93f2621353ac918ab9adfaac4711a536025174864828f4ef738c45a3bdc28cb5

General

Target

08614fa7eccc14f39a2e5676d697cf2d.exe
Size

2.2MB
MD5

08614fa7eccc14f39a2e5676d697cf2d
SHA1

6474125a0cc6f37c2f9aa072b130b83d8301dc4a
SHA256

93f2621353ac918ab9adfaac4711a536025174864828f4ef738c45a3bdc28cb5
SHA512

8c3011004cca51ed6ae7a5008a5879d16f2e75138a05430207c02f4e3d75a1acf869d8706b0262796dc1d895adbb488ce16190f39a4c55a78e1bc836b2ef81f0
SSDEEP

49152:dEVUc5iEVUc5vEVUc5xEVUc5JEVUc5ZEVUc5cEZ:dE35iE35vE35xE35JE35ZE35cEZ

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svhost.exe

Executes dropped EXE 1 IoCs

pid	Process
5112	svhost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4088-0-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral2/memory/5112-5-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral2/files/0x000600000001e5df-4.dat	upx
behavioral2/files/0x000600000001e5df-3.dat	upx
behavioral2/files/0x000700000002320c-104.dat	upx
behavioral2/memory/4088-727-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral2/memory/5112-2578-0x0000000000400000-0x0000000000523000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\w:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\o:	svhost.exe
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\q:	svhost.exe
File opened (read-only)	\??\s:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4088-727-0x0000000000400000-0x0000000000523000-memory.dmp	autoit_exe
behavioral2/memory/5112-2578-0x0000000000400000-0x0000000000523000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	08614fa7eccc14f39a2e5676d697cf2d.exe
File opened for modification	C:\Windows\Driver.db	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
5112	svhost.exe
5112	svhost.exe
5112	svhost.exe
5112	svhost.exe
5112	svhost.exe
5112	svhost.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
5112	svhost.exe
5112	svhost.exe
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
5112	svhost.exe
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
5112	svhost.exe
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
5112	svhost.exe
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
5112	svhost.exe
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
5112	svhost.exe
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
5112	svhost.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
5112	svhost.exe
5112	svhost.exe
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
5112	svhost.exe
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
5112	svhost.exe
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
5112	svhost.exe
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
5112	svhost.exe
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
5112	svhost.exe
4088	08614fa7eccc14f39a2e5676d697cf2d.exe
5112	svhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 5112	4088	08614fa7eccc14f39a2e5676d697cf2d.exe	20
PID 4088 wrote to memory of 5112	4088	08614fa7eccc14f39a2e5676d697cf2d.exe	20
PID 4088 wrote to memory of 5112	4088	08614fa7eccc14f39a2e5676d697cf2d.exe	20

C:\Users\Admin\AppData\Local\Temp\08614fa7eccc14f39a2e5676d697cf2d.exe
"C:\Users\Admin\AppData\Local\Temp\08614fa7eccc14f39a2e5676d697cf2d.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Driver.db

Filesize
82B

MD5
c2d2dc50dca8a2bfdc8e2d59dfa5796d

SHA1
7a6150fc53244e28d1bcea437c0c9d276c41ccad

SHA256
b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960

SHA512
6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Download Submit
C:\Windows\svhost.exe

Filesize
25KB

MD5
0bed7e13b5c8ec39eb585e15bf4c8275

SHA1
8018b6aab8bd9ba187abf92483a59a35fc62e9fe

SHA256
6a21832eb25a707e28de63389e711756e23f867a948c738ca286c74ccf1061aa

SHA512
ad79cd1cfc5456160ec39f2130c89acebfa0460a929dbdc3dc5e4231ed29e6b2b7cfcd01ced90e975f25a46a8aef78518e24a10d300acf56714dbd6caae6f115

Download Submit
C:\Windows\svhost.exe

Filesize
39KB

MD5
d2f1622dd18cc70f575425980d2e35cd

SHA1
ea30122c8944ed4c2f2d44a5f69b1a2c1947528e

SHA256
3d33546a768ac9709d4c2d8eaf1acdac8241e7dd3de45f5be9340d7e3060128a

SHA512
a354dc4702feb62e236ddf2aabfc62c16e7d6c3a1a1c6449fa326de2928fe7453387f4dfb785704a7d16913b339246ebd9a3fce5b4889477fbc098d1ccb68ad4

Download Submit
C:\odt.exe

Filesize
1KB

MD5
f809dd882b293918724cad539af73411

SHA1
89b2300abe68f8544f25c839f3e35145afb94ba2

SHA256
3ed247ef2cc324de01e2416104ecb6070a7a5eec70c594e82edd691c71b57684

SHA512
038d960d3a26fe94803f21f723f569c3e921671196c490034380878d86caa1d369377bb2b2891a83d543cb5f3b16494b6bc21bdd95d1a3709e5e88e8ecd26690

Download Submit
memory/4088-0-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/4088-727-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/5112-5-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/5112-2578-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing