Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20-05-2024 05:05
Static task
static1
Behavioral task
behavioral1
Sample
9a8b0ebe7b18da6e638fdc9f7e1353c56a561419b12932aff6b0a42a7fe6ac12.zip
Resource
win7-20240221-en
General
-
Target
9a8b0ebe7b18da6e638fdc9f7e1353c56a561419b12932aff6b0a42a7fe6ac12.zip
-
Size
802KB
-
MD5
96bb795d111717109fac22f8433c7e27
-
SHA1
daf03c1faa4290b7f4eeec983110a8bd7858b834
-
SHA256
9a8b0ebe7b18da6e638fdc9f7e1353c56a561419b12932aff6b0a42a7fe6ac12
-
SHA512
cccf6b4736b6e33ec1bcd020d8f1fb67cc0a9e72a841a5dc7a2f81e62e54b20324bd0b5b1edcc5073becf12cc07584e77cef8c997fe4f4702d85b06ea488d988
-
SSDEEP
24576:YIAjSP9123EtVDkL+zNRbMtv4J0RXTTwaK:YIF91BVIazHotC0RXTTwaK
Malware Config
Signatures
-
Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs
Using AutoIT for possible automate script.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Autoit3.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Autoit3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Autoit3.exe -
Modifies registry class 22 IoCs
Processes:
Autoit3.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000 Autoit3.exe Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Autoit3.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings Autoit3.exe Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "6" Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Autoit3.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 Autoit3.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" Autoit3.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Autoit3.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell Autoit3.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Autoit3.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" Autoit3.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Autoit3.exe Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 Autoit3.exe Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 Autoit3.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags Autoit3.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Autoit3.exepid process 708 Autoit3.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Autoit3.exepid process 1580 Autoit3.exe -
Suspicious use of AdjustPrivilegeToken 40 IoCs
Processes:
WMIC.exedescription pid process Token: SeIncreaseQuotaPrivilege 2280 WMIC.exe Token: SeSecurityPrivilege 2280 WMIC.exe Token: SeTakeOwnershipPrivilege 2280 WMIC.exe Token: SeLoadDriverPrivilege 2280 WMIC.exe Token: SeSystemProfilePrivilege 2280 WMIC.exe Token: SeSystemtimePrivilege 2280 WMIC.exe Token: SeProfSingleProcessPrivilege 2280 WMIC.exe Token: SeIncBasePriorityPrivilege 2280 WMIC.exe Token: SeCreatePagefilePrivilege 2280 WMIC.exe Token: SeBackupPrivilege 2280 WMIC.exe Token: SeRestorePrivilege 2280 WMIC.exe Token: SeShutdownPrivilege 2280 WMIC.exe Token: SeDebugPrivilege 2280 WMIC.exe Token: SeSystemEnvironmentPrivilege 2280 WMIC.exe Token: SeRemoteShutdownPrivilege 2280 WMIC.exe Token: SeUndockPrivilege 2280 WMIC.exe Token: SeManageVolumePrivilege 2280 WMIC.exe Token: 33 2280 WMIC.exe Token: 34 2280 WMIC.exe Token: 35 2280 WMIC.exe Token: SeIncreaseQuotaPrivilege 2280 WMIC.exe Token: SeSecurityPrivilege 2280 WMIC.exe Token: SeTakeOwnershipPrivilege 2280 WMIC.exe Token: SeLoadDriverPrivilege 2280 WMIC.exe Token: SeSystemProfilePrivilege 2280 WMIC.exe Token: SeSystemtimePrivilege 2280 WMIC.exe Token: SeProfSingleProcessPrivilege 2280 WMIC.exe Token: SeIncBasePriorityPrivilege 2280 WMIC.exe Token: SeCreatePagefilePrivilege 2280 WMIC.exe Token: SeBackupPrivilege 2280 WMIC.exe Token: SeRestorePrivilege 2280 WMIC.exe Token: SeShutdownPrivilege 2280 WMIC.exe Token: SeDebugPrivilege 2280 WMIC.exe Token: SeSystemEnvironmentPrivilege 2280 WMIC.exe Token: SeRemoteShutdownPrivilege 2280 WMIC.exe Token: SeUndockPrivilege 2280 WMIC.exe Token: SeManageVolumePrivilege 2280 WMIC.exe Token: 33 2280 WMIC.exe Token: 34 2280 WMIC.exe Token: 35 2280 WMIC.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Autoit3.exepid process 1580 Autoit3.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Autoit3.execmd.exedescription pid process target process PID 708 wrote to memory of 480 708 Autoit3.exe cmd.exe PID 708 wrote to memory of 480 708 Autoit3.exe cmd.exe PID 708 wrote to memory of 480 708 Autoit3.exe cmd.exe PID 708 wrote to memory of 480 708 Autoit3.exe cmd.exe PID 480 wrote to memory of 2280 480 cmd.exe WMIC.exe PID 480 wrote to memory of 2280 480 cmd.exe WMIC.exe PID 480 wrote to memory of 2280 480 cmd.exe WMIC.exe PID 480 wrote to memory of 2280 480 cmd.exe WMIC.exe
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\9a8b0ebe7b18da6e638fdc9f7e1353c56a561419b12932aff6b0a42a7fe6ac12.zip1⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Users\Admin\Desktop\Autoit3.exe"C:\Users\Admin\Desktop\Autoit3.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Autoit3.exe"C:\Users\Admin\Desktop\Autoit3.exe" C:\Users\Admin\Desktop\script.a3x1⤵
- Command and Scripting Interpreter: AutoIT
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\cmd.exe"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\dbbacdc\cdcecaa2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic ComputerSystem get domain3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\dbbacdc\cdcecaaFilesize
54B
MD5c8bbad190eaaa9755c8dfb1573984d81
SHA117ad91294403223fde66f687450545a2bad72af5
SHA2567f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac
SHA51205f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df
-
memory/1580-0-0x0000000004BE0000-0x0000000004BE2000-memory.dmpFilesize
8KB
-
memory/1580-1-0x0000000000A20000-0x0000000000E20000-memory.dmpFilesize
4.0MB