Analysis
max time kernel: 19s
max time network: 119s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03-01-2024 15:22
Behavioral task: behavioral1
Sample: 1e707431e8e5175d240134f8877b5222.exe
Resource: win7-20231215-en
General
Target: 1e707431e8e5175d240134f8877b5222.exe
Size: 298KB
MD5: 1e707431e8e5175d240134f8877b5222
SHA1: d459f2ccca18584e7861ed7af393b185b416ce35
SHA256: 29f75f441b9fe700d62f0b8ca1aa6027517b161c2c9674533925af3fe1d4e246
SHA512: 1ad3a8f1441496135c4151dab757c6e13271c35c73b4ac24f96431dadc759648a6d0999b789cc7784785c22c875d887ffd08d15c36a1775e04d7c442eaa14aad
SSDEEP: 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYF:v6Wq4aaE6KwyF5L0Y2D1PqLU
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description        ioc                                                                                                                                        Process
Set value (int)    \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"    svhost.exe
Executes dropped EXE (1 IoC)
pid     Process
3004    svhost.exe
resource                                                                    yara_rule
behavioral1/memory/1972-0-0x0000000000400000-0x00000000004C2000-memory.dmp      upx
behavioral1/memory/3004-7-0x0000000000400000-0x00000000004C2000-memory.dmp      upx
behavioral1/files/0x000c000000012242-4.dat                                      upx
behavioral1/files/0x0007000000015658-67.dat                                     upx
behavioral1/memory/1972-818-0x0000000000400000-0x00000000004C2000-memory.dmp    upx
behavioral1/memory/3004-1334-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/3004-2392-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/3004-3454-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/3004-4776-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/3004-5831-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/3004-6890-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/3004-7950-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/3004-9269-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/3004-10326-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
behavioral1/memory/3004-11388-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
behavioral1/memory/3004-12709-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
behavioral1/memory/3004-13763-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
behavioral1/memory/3004-14821-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
behavioral1/memory/3004-15882-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description               ioc       Process
File opened (read-only)   \??\a:    svhost.exe
File opened (read-only)   \??\o:    svhost.exe
File opened (read-only)   \??\p:    svhost.exe
File opened (read-only)   \??\t:    svhost.exe
File opened (read-only)   \??\u:    svhost.exe
File opened (read-only)   \??\w:    svhost.exe
File opened (read-only)   \??\z:    svhost.exe
File opened (read-only)   \??\e:    svhost.exe
File opened (read-only)   \??\h:    svhost.exe
File opened (read-only)   \??\i:    svhost.exe
File opened (read-only)   \??\k:    svhost.exe
File opened (read-only)   \??\l:    svhost.exe
File opened (read-only)   \??\n:    svhost.exe
File opened (read-only)   \??\q:    svhost.exe
File opened (read-only)   \??\s:    svhost.exe
File opened (read-only)   \??\y:    svhost.exe
File opened (read-only)   \??\b:    svhost.exe
File opened (read-only)   \??\g:    svhost.exe
File opened (read-only)   \??\r:    svhost.exe
File opened (read-only)   \??\x:    svhost.exe
File opened (read-only)   \??\j:    svhost.exe
File opened (read-only)   \??\m:    svhost.exe
File opened (read-only)   \??\v:    svhost.exe
AutoIT Executable (16 IoCs)
AutoIT scripts compiled to PE executables.
resource                                                                    yara_rule
behavioral1/memory/3004-7-0x0000000000400000-0x00000000004C2000-memory.dmp      autoit_exe
behavioral1/memory/1972-818-0x0000000000400000-0x00000000004C2000-memory.dmp    autoit_exe
behavioral1/memory/3004-1334-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/3004-2392-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/3004-3454-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/3004-4776-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/3004-5831-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/3004-6890-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/3004-7950-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/3004-9269-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/3004-10326-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
behavioral1/memory/3004-11388-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
behavioral1/memory/3004-12709-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
behavioral1/memory/3004-13763-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
behavioral1/memory/3004-14821-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
behavioral1/memory/3004-15882-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
Drops file in Windows directory (2 IoCs)
description                      ioc                       Process
File created                     C:\Windows\svhost.exe     1e707431e8e5175d240134f8877b5222.exe
File opened for modification     C:\Windows\Driver.db      svhost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid     Process
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid     Process
3004    svhost.exe
Suspicious use of FindShellTrayWindow (39 IoCs)
pid     Process
1972    1e707431e8e5175d240134f8877b5222.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
Suspicious use of SendNotifyMessage (39 IoCs)
pid     Process
1972    1e707431e8e5175d240134f8877b5222.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
1972    1e707431e8e5175d240134f8877b5222.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
3004    svhost.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description                          pid     Process                                 procid_target
PID 1972 wrote to memory of 3004     1972    1e707431e8e5175d240134f8877b5222.exe    14
PID 1972 wrote to memory of 3004     1972    1e707431e8e5175d240134f8877b5222.exe    14
PID 1972 wrote to memory of 3004     1972    1e707431e8e5175d240134f8877b5222.exe    14
PID 1972 wrote to memory of 3004     1972    1e707431e8e5175d240134f8877b5222.exe    14
Processes

C:\Windows\svhost.exe
Command line: C:\Windows\svhost.exe
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3004

C:\Users\Admin\AppData\Local\Temp\1e707431e8e5175d240134f8877b5222.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1e707431e8e5175d240134f8877b5222.exe"
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1972
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 298KB
MD5: 99c43aa89f42041f0be2a14c87e7afe7
SHA1: fb678009595ca421a39608eabec2d545d8e1b920
SHA256: 0a3dcc44675a58d6cd3f077d298a2b6c96c5ae7b0970448934d71244f453730e
SHA512: fbe9aa85e9fdeeea70ea062aef5351694ca05408cf5ebc3eb505504c694d7fd313579976f531ccf773ff9b00e1815cb260244195ad244dae93f02ace6d0d1acf

Filesize: 298KB
MD5: 64e4a247edb5b716c4439505c57783e3
SHA1: f771b7ca759ca57ff7f8d174c9dd6738aba11c13
SHA256: 81cd788acadd5405715bfed31742836a2908e417e5e2c3f197ea2eeda3103333
SHA512: 7fc30ec094034669d69e59b62c56c4421a5254668e23556c29f5a4a35b7f5c9b26aa0443d07db36fea8ca5bf429f427021638c54b08cdd2cdb64ba8ea5a0f2ae