Analysis

max time kernel: 7s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 13:46

Behavioral task: behavioral1
Sample: 1a7ae3f875f7ffc750bb01daf97e1c39.exe
Resource: win7-20231215-en
General

Target: 1a7ae3f875f7ffc750bb01daf97e1c39.exe
Size: 298KB
MD5: 1a7ae3f875f7ffc750bb01daf97e1c39
SHA1: e7f236aef2a9bcd32a337fecf5115ea31dc16b12
SHA256: 38a76c957f6bbe2a33ef0847b65db45e50e070729f0b71c8f149c4d5668e4683
SHA512: 97dc551cd5f1c33b8618217a47c7f3b0287bdad8c20b8ac4d1257ccd3645eeffd097836c848aa5f34eaac80eee33212d60dd93379c96c7d98e5a53de8bd8de29
SSDEEP: 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYu:v6Wq4aaE6KwyF5L0Y2D1PqLl
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                         Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  svhost.exe
Executes dropped EXE (1 IoC)
  pid   Process
  2528  svhost.exe
  resource                                                                  yara_rule
  behavioral1/memory/2220-0-0x0000000000400000-0x00000000004C2000-memory.dmp      upx
  behavioral1/files/0x000a00000001226e-7.dat                                      upx
  behavioral1/memory/2528-6-0x0000000000400000-0x00000000004C2000-memory.dmp      upx
  behavioral1/memory/2220-4-0x0000000003610000-0x00000000036D2000-memory.dmp      upx
  behavioral1/files/0x000a00000001226e-5.dat                                      upx
  behavioral1/memory/2220-718-0x0000000000400000-0x00000000004C2000-memory.dmp    upx
  behavioral1/memory/2528-1325-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral1/memory/2528-2389-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral1/memory/2528-3448-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral1/memory/2528-4768-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral1/memory/2528-5828-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral1/memory/2528-6886-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral1/memory/2528-7943-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral1/memory/2528-9269-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral1/memory/2528-10325-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/2528-11383-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/2528-12441-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/2528-13768-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/2528-14821-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/2528-15875-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc                                                                                                                          Process
  File opened (read-only)  \??\l: \??\x: \??\b: \??\i: \??\k: \??\p: \??\s: \??\v: \??\y: \??\z: \??\a: \??\g: \??\h: \??\m: \??\n: \??\o: \??\t: \??\w: \??\e: \??\j: \??\q: \??\r: \??\u:  svhost.exe
  (23 drive roots, every letter except c:, d: and f:, each opened read-only by svhost.exe)
AutoIT Executable (15 IoCs)
AutoIT scripts compiled to PE executables.
  resource                                                                  yara_rule
  behavioral1/memory/2220-718-0x0000000000400000-0x00000000004C2000-memory.dmp    autoit_exe
  behavioral1/memory/2528-1325-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral1/memory/2528-2389-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral1/memory/2528-3448-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral1/memory/2528-4768-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral1/memory/2528-5828-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral1/memory/2528-6886-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral1/memory/2528-7943-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral1/memory/2528-9269-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral1/memory/2528-10325-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/2528-11383-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/2528-12441-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/2528-13768-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/2528-14821-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/2528-15875-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
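Note the pattern in the two rule hit lists above: upx fires on the dropped files (behavioral1/files/...dat) as well as on the memory dumps, while autoit_exe fires only on the memory dumps. That is consistent with a UPX-packed AutoIt binary: on disk the script and runtime strings are still compressed, and they only become visible once the UPX stub has unpacked the image in the running process. The Python below is an added example written for this page, not the sandbox's own rule set (the report does not publish its rules). It does what such tags usually rest on: walk the PE section table for UPX0/UPX1 names and the UPX! magic, and scan for AutoIt runtime markers. The marker strings are assumptions about what such rules key on, and the two PE blobs are constructed stubs, not the sample.

```python
import struct

# Strings that AutoIt-detecting YARA rules commonly key on: the AU3 compiled-script
# magic and the banner the AutoIt3 runtime embeds. Assumption: the sandbox's
# autoit_exe rule matches something equivalent; the report does not publish it.
AUTOIT_MARKERS = (b"AU3!EA06", b"This is a third-party compiled AutoIt script.")


def pe_section_names(data: bytes) -> list:
    """Walk MZ -> e_lfanew -> COFF header -> section table and return section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]    # NumberOfSections
    size_opt_hdr = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + size_opt_hdr                              # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]            # 8-byte Name field
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def classify(data: bytes) -> dict:
    """Tag a PE image (file or memory dump) the way the report's upx/autoit_exe hits do."""
    names = pe_section_names(data)
    upx = any(n.startswith("UPX") for n in names) or b"UPX!" in data
    autoit = any(marker in data for marker in AUTOIT_MARKERS)
    return {"sections": names, "upx": upx, "autoit": autoit}


def build_stub_pe(section_names, body: bytes) -> bytes:
    """Constructed test input: a minimal, non-runnable PE32 with the given section names."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> right after DOS header
    opt = bytes(0xE0)                                       # zeroed PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + table + body


# Stand-in for the dropped file on disk: UPX sections, script still compressed.
PACKED = build_stub_pe(["UPX0", "UPX1", ".rsrc"], b"UPX!" + bytes(64))
# Stand-in for a memory dump of the same image after the UPX stub ran: the section
# table is unchanged (so upx still hits) but the AutoIt marker is now in the clear.
DUMPED = build_stub_pe(["UPX0", "UPX1", ".rsrc"], b"UPX!" + bytes(16) + b"AU3!EA06" + bytes(16))

if __name__ == "__main__":
    for label, blob in (("on-disk", PACKED), ("memory dump", DUMPED)):
        print(label, classify(blob))
```

The same section-table walk is what an analyst would run against behavioral1/files/0x000a00000001226e-7.dat before and after `upx -d`; a string scan alone on the packed file misses the AutoIt markers, which is exactly the gap between the two hit lists above.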
Drops file in Windows directory (2 IoCs)
  description                   ioc                    Process
  File created                  C:\Windows\svhost.exe  1a7ae3f875f7ffc750bb01daf97e1c39.exe
  File opened for modification  C:\Windows\Driver.db   svhost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
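The IoC rows above (the HideFileExt write, the drop of svhost.exe into C:\Windows, the read-only opens of 23 drive roots) translate directly into host-side detection logic. One caveat a responder should carry over: the legitimate Windows Service Host is C:\Windows\System32\svchost.exe, so a binary called svhost.exe in C:\Windows is a lookalike name, not a misplaced system file. The Python below is an added example written for this page, not a tool from the sandbox or the report; the event lines are constructed to mirror the IoC rows, and the five-drive threshold and the short list of system binary names are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed event lines in the same shape as the report's IoC rows (not copied
# from a live run). The trailing token is the acting process.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" svhost.exe',
    r'File created C:\Windows\svhost.exe 1a7ae3f875f7ffc750bb01daf97e1c39.exe',
    r'File opened for modification C:\Windows\Driver.db svhost.exe',
] + [rf'File opened (read-only) \??\{d}: svhost.exe' for d in "abeghijklmnopqrstuvwxyz"]

PATTERNS = {
    "regset": re.compile(r'^Set value \((\w+)\) (\S+) = "([^"]*)" (\S+)$'),
    "create": re.compile(r'^File created (\S+) (\S+)$'),
    "open": re.compile(r'^File opened (?:\(read-only\)|for modification) (\S+) (\S+)$'),
}
DRIVE_RX = re.compile(r"\\\?\?\\([a-z]):", re.I)          # matches \??\x: drive-root opens

# Assumptions: names worth typosquat-checking, and how many distinct drive roots
# one process may touch before it counts as enumeration.
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
DRIVE_ENUM_THRESHOLD = 5


def parse_event(line):
    """Return (kind, fields) for a recognised IoC row, or None."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line)
        if m:
            return kind, m.groups()
    return None


def levenshtein(a, b):
    """Edit distance; svhost.exe is one deletion away from svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(name):
    n = name.lower()
    return n not in KNOWN_SYSTEM_BINARIES and any(levenshtein(n, k) == 1 for k in KNOWN_SYSTEM_BINARIES)


def analyze(lines):
    """Run the four rules over IoC-style rows and return {rule: [evidence, ...]}."""
    findings = defaultdict(list)
    drives = defaultdict(set)
    lookalikes = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        kind, fields = parsed
        proc = fields[-1]
        if is_lookalike(proc) and proc not in lookalikes:
            lookalikes.append(proc)
        if kind == "regset":
            _, key, value, _ = fields
            if key.lower().endswith(r"\explorer\advanced\hidefileext") and value == "1":
                findings["hides_file_extensions"].append(proc)
        elif kind == "create":
            path = PureWindowsPath(fields[0])
            # An .exe written to the root of C:\Windows, not to System32 or a subfolder.
            if path.suffix.lower() == ".exe" and str(path.parent).lower() == r"c:\windows":
                findings["drops_exe_in_windows_root"].append(str(path))
        elif kind == "open":
            m = DRIVE_RX.fullmatch(fields[0])
            if m:
                drives[proc].add(m.group(1).lower())
    for proc, letters in drives.items():
        if len(letters) >= DRIVE_ENUM_THRESHOLD:
            findings["enumerates_drives"].append((proc, len(letters)))
    if lookalikes:
        findings["lookalike_process_name"] = lookalikes
    return dict(findings)


if __name__ == "__main__":
    for rule, evidence in analyze(SAMPLE_EVENTS).items():
        print(f"{rule}: {evidence}")
```

The drive rule counts distinct letters per process rather than raw opens, so a process that polls d: repeatedly does not trip it, while the a: through z: sweep seen here does. The HideFileExt rule keys on the tail of the key path so it matches under any user SID, which matters because the SID in the report is specific to the sandbox image.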
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2220  1a7ae3f875f7ffc750bb01daf97e1c39.exe  (1 hit)
  2528  svhost.exe                            (3 hits)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2528  svhost.exe
Suspicious use of FindShellTrayWindow (21 IoCs)
  pid   Process
  2220  1a7ae3f875f7ffc750bb01daf97e1c39.exe  (11 hits)
  2528  svhost.exe                            (10 hits)
Suspicious use of SendNotifyMessage (21 IoCs)
  pid   Process
  2220  1a7ae3f875f7ffc750bb01daf97e1c39.exe  (11 hits)
  2528  svhost.exe                            (10 hits)
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                               procid_target
  PID 2220 wrote to memory of 2528  2220  1a7ae3f875f7ffc750bb01daf97e1c39.exe  22             (4 hits)
Processes

C:\Users\Admin\AppData\Local\Temp\1a7ae3f875f7ffc750bb01daf97e1c39.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a7ae3f875f7ffc750bb01daf97e1c39.exe"
  PID: 2220
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\svhost.exe (child of PID 2220)
    Command line: C:\Windows\svhost.exe
    PID: 2528
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 298KB
MD5: 9fbdfc5b663c509a332449008d518fb8
SHA1: 525e07cc7aefc555ca7e3282576ef18bf5085903
SHA256: acf385a3078a0bbace3a77ce8354cf801bf024468f1d15e2538130ec1bed8e7e
SHA512: 09922e6e75fb4cf5cbf682cd0840e88826c22983ca3fb41bfe5f96f098cfcf355221bd0c6163677552219819588d991a05be92a3578289c7f2366f4ebbb7de00