38a9613f42496b14dc6ebfa6292394335bf288369edd95ec67125e5a66dcdd11

Analysis

max time kernel
162s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09083baad0ce15548499ff06b5988d7e.exe
Size

960KB
MD5

09083baad0ce15548499ff06b5988d7e
SHA1

4e5aea5bbf064e2b8549536b77f1ec2e8674d631
SHA256

38a9613f42496b14dc6ebfa6292394335bf288369edd95ec67125e5a66dcdd11
SHA512

389cfa45178005b10aaa91efd30d862668ea8547e3c43f11f1bb52e537ffa1299ae321e35902c2ef917ae1c10cd1bd8db0158b150de2a15185c41bb0fedab4ff
SSDEEP

12288:X6Wq4aaE6KwyF5L0Y2D1PqLb6Wq4aaE6KwyF5L0Y2D1PqLx6Wq4aaE6KwyF5L0Y1:1thEVaPqLBthEVaPqLHthEVaPqLTthj

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svhost.exe

Executes dropped EXE 1 IoCs

pid	Process
5032	svhost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1760-0-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral2/memory/1760-2-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral2/files/0x000600000001e7dd-7.dat	upx
behavioral2/memory/5032-9-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral2/files/0x000500000001e7f0-108.dat	upx
behavioral2/memory/1760-820-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral2/memory/5032-933-0x0000000000400000-0x0000000000523000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\s:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\w:	svhost.exe
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\o:	svhost.exe
File opened (read-only)	\??\q:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1760-820-0x0000000000400000-0x0000000000523000-memory.dmp	autoit_exe
behavioral2/memory/5032-933-0x0000000000400000-0x0000000000523000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	09083baad0ce15548499ff06b5988d7e.exe
File opened for modification	C:\Windows\Driver.db	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1760	09083baad0ce15548499ff06b5988d7e.exe
1760	09083baad0ce15548499ff06b5988d7e.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5032	svhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1760	09083baad0ce15548499ff06b5988d7e.exe
1760	09083baad0ce15548499ff06b5988d7e.exe
1760	09083baad0ce15548499ff06b5988d7e.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
1760	09083baad0ce15548499ff06b5988d7e.exe
1760	09083baad0ce15548499ff06b5988d7e.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1760	09083baad0ce15548499ff06b5988d7e.exe
1760	09083baad0ce15548499ff06b5988d7e.exe
1760	09083baad0ce15548499ff06b5988d7e.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
1760	09083baad0ce15548499ff06b5988d7e.exe
1760	09083baad0ce15548499ff06b5988d7e.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe
5032	svhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 5032	1760	09083baad0ce15548499ff06b5988d7e.exe	94
PID 1760 wrote to memory of 5032	1760	09083baad0ce15548499ff06b5988d7e.exe	94
PID 1760 wrote to memory of 5032	1760	09083baad0ce15548499ff06b5988d7e.exe	94

C:\Users\Admin\AppData\Local\Temp\09083baad0ce15548499ff06b5988d7e.exe
"C:\Users\Admin\AppData\Local\Temp\09083baad0ce15548499ff06b5988d7e.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Driver.db

Filesize
82B

MD5
c2d2dc50dca8a2bfdc8e2d59dfa5796d

SHA1
7a6150fc53244e28d1bcea437c0c9d276c41ccad

SHA256
b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960

SHA512
6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Download Submit
C:\Windows\svhost.exe

Filesize
960KB

MD5
a1b648e5cb7eaedaf1be7efc0aa3e616

SHA1
a4bf3ee72c5c6c20ae5fc3a370dac3b0beb66544

SHA256
0803592c34c6ebc4fd4d6841427fd2f82673a11cf98f008d77ffa6fbaccbe9cf

SHA512
9365d248024224d676ea81462a1a7d582111c3fc9296e1d8ca2b5abc7ef7727274d81e4d964f739b17155c63ddf6f67b1c3f815657bd12c318cd235b12363274

Download Submit
C:\odt.exe

Filesize
960KB

MD5
312f918223e0b60bdd649847e745226c

SHA1
8b0479ef81017f1e05d17dac34446f6982f9c43d

SHA256
7c07e15ba9b492ff7e4a04883f41aca68757647465d5f0ce6ee6c0040dc21e2d

SHA512
a9b6da3af10c3dc1e70c29f3c986d2ec19a066d4eb9a4ca34d9034404560f1385b83a5d2ab1f448013d9fd0919548d459b150a3bf0aed8c517a17aa9b79bd294

Download Submit
memory/1760-0-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1760-2-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1760-820-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/5032-9-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/5032-933-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download