice, once by each svchost.com instance:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif" (svchost.com, x2)
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif" (svchost.com, x2)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Windows\\SysWOW64\\fdisk.com" (svchost.com, x2)
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com" (svchost.com, x2)
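The registry signatures above (Winlogon Userinit/Shell, the Explorer visibility values, DisableRegistryTools, the IFEO debugger entries and the Run keys) are all one-line events in the sandbox's "Set value (...) key = "data" process" shape, which makes them easy to turn into detection logic. The script below is an added example, not part of the report and not the sandbox's own code: it parses events in that shape and applies one rule per signature. The SAMPLE_EVENTS list is constructed from a subset of this report's IoCs plus one benign Run-key write as a control; the USER_WRITABLE path fragments and ODD_AUTOSTART_EXTS extensions are assumed heuristics, not a complete allow/deny list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of this report's registry events in the sandbox's
# own line shape, plus one benign Run-key write (last line) that must not alert.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\userinit.exe,C:\\Windows\\SysWOW64\\fdisk.com" svchost.com
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\SysWOW64\\fdisk.com" svchost.com
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE svchost.com
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif" svchost.com
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" svchost.com
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.com
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Program Files\\Windows Defender\\MSASCuiL.exe" msiexec.exe
""".strip().splitlines()

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (.+) (\S+)$')

# Assumed heuristics: autostart entries should not normally live in these
# user-writable trees or use these extensions.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\templates\\", "\\users\\public\\")
ODD_AUTOSTART_EXTS = (".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js")


@dataclass
class RegEvent:
    op: str        # "set" or "create"
    key: str       # key path, lower-cased
    name: str      # value name, lower-cased ("" for key creation)
    data: str      # value data with the report's doubled backslashes collapsed
    process: str   # writing process, lower-cased


def parse_event(line: str) -> Optional[RegEvent]:
    """Parse one report line; returns None for lines in neither shape."""
    m = SET_RE.match(line)
    if m:
        _kind, path, data, proc = m.groups()
        key, _, name = path.rpartition("\\")
        return RegEvent("set", key.lower(), name.lower(), data.replace("\\\\", "\\"), proc.lower())
    m = KEY_RE.match(line)
    if m:
        path, proc = m.groups()
        return RegEvent("create", path.lower(), "", "", proc.lower())
    return None


Finding = Tuple[str, str, str]   # (rule, process, detail)


def check_event(ev: RegEvent) -> Optional[Finding]:
    """Apply one persistence/tamper rule per signature class to a single event."""
    if ev.key.endswith("\\winlogon") and ev.name == "userinit":
        # Userinit is a comma list; anything besides userinit.exe runs at every logon.
        extra = [p for p in ev.data.split(",") if p and not p.lower().endswith("\\userinit.exe")]
        if extra:
            return ("winlogon_userinit", ev.process, extra[0])
    elif ev.key.endswith("\\winlogon") and ev.name == "shell":
        # Shell is a space-separated list; anything besides explorer.exe is started as a shell.
        extra = [p for p in ev.data.split() if p.lower() != "explorer.exe"]
        if extra:
            return ("winlogon_shell", ev.process, extra[0])
    elif "\\image file execution options\\" in ev.key:
        target = ev.key.rsplit("\\", 1)[1]
        if ev.op == "set" and ev.name == "debugger":
            # Windows starts the "debugger" instead of the target image, so this
            # hijacks every launch of that program.
            return ("ifeo_debugger", ev.process, f"{target} -> {ev.data}")
        if ev.op == "create":
            return ("ifeo_key_created", ev.process, target)
    elif ev.key.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        d = ev.data.lower()
        if any(t in d for t in USER_WRITABLE) or d.endswith(ODD_AUTOSTART_EXTS):
            return ("run_key_suspicious", ev.process, f"{ev.name} = {ev.data}")
    elif ev.key.endswith("\\policies\\system") and ev.name in ("disableregistrytools", "disabletaskmgr"):
        if ev.data == "1":
            return ("admin_tool_disabled", ev.process, ev.name)
    elif ev.key.endswith("\\explorer\\advanced") and ev.name in ("hidefileext", "showsuperhidden"):
        # These are ordinary user preferences; the signal is a writer other than Explorer.
        if ev.process != "explorer.exe":
            return ("explorer_hiding_changed", ev.process, f"{ev.name} = {ev.data}")
    return None


def scan(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        ev = parse_event(line.strip())
        if ev is not None:
            f = check_event(ev)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for rule, proc, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:24} {proc:14} {detail}")
```

Run against the constructed sample, scan() returns seven findings (the benign Defender Run key produces none). The Winlogon rules compare against the documented list semantics of Userinit and Shell rather than a fixed default string, so they also catch the SysWOW64 path this sample writes; the IFEO rule alerts on any debugger value because legitimate use of that value on a production host is rare enough to be worth a look every time.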
Drops desktop.ini file(s) 5 IoCs
File opened for modification C:\Users\Admin\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini (svchost.com)
File opened for modification C:\Users\Admin\Templates\cache\desktop.ini (svchost.com)
File opened for modification \??\c:\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini (svchost.com)
File opened for modification \??\f:\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini (svchost.com)
File opened for modification C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini (611fb380f100e09a3a9e8921095cec69.exe)
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
svchost.com opens \??\a:, \??\b:, \??\e: and \??\g: through \??\z: read-only (every letter except c:, d: and f:), each once per svchost.com instance: 23 letters x 2 = 46 opens.
AutoIT Executable 40 IoCs
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched the same 0x0000000000400000-0x00000000004BF000 region as the upx rule above, in every dump except 2512-0 (behavioral1, dump numbers per PID):
PID 2512: 19
PID 2968: 21, 131, 146, 257, 381, 402
PID 2980: 55, 68
PID 2656: 69, 147, 165, 188, 242, 258, 311, 357, 368, 382, 387, 390, 393, 396, 403, 408
PID 2732: 73, 148, 166, 189, 243, 259, 312, 358, 369, 383, 388, 391, 394, 397, 404
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
File opened for modification C:\\autorun.inf (svchost.com)
File opened for modification \??\f:\autorun.inf (svchost.com)
File opened for modification F:\\autorun.inf (svchost.com)
File opened for modification \??\c:\autorun.inf (svchost.com)
Drops file in System32 directory 2 IoCs
File created C:\Windows\SysWOW64\fdisk.com (svchost.com)
File opened for modification C:\Windows\SysWOW64\fdisk.com (svchost.com)
Drops file in Program Files directory 1 IoCs
File created C:\Program Files (x86)\Common Files\System\cftmon.exe (svchost.com)
Drops file in Windows directory 1 IoCs
File created C:\Windows\Help\cliconf.chm (svchost.com)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
64 process-enumeration events: 1 from PID 2512 (611fb380f100e09a3a9e8921095cec69.exe), 13 from PID 2968 (svchost.com), 1 from PID 2656 (svchost.com) and 49 from PID 2732 (cftmon.exe).
Suspicious use of WriteProcessMemory 16 IoCs
Each parent-to-child write is recorded four times:
PID 2512 (611fb380f100e09a3a9e8921095cec69.exe) wrote to memory of PID 2968 (svchost.com)
PID 2968 (svchost.com) wrote to memory of PID 2980 (cftmon.exe)
PID 2968 (svchost.com) wrote to memory of PID 2656 (svchost.com)
PID 2980 (cftmon.exe) wrote to memory of PID 2732 (cftmon.exe)
These records establish the launch chain 2512 -> 2968 -> {2980, 2656} and 2980 -> 2732, even though the process tree below shows the cftmon.exe instances and the second svchost.com as top-level processes.
Processes
C:\Users\Admin\AppData\Local\Temp\611fb380f100e09a3a9e8921095cec69.exe (PID 2512)
  command line: "C:\Users\Admin\AppData\Local\Temp\611fb380f100e09a3a9e8921095cec69.exe"
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\svchost.com (PID 2968)
    command line: "C:\Users\Admin\AppData\Local\Temp\svchost.com"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Sets file execution options in registry
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (PID 1532)
      command line: "C:\Windows\System32\net.exe" user /add Network_Service
      C:\Windows\SysWOW64\net1.exe (PID 2080)
        command line: C:\Windows\system32\net1 user /add Network_Service
    C:\Windows\SysWOW64\net.exe (PID 1720)
      command line: "C:\Windows\System32\net.exe" user Network_Service 1016760
      C:\Windows\SysWOW64\net1.exe (PID 2516)
        command line: C:\Windows\system32\net1 user Network_Service 1016760
    C:\Windows\SysWOW64\net.exe (PID 2720)
      command line: "C:\Windows\System32\net.exe" localgroup administrators Network_Service /add
    C:\Windows\SysWOW64\net.exe (PID 696)
      command line: "C:\Windows\System32\net.exe" user guest guest
    C:\Windows\SysWOW64\net.exe (PID 1696)
      command line: "C:\Windows\System32\net.exe" share SYS_f=f:\
    C:\Windows\SysWOW64\net.exe (PID 1680)
      command line: "C:\Windows\System32\net.exe" share SYS_c=c:\
C:\Program Files (x86)\Common Files\System\cftmon.exe (PID 2732)
  command line: "C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -r
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\svchost.com (PID 2656)
  command line: C:\Users\Admin\AppData\Local\Temp\svchost.com keep_fucking
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Common Files\System\cftmon.exe (PID 2980)
  command line: "C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -in
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\net1.exe (PID 2596)
  command line: C:\Windows\system32\net1 share SYS_c=c:\
C:\Windows\SysWOW64\net1.exe (PID 2520)
  command line: C:\Windows\system32\net1 localgroup administrators Network_Service /add
C:\Windows\SysWOW64\net1.exe (PID 1760)
  command line: C:\Windows\system32\net1 user guest guest
C:\Windows\SysWOW64\net1.exe (PID 2660)
  command line: C:\Windows\system32\net1 share SYS_f=f:\
The processes after PID 2968's subtree are shown by the sandbox without a parent. The WriteProcessMemory records above link 2980 and 2656 to 2968 and 2732 to 2980, and the four unparented net1.exe instances carry the same arguments as the net.exe children of 2968 (net.exe hands its work to net1.exe). Taken together, the net.exe activity creates a local account Network_Service with the password 1016760, adds it to the local Administrators group, sets the guest account's password to guest, and shares the roots of c: and f: as SYS_c and SYS_f.
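The net.exe command lines in the tree are the most actionable part of this report for a responder: account creation, a clear-text password, an Administrators membership change and two drive-root shares, all from one parent. The script below is an added example, not part of the report and not the sandbox's own code: it classifies net.exe/net1.exe command lines by sub-command and switches and then correlates the results so that an account that is both created and added to Administrators in the same tree is reported as a rogue admin account. SAMPLE_CMDLINES is constructed from this report's net.exe children of PID 2968 (the net1.exe copies are omitted because they repeat the same arguments) plus two benign controls; the rule names are assumptions for illustration.

```python
import ntpath
import re
from typing import List, Optional, Set, Tuple

# Constructed sample: this report's net.exe command lines plus two benign
# controls (a drive mapping and a non-net process) that the rules must ignore.
SAMPLE_CMDLINES = [
    '"C:\\Windows\\System32\\net.exe" user /add Network_Service',
    '"C:\\Windows\\System32\\net.exe" user Network_Service 1016760',
    '"C:\\Windows\\System32\\net.exe" localgroup administrators Network_Service /add',
    '"C:\\Windows\\System32\\net.exe" user guest guest',
    '"C:\\Windows\\System32\\net.exe" share SYS_f=f:\\',
    '"C:\\Windows\\System32\\net.exe" share SYS_c=c:\\',
    '"C:\\Windows\\System32\\net.exe" use Z: \\\\fileserver\\docs /persistent:no',
    '"C:\\Windows\\explorer.exe"',
]

NET_IMAGES = {"net.exe", "net", "net1.exe", "net1"}
DRIVE_ROOT = re.compile(r"^[a-z]:\\?$")   # e.g. "c:" or "c:\" : sharing a whole volume

Finding = Tuple[str, str]   # (rule, detail)


def classify_net_command(cmdline: str) -> Optional[Finding]:
    """Return a finding for one net.exe/net1.exe command line, or None."""
    tokens = [t.strip('"') for t in cmdline.split()]
    # ntpath handles the Windows path regardless of the host OS this runs on.
    if not tokens or ntpath.basename(tokens[0]).lower() not in NET_IMAGES:
        return None
    sub = tokens[1].lower() if len(tokens) > 1 else ""
    args = tokens[2:]
    switches = {a.lower() for a in args if a.startswith("/")}
    positional = [a for a in args if not a.startswith("/")]
    if sub == "user" and "/add" in switches and positional:
        return ("account_created", positional[0])
    if sub == "user" and len(positional) == 2 and not switches:
        # `net user <name> <password>`: the password is set in clear text on the command line.
        return ("password_set", positional[0])
    if sub == "localgroup" and "/add" in switches and len(positional) >= 2:
        return ("group_member_added", f"{positional[1]} -> {positional[0]}")
    if sub == "share" and positional and "=" in positional[0]:
        name, _, path = positional[0].partition("=")
        if DRIVE_ROOT.match(path.lower()):
            return ("drive_root_shared", f"{name}={path}")
        return ("share_created", f"{name}={path}")
    return None


def triage(cmdlines: List[str]) -> Tuple[List[Finding], Set[str]]:
    """Classify every command line and correlate created accounts with
    Administrators membership changes. Returns (findings, rogue admin accounts)."""
    findings: List[Finding] = []
    created: Set[str] = set()
    admins: Set[str] = set()
    for cl in cmdlines:
        f = classify_net_command(cl)
        if f is None:
            continue
        findings.append(f)
        rule, detail = f
        if rule == "account_created":
            created.add(detail.lower())
        elif rule == "group_member_added":
            member, _, group = detail.partition(" -> ")
            if group.lower() == "administrators":
                admins.add(member.lower())
    return findings, created & admins


if __name__ == "__main__":
    found, rogue = triage(SAMPLE_CMDLINES)
    for rule, detail in found:
        print(f"{rule:20} {detail}")
    print("rogue admin accounts:", sorted(rogue))
```

On the constructed sample this yields six findings and one rogue admin account, network_service. Matching on sub-command and switches rather than on a fixed string keeps the rule working when the order of arguments changes (net accepts /add before or after the account name), and treating the net1.exe helper as equivalent to net.exe avoids missing the work when only the child is logged.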
Network
MITRE ATT&CK Enterprise v15
Persistence: Account Manipulation (1); Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Winlogon Helper DLL (1)
Privilege Escalation: Account Manipulation (1); Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Winlogon Helper DLL (1)
Defense Evasion: Hide Artifacts (2): Hidden Files and Directories (2); Modify Registry (5)