Analysis
max time kernel: 142s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/02/2024, 01:44
Behavioral task: behavioral1
Sample: ad608ab178c9a8c65cab94afee5c0d4b.exe
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: ad608ab178c9a8c65cab94afee5c0d4b.exe
Resource: win10v2004-20240226-en
General
Target: ad608ab178c9a8c65cab94afee5c0d4b.exe
Size: 216KB
MD5: ad608ab178c9a8c65cab94afee5c0d4b
SHA1: 7d7fc641574f82c6cd83a1fa52fcffe29169889b
SHA256: c1b321e20412cb39fecc341752b686333c4afc0847d4506da546a1e8435d48df
SHA512: 652dbfeebbd3f497981847c4bce3cf078cf218fe340874a63858804830d13be8691f90227293d42c79a1fd172dc3dd3ee2031649fd4d7d05b6c5b7f2293ecfd6
SSDEEP: 6144:qb9iXkv6DOSCyJFDVhtc9HZlXqBLLXP1MxH:qb9EkKFFXtIHCje
Malware Config
Signatures
Yara rule matches
resource: behavioral2/files/0x000a0000000231c4-9.dat, yara_rule: aspack_v212_v242
resource: behavioral2/files/0x0007000000023211-20.dat, yara_rule: aspack_v212_v242
Executes dropped EXE 1 IoCs
pid: 4388, Process: svchost.exe
Loads dropped DLL 1 IoCs
pid: 4760, Process: Regsvr32.exe
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MKFX.EXE = "C:\\PerfLogs\\svchost.exe" (Process: ad608ab178c9a8c65cab94afee5c0d4b.exe)
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) \??\I: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\J: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\N: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\R: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\L: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\P: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\S: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\U: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\E: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\G: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\T: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\H: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\K: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\M: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\O: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\Q: ad608ab178c9a8c65cab94afee5c0d4b.exe
File opened (read-only) \??\V: ad608ab178c9a8c65cab94afee5c0d4b.exe
Drops file in System32 directory 2 IoCs
File created C:\Windows\SysWOW64\AHEXWA.EXE ad608ab178c9a8c65cab94afee5c0d4b.exe
File created C:\Windows\SysWOW64\Ms7002.dll ad608ab178c9a8c65cab94afee5c0d4b.exe
Modifies registry class 26 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\AHEXWA.EXE" ad608ab178c9a8c65cab94afee5c0d4b.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" Regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command ad608ab178c9a8c65cab94afee5c0d4b.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command ad608ab178c9a8c65cab94afee5c0d4b.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 Regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook Regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Users\\AHEXWA.EXE \"%1\"" ad608ab178c9a8c65cab94afee5c0d4b.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" Regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile svchost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command ad608ab178c9a8c65cab94afee5c0d4b.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\AHEXWA.EXE %1" ad608ab178c9a8c65cab94afee5c0d4b.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} Regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" Regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file ad608ab178c9a8c65cab94afee5c0d4b.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell ad608ab178c9a8c65cab94afee5c0d4b.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\AHEXWA.EXE %1" ad608ab178c9a8c65cab94afee5c0d4b.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile ad608ab178c9a8c65cab94afee5c0d4b.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" Regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command ad608ab178c9a8c65cab94afee5c0d4b.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open ad608ab178c9a8c65cab94afee5c0d4b.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command ad608ab178c9a8c65cab94afee5c0d4b.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid Regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID Regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Users\\AHEXWA.EXE \"%1\"" ad608ab178c9a8c65cab94afee5c0d4b.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" Regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" Regsvr32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid: 2260, Process: ad608ab178c9a8c65cab94afee5c0d4b.exe
pid: 2260, Process: ad608ab178c9a8c65cab94afee5c0d4b.exe
pid: 2260, Process: ad608ab178c9a8c65cab94afee5c0d4b.exe
pid: 2260, Process: ad608ab178c9a8c65cab94afee5c0d4b.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid: 4388, Process: svchost.exe
Suspicious use of WriteProcessMemory 6 IoCs
PID 2260 wrote to memory of 4760 (Process: ad608ab178c9a8c65cab94afee5c0d4b.exe, procid_target: 92)
PID 2260 wrote to memory of 4760 (Process: ad608ab178c9a8c65cab94afee5c0d4b.exe, procid_target: 92)
PID 2260 wrote to memory of 4760 (Process: ad608ab178c9a8c65cab94afee5c0d4b.exe, procid_target: 92)
PID 2260 wrote to memory of 4388 (Process: ad608ab178c9a8c65cab94afee5c0d4b.exe, procid_target: 93)
PID 2260 wrote to memory of 4388 (Process: ad608ab178c9a8c65cab94afee5c0d4b.exe, procid_target: 93)
PID 2260 wrote to memory of 4388 (Process: ad608ab178c9a8c65cab94afee5c0d4b.exe, procid_target: 93)
Processes
C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2260
  C:\Windows\SysWOW64\Regsvr32.exe
    Command line: Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
    - Loads dropped DLL
    - Modifies registry class
    PID: 4760
  C:\Users\svchost.exe
    Command line: C:\Users\svchost.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    PID: 4388
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 217KB
MD5: b7e146ae5c14da75a4ff97661114e228
SHA1: 230cfbc778cba01f13d1d926d72d02f5c2225aaa
SHA256: 21c5c1682498a03f24c1ac2e837895505fd577cbec8749a2f4d5729ca5c2b3ba
SHA512: 30a872633bbbb21809b5d77dc0cbee596447af5c2f3068d22a71c6ec26601e56560f68dc7686fe1c8c339544652e6e3e07de30f76150e43c68a2b031f5f30d55

Filesize: 52KB
MD5: 876a2a99b81968f5b26e3cbe12063d2b
SHA1: 7afa8f33b691b2651b65eb07220cc2fda4b7537c
SHA256: f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
SHA512: ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1

Filesize: 205B
MD5: b86c8a6a00f21ca1af8d56cdedf2987b
SHA1: ab4f2967c3bb442ea2725f9e41510f05a0776726
SHA256: c941fada3cd19d790b77a5a47a56701157e5e862ca46f0efc6e7259d645d967a
SHA512: 0d4a3f818d9e5f86a8f49b1aae3a9b5a921dbf1663e85de5368c141133d0e19d19bd218d86cc36a1a299d82c6172acce226b3e75e4aaaa8a6fde92bf28cd9520