Overview
Overall score: 10

Score  Target                   Platform
10     Static                   static
1      sss/Install/Del3.bat     windows7-x64
1      sss/Install/Del3.bat     windows10-2004-x64
1      sss/Instal...te.bat      windows7-x64
1      sss/Instal...te.bat      windows10-2004-x64
1      sss/Install/del.bat      windows7-x64
1      sss/Install/del.bat      windows10-2004-x64
10     sss/Install/smss.exe     windows7-x64
10     sss/Install/smss.exe     windows10-2004-x64
1      sss/RDPWinst.exe         windows7-x64
1      sss/RDPWinst.exe         windows10-2004-x64
10     sss/ReaIte...st.exe      windows7-x64
10     sss/ReaIte...st.exe      windows10-2004-x64
9      sss/ReaIte...tw.exe      windows7-x64
9      sss/ReaIte...tw.exe      windows10-2004-x64
10     sss/Window...rv.exe      windows7-x64
10     sss/Window...rv.exe      windows10-2004-x64
1      sss/Window...MD.exe      windows7-x64
1      sss/Window...MD.exe      windows10-2004-x64
1      sss/Window...le.exe      windows7-x64
1      sss/Window...le.exe      windows10-2004-x64
1      sss/Window...st.exe      windows7-x64
1      sss/Window...st.exe      windows10-2004-x64
1      sss/Window...64.sys      windows7-x64
1      sss/Window...64.sys      windows10-2004-x64
9      sss/Window...dg.exe      windows7-x64
9      sss/Window...dg.exe      windows10-2004-x64
1      sss/Window...on.bat      windows7-x64
1      sss/Window...on.bat      windows10-2004-x64

Analysis
max time kernel: 150s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-03-2024 23:04
Behavioral tasks
Task          Sample                                    Resource
behavioral1   sss/Install/Del3.bat                      win7-20240221-en
behavioral2   sss/Install/Del3.bat                      win10v2004-20240226-en
behavioral3   sss/Install/Delete.bat                    win7-20240221-en
behavioral4   sss/Install/Delete.bat                    win10v2004-20240319-en
behavioral5   sss/Install/del.bat                       win7-20240221-en
behavioral6   sss/Install/del.bat                       win10v2004-20240226-en
behavioral7   sss/Install/smss.exe                      win7-20240221-en
behavioral8   sss/Install/smss.exe                      win10v2004-20240226-en
behavioral9   sss/RDPWinst.exe                          win7-20240221-en
behavioral10  sss/RDPWinst.exe                          win10v2004-20240226-en
behavioral11  sss/ReaItekHD/taskhost.exe                win7-20240221-en
behavioral12  sss/ReaItekHD/taskhost.exe                win10v2004-20240226-en
behavioral13  sss/ReaItekHD/taskhostw.exe               win7-20231129-en
behavioral14  sss/ReaItekHD/taskhostw.exe               win10v2004-20240226-en
behavioral15  sss/Windows Tasks Service/winserv.exe     win7-20240215-en
behavioral16  sss/Windows Tasks Service/winserv.exe     win10v2004-20240226-en
behavioral17  sss/WindowsTask/AMD.exe                   win7-20240221-en
behavioral18  sss/WindowsTask/AMD.exe                   win10v2004-20240226-en
behavioral19  sss/WindowsTask/AppModule.exe             win7-20240221-en
behavioral20  sss/WindowsTask/AppModule.exe             win10v2004-20240319-en
behavioral21  sss/WindowsTask/MicrosoftHost.exe         win7-20240221-en
behavioral22  sss/WindowsTask/MicrosoftHost.exe         win10v2004-20240226-en
behavioral23  sss/WindowsTask/WinRing0x64.sys           win7-20240221-en
behavioral24  sss/WindowsTask/WinRing0x64.sys           win10v2004-20240226-en
behavioral25  sss/WindowsTask/audiodg.exe               win7-20231129-en
behavioral26  sss/WindowsTask/audiodg.exe               win10v2004-20240226-en
behavioral27  sss/WindowsTask/winlogon.bat              win7-20240221-en
behavioral28  sss/WindowsTask/winlogon.bat              win10v2004-20240226-en
General
Target: sss/ReaItekHD/taskhostw.exe
Size: 28.1MB
MD5: dc1292c7fa973a334934340d6674e376
SHA1: 82660001eeefec20cdfa4ce78f8db5e6968ce729
SHA256: fcc78017b47e6d12fc84a479bce14e27562e746d928ebe30bdb13cbc3cc8c2d1
SHA512: 7fe20bc6ccd8e78036c5ab7517706f88e8d5ed4ed602515ad702d4db5a2271b44fd76fed5fd7bbf4cd47b5006cfb97772f01f6ead2b35af7ff10d7b9ec2c4a04
SSDEEP: 786432:5Uv4WjB487BSaxifeu5K/P9D/puKTLAA+ecrJ:5UvbnoX5g/puKTczr
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (taskhostw.exe)

Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts (taskhostw.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (taskhostw.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (taskhostw.exe)

Yara rule themida matched in memory (24 IoCs)
  behavioral14/memory/3572-N-0x00007FF6040E0000-0x00007FF60655E000-memory.dmp for N = 0, 2-9, 27-29, 31-42

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\ReaItekHD\\taskhostw.exe" (taskhostw.exe)
Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (taskhostw.exe)
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 16: ip-api.com

AutoIT Executable (22 IoCs)
  AutoIT scripts compiled to PE executables.
  Yara rule autoit_exe matched behavioral14/memory/3572-N-0x00007FF6040E0000-0x00007FF60655E000-memory.dmp for N = 3-9, 27-29, 31-42

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 3572 taskhostw.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (taskhostw.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (taskhostw.exe)

Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  flow 20: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3572 taskhostw.exe (64 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3572 taskhostw.exe
Processes
C:\Users\Admin\AppData\Local\Temp\sss\ReaItekHD\taskhostw.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sss\ReaItekHD\taskhostw.exe"
  PID: 3572
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 14KB
MD5: 51ca2264f5b3ad532a4d6dae175e1750
SHA1: 3dc996beb38928c70fca66658c46b00092ae6532
SHA256: d2bd2aeb50ac5df60c1eb10afcec2b680d5a8a9f2bbc74a15c45bf3525528334
SHA512: 6c169854acd97daf85ebfbefb78ae9b1ce249e8c6a79c7eaa42bcf6c546e6e14bae25bbe989b2e2d07d9ba92a69908b320534b0b97e5ba305bd783273e8d1e55