17bc12aeb004e3f54e0df3528741e5cabb0d40925f6d80b875818a6a06868bcf

General

Target

0ee4cc4d4bdc5809b3fedb586b701493.exe
Size

298KB
MD5

0ee4cc4d4bdc5809b3fedb586b701493
SHA1

8714d966d358a9600a415dbf56927fe66340ae9e
SHA256

17bc12aeb004e3f54e0df3528741e5cabb0d40925f6d80b875818a6a06868bcf
SHA512

261192c259f0e41983effdf31d78944f2db323028dd2a423fafed5c5d2cf9362b3163a80293c8430c11261c6bef6612968c792929d2d8fa81b5a41c8a61d1958
SSDEEP

6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYQ:v6Wq4aaE6KwyF5L0Y2D1PqLD

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svhost.exe

Executes dropped EXE 1 IoCs

pid	Process
2132	svhost.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2468-0-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2132-7-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/files/0x000c00000001224a-6.dat	upx
behavioral1/files/0x000c00000001224a-5.dat	upx
behavioral1/files/0x0007000000015361-67.dat	upx
behavioral1/memory/2468-815-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2132-1334-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2132-2397-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2132-3456-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2132-4775-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2132-5839-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2132-6898-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2132-7955-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2132-9278-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2132-10338-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2132-11395-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2132-12451-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2132-13779-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2132-14832-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2132-15890-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\o:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\w:	svhost.exe
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\s:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\q:	svhost.exe

AutoIT Executable 16 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2132-7-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2468-815-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2132-1334-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2132-2397-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2132-3456-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2132-4775-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2132-5839-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2132-6898-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2132-7955-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2132-9278-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2132-10338-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2132-11395-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2132-12451-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2132-13779-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2132-14832-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2132-15890-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	0ee4cc4d4bdc5809b3fedb586b701493.exe
File opened for modification	C:\Windows\Driver.db	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2132	svhost.exe
2132	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2132	svhost.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2132	svhost.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2468	0ee4cc4d4bdc5809b3fedb586b701493.exe
2132	svhost.exe
2132	svhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2132	2468	0ee4cc4d4bdc5809b3fedb586b701493.exe	17
PID 2468 wrote to memory of 2132	2468	0ee4cc4d4bdc5809b3fedb586b701493.exe	17
PID 2468 wrote to memory of 2132	2468	0ee4cc4d4bdc5809b3fedb586b701493.exe	17
PID 2468 wrote to memory of 2132	2468	0ee4cc4d4bdc5809b3fedb586b701493.exe	17

C:\Users\Admin\AppData\Local\Temp\0ee4cc4d4bdc5809b3fedb586b701493.exe
"C:\Users\Admin\AppData\Local\Temp\0ee4cc4d4bdc5809b3fedb586b701493.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings.exe

Filesize
42KB

MD5
e476c22733b6a14dcd84094845edff51

SHA1
8e7ed3d468d4fa5038e2a99a0ec6e697ad88956e

SHA256
c9a1947d61379215ff4dc2ce32e4300f561fffbc919533d3f1221f17b56074dc

SHA512
3a825c5da2c105020f35620e5119a4fbe3c76d2b46182a61bff7ccd60fa6243abf0250f2930794ce8448350b300c25da62593dae0e7a194069e28b8b88ced333

Download Submit
C:\Windows\Driver.db

Filesize
82B

MD5
c2d2dc50dca8a2bfdc8e2d59dfa5796d

SHA1
7a6150fc53244e28d1bcea437c0c9d276c41ccad

SHA256
b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960

SHA512
6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Download Submit
C:\Windows\svhost.exe

Filesize
7KB

MD5
36e73ac0a4109cf8d0dc1636c0d5285d

SHA1
04454f00351f7d9ced98482d412ce2d45bf9f4f1

SHA256
317fbee61bc696676bfe23d968957325611770f8b5527211f1ecfe84c9d33a16

SHA512
051f395d79dfda24caf2f1db58c1d18899c31d866e3a86c4eef7ad3b3ba6ca702768e4b81a167991ede3a9972da256e89f25a8f95682a2b187b5ab00a43c27e7

Download Submit
C:\Windows\svhost.exe

Filesize
67KB

MD5
bacd337a532d31d931c23fd54142ae46

SHA1
73eca801cb8a8a68974b903c4982cc768c47b3fb

SHA256
a114526147a0868223df0220addacff1b9984839a364aa1f162ff8faf0774ae9

SHA512
ab659ccd62f82880855692ca7d665a9552a3b5ecbf1c17b9775bfbd21bf4327bbc0ad9e2d5976768cc5efe068e6930ed7859ce3bfebe1cfe1a5fb765b770a50d

Download Submit
memory/2132-9278-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2132-6898-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2132-7-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2132-15890-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2132-1334-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2132-2397-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2132-3456-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2132-4775-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2132-5839-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2132-14832-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2132-7955-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2132-13779-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2132-10338-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2132-11395-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2132-12451-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2468-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2468-4-0x0000000003190000-0x0000000003252000-memory.dmp

Filesize
776KB

Download
memory/2468-815-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing