Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 04-02-2024 15:10
Static task: static1
Behavioral task: behavioral1
- Sample: 8f78832d0481f5a37990941ca2c78ed1.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 8f78832d0481f5a37990941ca2c78ed1.exe
- Resource: win10v2004-20231215-en
General
- Target: 8f78832d0481f5a37990941ca2c78ed1.exe
- Size: 21KB
- MD5: 8f78832d0481f5a37990941ca2c78ed1
- SHA1: d2d951940a5633ae594c05fbe4ccb9a544bd457d
- SHA256: 16abb80e73599e6bbcb353667a743ff48b87a68ee2fb7489562325d6acd1d95a
- SHA512: a7fdb2979b24675131a7a1385f695cd70db58d0720544e97decc3db744b6cbf31ad3e9102e73ef5367cbc81a981cc521c14d5f8691e8f4d1410a14672f08422b
- SSDEEP: 384:Z8sCHeP5IEA2ZUBTFSrR1ufAtUXNfQE7:ZlCH7EVZUBTFK1uZXNT
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winlog.com\"" (process: 8f78832d0481f5a37990941ca2c78ed1.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winlog.com\"" (process: scvhost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winlog.com\"" (process: Scan.com)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winlog.com\"" (process: Scan.com)
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: scvhost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: scvhost.exe)
Disables RegEdit via registry modification (4 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: 8f78832d0481f5a37990941ca2c78ed1.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: scvhost.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: Scan.com)
- Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: Scan.com)
Disables Task Manager via registry modification (no IoCs listed)
Drops startup file (2 IoCs)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan.com (process: 8f78832d0481f5a37990941ca2c78ed1.exe)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan.com (process: 8f78832d0481f5a37990941ca2c78ed1.exe)
Executes dropped EXE (11 IoCs)
- PID 2900 scvhost.exe
- PID 2732 scvhost.exe
- PID 1900 Scan.com
- PID 1852 Scan.com
- PID 1952 scvhost.exe
- PID 2168 scvhost.exe
- PID 1700 Scan.com
- PID 2792 Scan.com
- PID 2056 scvhost.exe
- PID 1292 scvhost.exe
- PID 2116 scvhost.exe
Loads dropped DLL (23 IoCs, grouped by loading process)
- PID 2184 8f78832d0481f5a37990941ca2c78ed1.exe (6 events)
- PID 2900 scvhost.exe (5 events)
- PID 1900 Scan.com (6 events)
- PID 1852 Scan.com (6 events)
Adds Run key to start application (2 TTPs, 12 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Logon = "C:\\Windows\\winlog.com" (process: scvhost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ccApp = "C:\\Windows\\system\\winexec.com" (process: scvhost.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audio = "C:\\Windows\\system32\\caudio.exe" (process: Scan.com)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Logon = "C:\\Windows\\winlog.com" (process: Scan.com)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ccApp = "C:\\Windows\\system\\winexec.com" (process: Scan.com)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Logon = "C:\\Windows\\winlog.com" (process: Scan.com)
- Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audio = "C:\\Windows\\system32\\caudio.exe" (process: 8f78832d0481f5a37990941ca2c78ed1.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ccApp = "C:\\Windows\\system\\winexec.com" (process: 8f78832d0481f5a37990941ca2c78ed1.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audio = "C:\\Windows\\system32\\caudio.exe" (process: Scan.com)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ccApp = "C:\\Windows\\system\\winexec.com" (process: Scan.com)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Logon = "C:\\Windows\\winlog.com" (process: 8f78832d0481f5a37990941ca2c78ed1.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audio = "C:\\Windows\\system32\\caudio.exe" (process: scvhost.exe)
Drops file in System32 directory (22 IoCs)
- File created C:\Windows\SysWOW64\Startup\Scan.com (process: Scan.com)
- File created C:\Windows\SysWOW64\Startup\scvhost.exe (process: Scan.com)
- File created C:\Windows\SysWOW64\Startup\scvhost.exe (process: scvhost.exe)
- File opened for modification C:\Windows\SysWOW64\Startup\Scan.com (process: Scan.com)
- File opened for modification C:\Windows\SysWOW64\Startup\scvhost.exe (process: scvhost.exe)
- File opened for modification C:\Windows\SysWOW64\Startup\Scan.com (process: Scan.com)
- File created C:\Windows\SysWOW64\Startup\Scan.com (process: Scan.com)
- File created C:\Windows\SysWOW64\Startup\scvhost.exe (process: Scan.com)
- File opened for modification C:\Windows\SysWOW64\Startup\scvhost.exe (process: Scan.com)
- File opened for modification C:\Windows\SysWOW64\Startup\scvhost.exe (process: 8f78832d0481f5a37990941ca2c78ed1.exe)
- File opened for modification C:\Windows\SysWOW64\Startup\Scan.com (process: scvhost.exe)
- File opened for modification C:\Windows\SysWOW64\caudio.exe (process: scvhost.exe)
- File created C:\Windows\SysWOW64\Startup\Scan.com (process: scvhost.exe)
- File opened for modification C:\Windows\SysWOW64\caudio.exe (process: Scan.com)
- File opened for modification C:\Windows\SysWOW64\caudio.exe (process: Scan.com)
- File created C:\Windows\SysWOW64\caudio.exe (process: Scan.com)
- File opened for modification C:\Windows\SysWOW64\caudio.exe (process: 8f78832d0481f5a37990941ca2c78ed1.exe)
- File created C:\Windows\SysWOW64\Startup\scvhost.exe (process: 8f78832d0481f5a37990941ca2c78ed1.exe)
- File created C:\Windows\SysWOW64\caudio.exe (process: Scan.com)
- File opened for modification C:\Windows\SysWOW64\Startup\scvhost.exe (process: Scan.com)
- File created C:\Windows\SysWOW64\caudio.exe (process: 8f78832d0481f5a37990941ca2c78ed1.exe)
- File created C:\Windows\SysWOW64\caudio.exe (process: scvhost.exe)
Drops file in Windows directory (16 IoCs)
- File opened for modification C:\Windows\system\winexec.com (process: scvhost.exe)
- File opened for modification C:\Windows\system\winexec.com (process: Scan.com)
- File created C:\Windows\system\winexec.com (process: Scan.com)
- File opened for modification C:\Windows\system\winexec.com (process: 8f78832d0481f5a37990941ca2c78ed1.exe)
- File created C:\Windows\system\winexec.com (process: 8f78832d0481f5a37990941ca2c78ed1.exe)
- File created C:\Windows\system\winexec.com (process: scvhost.exe)
- File opened for modification C:\Windows\winlog.com (process: Scan.com)
- File created C:\Windows\winlog.com (process: Scan.com)
- File created C:\Windows\winlog.com (process: Scan.com)
- File created C:\Windows\system\winexec.com (process: Scan.com)
- File opened for modification C:\Windows\winlog.com (process: 8f78832d0481f5a37990941ca2c78ed1.exe)
- File created C:\Windows\winlog.com (process: 8f78832d0481f5a37990941ca2c78ed1.exe)
- File opened for modification C:\Windows\winlog.com (process: scvhost.exe)
- File created C:\Windows\winlog.com (process: scvhost.exe)
- File opened for modification C:\Windows\winlog.com (process: Scan.com)
- File opened for modification C:\Windows\system\winexec.com (process: Scan.com)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 2184 8f78832d0481f5a37990941ca2c78ed1.exe
- PID 2900 scvhost.exe
- PID 2732 scvhost.exe
- PID 1900 Scan.com
- PID 1852 Scan.com
- PID 2168 scvhost.exe
- PID 1952 scvhost.exe
- PID 2792 Scan.com
- PID 1700 Scan.com
- PID 2056 scvhost.exe
- PID 1292 scvhost.exe
- PID 2116 scvhost.exe
Suspicious use of WriteProcessMemory (44 IoCs; each write below was recorded 4 times, columns: description, writing pid/process, procid_target)
- PID 2184 wrote to memory of 2900 (2184 8f78832d0481f5a37990941ca2c78ed1.exe, procid_target 28)
- PID 2900 wrote to memory of 2732 (2900 scvhost.exe, procid_target 29)
- PID 2900 wrote to memory of 1900 (2900 scvhost.exe, procid_target 30)
- PID 2184 wrote to memory of 1852 (2184 8f78832d0481f5a37990941ca2c78ed1.exe, procid_target 31)
- PID 1900 wrote to memory of 1952 (1900 Scan.com, procid_target 32)
- PID 1852 wrote to memory of 2168 (1852 Scan.com, procid_target 33)
- PID 1900 wrote to memory of 1700 (1900 Scan.com, procid_target 35)
- PID 1852 wrote to memory of 2792 (1852 Scan.com, procid_target 34)
- PID 2184 wrote to memory of 2056 (2184 8f78832d0481f5a37990941ca2c78ed1.exe, procid_target 36)
- PID 1852 wrote to memory of 1292 (1852 Scan.com, procid_target 38)
- PID 1900 wrote to memory of 2116 (1900 Scan.com, procid_target 39)
Processes (process tree; depth in parentheses, child processes indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\8f78832d0481f5a37990941ca2c78ed1.exe (depth 1, PID 2184)
  command line: "C:\Users\Admin\AppData\Local\Temp\8f78832d0481f5a37990941ca2c78ed1.exe"
  signatures:
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Startup\scvhost.exe (depth 2, PID 2900)
    command line: "C:\Windows\system32\Startup\scvhost.exe"
    signatures:
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Startup\scvhost.exe (depth 3, PID 2732)
      command line: "C:\Windows\system32\Startup\scvhost.exe"
      signatures:
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\Startup\Scan.com (depth 3, PID 1900)
      command line: "C:\Windows\System32\Startup\Scan.com"
      signatures:
      - Modifies WinLogon for persistence
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Startup\scvhost.exe (depth 4, PID 1952)
        command line: "C:\Windows\system32\Startup\scvhost.exe"
        signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\Startup\Scan.com (depth 4, PID 1700)
        command line: "C:\Windows\System32\Startup\Scan.com"
        signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\Startup\scvhost.exe (depth 4, PID 2116)
        command line: "C:\Windows\system32\Startup\scvhost.exe"
        signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan.com (depth 2, PID 1852)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan.com"
    signatures:
    - Modifies WinLogon for persistence
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Startup\scvhost.exe (depth 3, PID 2168)
      command line: "C:\Windows\system32\Startup\scvhost.exe"
      signatures:
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\Startup\Scan.com (depth 3, PID 2792)
      command line: "C:\Windows\System32\Startup\Scan.com"
      signatures:
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\Startup\scvhost.exe (depth 3, PID 1292)
      command line: "C:\Windows\system32\Startup\scvhost.exe"
      signatures:
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\Startup\scvhost.exe (depth 2, PID 2056)
    command line: "C:\Windows\system32\Startup\scvhost.exe"
    signatures:
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 25B
  MD5: b28b76dd27531fb71240e74117201437
  SHA1: 128f5be3f1d22da817cf5bded45c59360447de38
  SHA256: f8931c13a85927c02d741e619b9f3d9a97366a7ba5b5abc2903e6986a647c53d
  SHA512: 7377f74e81c42f3bf4d4ba8bb593801d0e049a63b800e7cce5ad055107fcd4aa754cb73a387b0eb61f4a9b6787532ba0672c5aa280b73231fe1d8b86f30b5e98
- Filesize: 21KB
  MD5: 8f78832d0481f5a37990941ca2c78ed1
  SHA1: d2d951940a5633ae594c05fbe4ccb9a544bd457d
  SHA256: 16abb80e73599e6bbcb353667a743ff48b87a68ee2fb7489562325d6acd1d95a
  SHA512: a7fdb2979b24675131a7a1385f695cd70db58d0720544e97decc3db744b6cbf31ad3e9102e73ef5367cbc81a981cc521c14d5f8691e8f4d1410a14672f08422b