Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20-05-2024 05:05
Static task
static1
Behavioral task
behavioral1
Sample
9a8b0ebe7b18da6e638fdc9f7e1353c56a561419b12932aff6b0a42a7fe6ac12.zip
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
General
-
Target
9a8b0ebe7b18da6e638fdc9f7e1353c56a561419b12932aff6b0a42a7fe6ac12.zip
-
Size
802KB
-
MD5
96bb795d111717109fac22f8433c7e27
-
SHA1
daf03c1faa4290b7f4eeec983110a8bd7858b834
-
SHA256
9a8b0ebe7b18da6e638fdc9f7e1353c56a561419b12932aff6b0a42a7fe6ac12
-
SHA512
cccf6b4736b6e33ec1bcd020d8f1fb67cc0a9e72a841a5dc7a2f81e62e54b20324bd0b5b1edcc5073becf12cc07584e77cef8c997fe4f4702d85b06ea488d988
-
SSDEEP
24576:YIAjSP9123EtVDkL+zNRbMtv4J0RXTTwaK:YIF91BVIazHotC0RXTTwaK
Score
5/10
Malware Config
Signatures
-
Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs
Using AutoIT for possible automate script.
pid Process 708 Autoit3.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Autoit3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Autoit3.exe -
Modifies registry class 22 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000 Autoit3.exe Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Autoit3.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings Autoit3.exe Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "6" Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Autoit3.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 Autoit3.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" Autoit3.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Autoit3.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell Autoit3.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Autoit3.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Autoit3.exe Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 Autoit3.exe Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 Autoit3.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags Autoit3.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 708 Autoit3.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1580 Autoit3.exe -
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2280 WMIC.exe Token: SeSecurityPrivilege 2280 WMIC.exe Token: SeTakeOwnershipPrivilege 2280 WMIC.exe Token: SeLoadDriverPrivilege 2280 WMIC.exe Token: SeSystemProfilePrivilege 2280 WMIC.exe Token: SeSystemtimePrivilege 2280 WMIC.exe Token: SeProfSingleProcessPrivilege 2280 WMIC.exe Token: SeIncBasePriorityPrivilege 2280 WMIC.exe Token: SeCreatePagefilePrivilege 2280 WMIC.exe Token: SeBackupPrivilege 2280 WMIC.exe Token: SeRestorePrivilege 2280 WMIC.exe Token: SeShutdownPrivilege 2280 WMIC.exe Token: SeDebugPrivilege 2280 WMIC.exe Token: SeSystemEnvironmentPrivilege 2280 WMIC.exe Token: SeRemoteShutdownPrivilege 2280 WMIC.exe Token: SeUndockPrivilege 2280 WMIC.exe Token: SeManageVolumePrivilege 2280 WMIC.exe Token: 33 2280 WMIC.exe Token: 34 2280 WMIC.exe Token: 35 2280 WMIC.exe Token: SeIncreaseQuotaPrivilege 2280 WMIC.exe Token: SeSecurityPrivilege 2280 WMIC.exe Token: SeTakeOwnershipPrivilege 2280 WMIC.exe Token: SeLoadDriverPrivilege 2280 WMIC.exe Token: SeSystemProfilePrivilege 2280 WMIC.exe Token: SeSystemtimePrivilege 2280 WMIC.exe Token: SeProfSingleProcessPrivilege 2280 WMIC.exe Token: SeIncBasePriorityPrivilege 2280 WMIC.exe Token: SeCreatePagefilePrivilege 2280 WMIC.exe Token: SeBackupPrivilege 2280 WMIC.exe Token: SeRestorePrivilege 2280 WMIC.exe Token: SeShutdownPrivilege 2280 WMIC.exe Token: SeDebugPrivilege 2280 WMIC.exe Token: SeSystemEnvironmentPrivilege 2280 WMIC.exe Token: SeRemoteShutdownPrivilege 2280 WMIC.exe Token: SeUndockPrivilege 2280 WMIC.exe Token: SeManageVolumePrivilege 2280 WMIC.exe Token: 33 2280 WMIC.exe Token: 34 2280 WMIC.exe Token: 35 2280 WMIC.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1580 Autoit3.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 708 wrote to memory of 480 708 Autoit3.exe 38 PID 708 wrote to memory of 480 708 Autoit3.exe 38 PID 708 wrote to memory of 480 708 Autoit3.exe 38 PID 708 wrote to memory of 480 708 Autoit3.exe 38 PID 480 wrote to memory of 2280 480 cmd.exe 40 PID 480 wrote to memory of 2280 480 cmd.exe 40 PID 480 wrote to memory of 2280 480 cmd.exe 40 PID 480 wrote to memory of 2280 480 cmd.exe 40
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\9a8b0ebe7b18da6e638fdc9f7e1353c56a561419b12932aff6b0a42a7fe6ac12.zip1⤵PID:1040
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:1752
-
C:\Users\Admin\Desktop\Autoit3.exe"C:\Users\Admin\Desktop\Autoit3.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1580
-
C:\Users\Admin\Desktop\Autoit3.exe"C:\Users\Admin\Desktop\Autoit3.exe" C:\Users\Admin\Desktop\script.a3x1⤵
- Command and Scripting Interpreter: AutoIT
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:708 -
\??\c:\windows\SysWOW64\cmd.exe"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\dbbacdc\cdcecaa2⤵
- Suspicious use of WriteProcessMemory
PID:480 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic ComputerSystem get domain3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2280
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54B
MD5c8bbad190eaaa9755c8dfb1573984d81
SHA117ad91294403223fde66f687450545a2bad72af5
SHA2567f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac
SHA51205f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df