Analysis
max time kernel: 121s
max time network: 118s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 05:21

Static task: static1
Behavioral task: behavioral1
  Sample: e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
  Resource: win10v2004-20240226-en
General
Target: e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
Size: 3.1MB
MD5: e3e1b247481c08890ed60eed55d41d94
SHA1: e59eb8591f9c4c7b0ac16ea63b5d45ee4ebf0c07
SHA256: e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1
SHA512: b34cfffeffbe3dae4957d09cc61421ed78922e6ff55225d9611d8834767e19fdb92279e60fce4cbd13561f838c1639d29b1ce6712a777a9c62e51b22220ee431
SSDEEP: 98304:gMmD2mDe2mDMmD2mDc2mDMmD2mD82mDM/:gMmD2mDe2mDMmD2mDc2mDMmD2mD82mDM
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: avscan.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: hosts.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: hosts.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: avscan.exe)

Adds policy Run key to start application (2 TTPs, 6 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JAFTUVRJ = "W_X_C.bat" (process: WScript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: WScript.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JAFTUVRJ = "W_X_C.bat" (process: WScript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: WScript.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JAFTUVRJ = "W_X_C.bat" (process: WScript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: WScript.exe)

Executes dropped EXE (6 IoCs)
- PID 2732 avscan.exe
- PID 2540 avscan.exe
- PID 2668 hosts.exe
- PID 2772 hosts.exe
- PID 2528 avscan.exe
- PID 2276 hosts.exe

Loads dropped DLL (5 IoCs)
- PID 2044 e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
- PID 2044 e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
- PID 2732 avscan.exe
- PID 2668 hosts.exe
- PID 2668 hosts.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (process: e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (process: avscan.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (process: hosts.exe)

Drops file in Windows directory (5 IoCs)
- File opened for modification C:\Windows\hosts.exe (process: avscan.exe)
- File opened for modification C:\Windows\hosts.exe (process: hosts.exe)
- File created C:\windows\W_X_C.vbs (process: e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe)
- File created \??\c:\windows\W_X_C.bat (process: e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe)
- File opened for modification C:\Windows\hosts.exe (process: e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry key (1 TTP, 9 IoCs)
- PID 2836 REG.exe
- PID 1788 REG.exe
- PID 1760 REG.exe
- PID 1840 REG.exe
- PID 1732 REG.exe
- PID 3040 REG.exe
- PID 1508 REG.exe
- PID 1608 REG.exe
- PID 828 REG.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2732 avscan.exe
- PID 2668 hosts.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 2044 e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
- PID 2732 avscan.exe
- PID 2540 avscan.exe
- PID 2668 hosts.exe
- PID 2772 hosts.exe
- PID 2528 avscan.exe
- PID 2276 hosts.exe

Suspicious use of WriteProcessMemory (64 IoCs; each write below was logged 4 times, for 16 distinct parent/child pairs)
- PID 2044 (e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe) wrote to memory of PID 3040; procid_target 28; 4 entries
- PID 2044 (e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe) wrote to memory of PID 2732; procid_target 30; 4 entries
- PID 2732 (avscan.exe) wrote to memory of PID 2540; procid_target 31; 4 entries
- PID 2732 (avscan.exe) wrote to memory of PID 2808; procid_target 32; 4 entries
- PID 2044 (e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe) wrote to memory of PID 2792; procid_target 34; 4 entries
- PID 2792 (cmd.exe) wrote to memory of PID 2772; procid_target 37; 4 entries
- PID 2808 (cmd.exe) wrote to memory of PID 2668; procid_target 36; 4 entries
- PID 2668 (hosts.exe) wrote to memory of PID 2528; procid_target 38; 4 entries
- PID 2668 (hosts.exe) wrote to memory of PID 2040; procid_target 39; 4 entries
- PID 2792 (cmd.exe) wrote to memory of PID 2008; procid_target 41; 4 entries
- PID 2040 (cmd.exe) wrote to memory of PID 2276; procid_target 42; 4 entries
- PID 2808 (cmd.exe) wrote to memory of PID 2620; procid_target 43; 4 entries
- PID 2040 (cmd.exe) wrote to memory of PID 1924; procid_target 44; 4 entries
- PID 2732 (avscan.exe) wrote to memory of PID 1508; procid_target 45; 4 entries
- PID 2668 (hosts.exe) wrote to memory of PID 2836; procid_target 47; 4 entries
- PID 2732 (avscan.exe) wrote to memory of PID 1608; procid_target 51; 4 entries
Processes (tree; the number in brackets is the nesting depth shown by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe (PID 2044)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe"
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\REG.exe (PID 3040)
        Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        - Modifies registry key

    [2] C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 2732)
        Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 2540)
            Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\cmd.exe (PID 2808)
            Command line: cmd /c c:\windows\W_X_C.bat
            - Suspicious use of WriteProcessMemory

            [4] C:\windows\hosts.exe (PID 2668)
                Command line: C:\windows\hosts.exe
                - Modifies visibility of file extensions in Explorer
                - Modifies visibility of hidden/system files in Explorer
                - Executes dropped EXE
                - Loads dropped DLL
                - Adds Run key to start application
                - Drops file in Windows directory
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 2528)
                    Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx

                [5] C:\Windows\SysWOW64\cmd.exe (PID 2040)
                    Command line: cmd /c c:\windows\W_X_C.bat
                    - Suspicious use of WriteProcessMemory

                    [6] C:\windows\hosts.exe (PID 2276)
                        Command line: C:\windows\hosts.exe
                        - Executes dropped EXE
                        - Suspicious use of SetWindowsHookEx

                    [6] C:\Windows\SysWOW64\WScript.exe (PID 1924)
                        Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
                        - Adds policy Run key to start application

                [5] C:\Windows\SysWOW64\REG.exe (PID 2836)
                    Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                    - Modifies registry key

                [5] C:\Windows\SysWOW64\REG.exe (PID 1788)
                    Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                    - Modifies registry key

                [5] C:\Windows\SysWOW64\REG.exe (PID 1760)
                    Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                    - Modifies registry key

                [5] C:\Windows\SysWOW64\REG.exe (PID 1732)
                    Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                    - Modifies registry key

            [4] C:\Windows\SysWOW64\WScript.exe (PID 2620)
                Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
                - Adds policy Run key to start application

        [3] C:\Windows\SysWOW64\REG.exe (PID 1508)
            Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            - Modifies registry key

        [3] C:\Windows\SysWOW64\REG.exe (PID 1608)
            Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            - Modifies registry key

        [3] C:\Windows\SysWOW64\REG.exe (PID 828)
            Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            - Modifies registry key

        [3] C:\Windows\SysWOW64\REG.exe (PID 1840)
            Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            - Modifies registry key

    [2] C:\Windows\SysWOW64\cmd.exe (PID 2792)
        Command line: cmd /c c:\windows\W_X_C.bat
        - Suspicious use of WriteProcessMemory

        [3] C:\windows\hosts.exe (PID 2772)
            Command line: C:\windows\hosts.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\WScript.exe (PID 2008)
            Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            - Adds policy Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 6.2MB
  MD5: a53c96dfbb79f3e792c13e5ecdd32830
  SHA1: 4a11cfd1ca1b8769bf3be054b54bf5d549604c90
  SHA256: cf3bfedc5cd172228218fadc4fdb0866aa19222b80f9cc68e3916441df2da5e7
  SHA512: 8b4b07dcc77b291885d8308993dd3cf38aed7041c741680c02534cf46dc76900d5a8e236df74f49a98bd9d1701e1e11d04a61eb25713f88bcce9ba1b7b1a6572

- Filesize: 9.2MB
  MD5: 817002cba8ffd240e5f75aa51b77dc15
  SHA1: 643b2e724f85c2ca2a24c16df2f8be0cd7931759
  SHA256: 0d6b8981f4dd3b4e0fc1fcca024d871c7bee48a6f9532c5c2c4bcd0476b0f140
  SHA512: 9f740803a8a925b32c0c84f160f8c05b6ea8a042d5d0ad99d823983bf34e72e0543c4f172b061a20658d4d124ce817a444d03c5998940cb4ef98932a8b5790a6

- Filesize: 12.3MB
  MD5: 516199f1cbcea565b4aa4a85e97e8f16
  SHA1: 7095762624103d2982bd9d7e8e2dae2940295b72
  SHA256: 90cd8697d4ddf69a5007dd26b22319615a5e497c62640a2a8bb8dafec951e3a6
  SHA512: 84af6625b505d8693f06038c44b1bb008a639d6dbd0e5c38a1c740fca04444b63232758618df78394c5cfed448a486ee3dc3e3dbe1190954c59f20b917cbf27a

- Filesize: 18.4MB
  MD5: 7c192209c52348cbac776b3ed785adee
  SHA1: 9a98e73ac33d18d0bef1094c4bfa4c68c16b56b7
  SHA256: 5ffe3b7acf81c325b2388a54e477ed7b6752b1911cc530d2d17a89c326627827
  SHA512: 527d7828597ee67da95a5217df7639ee91dc57f7706b58f8a82c8e0a14970cb83f2dfa9eaa805eadce5591b01a01479b0f9c758d3edf74db06656d5e3118e87e

- Filesize: 18.4MB
  MD5: a1a53a6ab5b8a43ed06d839925980a1e
  SHA1: 4028d13360b1c54eccfdb9a7ba8306bef0d80523
  SHA256: cbd692fb2d3e9469092cf6bfc8349bd55963626bc974154576ca22531b5c968e
  SHA512: e5b98fb8418f17cdfb57c748d362a90a6fab281e3e37a56a7584d940daacab4c9b8755d2dde6cb0682304405640afe4f78856d83dcf900e82fc542eadf04f012

- Filesize: 24.5MB
  MD5: 4330ac0b888e1caa10bd7e0be1b3524f
  SHA1: 2f18b357b64011683ba0767a9136ae556071df75
  SHA256: 431e5b2fe6a2346b8da56200b03e46b283407836787bbfbec0b23b13101a6170
  SHA512: 59088b54ffc5ad87963e0f69e144aece8fbdd9724d3639ffa1e290e497106c99df4e917a4b2718d2088815cd56e39def2019b47401b93729e507230988a7a2d3

- Filesize: 24.5MB
  MD5: bed1d56b80b6a3ec3d99e762a0a39bcb
  SHA1: c9f5081b2c60055657be7c3fe5ac5dbbb590cedf
  SHA256: bcefdb471b871543db8972bc5aabfc218180415c9833a4d6eee9eb8ca2d2c113
  SHA512: 81a2331dcf7bbfa8fcbfbca0a620144888cbf60c1c927304095f002fc58b01c1ca51476b151e553af19cf1ad9fcf4ba6cb0115ddc1798b321f0090212433c64f

- Filesize: 195B
  MD5: f95358465555a555747e89f1ff9648ec
  SHA1: c49cf9463efca89b6e07f06ccbb2e6d17d6fc645
  SHA256: f40d0daff2b4d5f62032c405ece6f2ad5482a2fcc53a29a41393ee72d996528f
  SHA512: 6a9ad835557fb4c74c826abab42eb8c35a7c2d9f7d61dab15e244d2aeab00cde77abb2669a805ef79f0cf3b07f732ef2267668e1397e623ce543948b99fdbad5

- Filesize: 3.1MB
  MD5: eb074ced6670448ffcae4e37b132ac14
  SHA1: 65b3386055a607a1b03824cc76117ffba2debe72
  SHA256: 0047a3a070befb9a8de971e2f1b0bbeaf0f4b6897eeee32aa56d9e567688e43c
  SHA512: 5ed934d1155abe880b4685e31fbde63b994437c0762a587545a5af889ea70374233bb2cc5a7dd9f49a958fe0155593cf592b1f62bb52710e0ed4a9085c652fbf

- Filesize: 336B
  MD5: 4db9f8b6175722b62ececeeeba1ce307
  SHA1: 3b3ba8414706e72a6fa19e884a97b87609e11e47
  SHA256: d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
  SHA512: 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

- Filesize: 3.1MB
  MD5: df874e396d203675edbacdcbe51c95da
  SHA1: 1f2925b2130c54641e52e18a59c505d043168934
  SHA256: ad96eb42433457811089874a8ff2b658cbae30c3c953a67bab1c91d882e3f3ea
  SHA512: a7f3567dca1e6ce354a88f775542e2fcf7005bee21142835e23118d25c5989b5909a2a39023c2e40d6b0efe370f7b6e0e41b959b62a09ef784f89ff18ef7b6ea