Analysis
max time kernel: 44s
max time network: 88s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 05:16
Behavioral task: behavioral1
Sample: 0fcb352c0774261bf11d109698e80cdc.exe
Resource: win7-20231215-en
General
Target: 0fcb352c0774261bf11d109698e80cdc.exe
Size: 298KB
MD5: 0fcb352c0774261bf11d109698e80cdc
SHA1: 6d5d61e0d3aa52153f1e4ad1d274abc1f57283ad
SHA256: 02e86a0308e4e37ded6bfc19461caffb6efe10a573e6921552d039d396090444
SHA512: 26d75dce444fbc29c7dfb59b81cb863232e2b5ae9d18181c1d75a81ddbb31c8aa5c52d0b242eecc1588ab2ecc6bac28d6df48f3a35ba22a7a32353350eb9cb84
SSDEEP: 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYv:v6Wq4aaE6KwyF5L0Y2D1PqLC
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" by svhost.exe
Executes dropped EXE (1 IoCs)
- pid 4588 svhost.exe
yara_rule upx (10 IoCs)
- behavioral2/memory/3920-0-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral2/files/0x000400000001e96f-3.dat
- behavioral2/memory/4588-5-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral2/memory/3920-783-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral2/memory/4588-1323-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral2/memory/4588-2380-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral2/memory/4588-2655-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral2/memory/4588-3446-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral2/memory/4588-4504-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral2/memory/4588-5820-0x0000000000400000-0x00000000004C2000-memory.dmp
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by svhost.exe: \??\p:, \??\q:, \??\s:, \??\e:, \??\i:, \??\k:, \??\l:, \??\v:, \??\b:, \??\g:, \??\n:, \??\t:, \??\r:, \??\u:, \??\w:, \??\z:, \??\a:, \??\h:, \??\m:, \??\o:, \??\j:, \??\x:, \??\y:
AutoIT Executable (7 IoCs)
AutoIT scripts compiled to PE executables.
yara_rule autoit_exe:
- behavioral2/memory/3920-783-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral2/memory/4588-1323-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral2/memory/4588-2380-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral2/memory/4588-2655-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral2/memory/4588-3446-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral2/memory/4588-4504-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral2/memory/4588-5820-0x0000000000400000-0x00000000004C2000-memory.dmp
Drops file in Windows directory (2 IoCs)
- File created C:\Windows\svhost.exe by 0fcb352c0774261bf11d109698e80cdc.exe
- File opened for modification C:\Windows\Driver.db by svhost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (8 IoCs)
- pid 3920 0fcb352c0774261bf11d109698e80cdc.exe (2 entries)
- pid 4588 svhost.exe (6 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- pid 4588 svhost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
- pid 3920 0fcb352c0774261bf11d109698e80cdc.exe and pid 4588 svhost.exe (64 repeated entries)
Suspicious use of SendNotifyMessage (64 IoCs)
- pid 3920 0fcb352c0774261bf11d109698e80cdc.exe and pid 4588 svhost.exe (64 repeated entries)
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 3920 (0fcb352c0774261bf11d109698e80cdc.exe) wrote to memory of PID 4588, procid_target 92 (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0fcb352c0774261bf11d109698e80cdc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0fcb352c0774261bf11d109698e80cdc.exe"
   PID: 3920
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. (child) C:\Windows\svhost.exe
      Command line: C:\Windows\svhost.exe
      PID: 4588
      - Modifies visibility of file extensions in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92KB
  MD5: 60b7fa75a167b920903b5dda5a8c359a
  SHA1: 7b85cc85d5eb90472910fd1547ef6c264be66d05
  SHA256: b39cc3473508cda062c07d9b8ac1357f4ec3d30ef7cbb046d0a53bfb7ff7c642
  SHA512: ae8b8b519c16a1a950299dfd91af0762687ed9004701a82a98306fc45b2392807ba7049db2d40fc07f0c2369d817759a7f89f0a12c69e6183dd81ae976b6bdd5