Analysis

max time kernel: 136s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 14-06-2024 05:21

Static task: static1

Behavioral task: behavioral1
  Sample: e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
  Resource: win7-20240611-en

Behavioral task: behavioral2
  Sample: e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
  Resource: win10v2004-20240226-en

General

Target: e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
Size: 3.1MB
MD5: e3e1b247481c08890ed60eed55d41d94
SHA1: e59eb8591f9c4c7b0ac16ea63b5d45ee4ebf0c07
SHA256: e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1
SHA512: b34cfffeffbe3dae4957d09cc61421ed78922e6ff55225d9611d8834767e19fdb92279e60fce4cbd13561f838c1639d29b1ce6712a777a9c62e51b22220ee431
SSDEEP: 98304:gMmD2mDe2mDMmD2mDc2mDMmD2mD82mDM/:gMmD2mDe2mDMmD2mDc2mDMmD2mD82mDM
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | avscan.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hosts.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | avscan.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hosts.exe

Adds policy Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OAILVCNY = "W_X_C.bat" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OAILVCNY = "W_X_C.bat" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OAILVCNY = "W_X_C.bat" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | cmd.exe

Executes dropped EXE (6 IoCs)
pid | Process
3036 | avscan.exe
3740 | avscan.exe
4304 | hosts.exe
3724 | hosts.exe
5016 | avscan.exe
1200 | hosts.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | avscan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | hosts.exe

Drops file in Windows directory (5 IoCs)
description | ioc | Process
File created | C:\windows\W_X_C.vbs | e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
File created | \??\c:\windows\W_X_C.bat | e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
File opened for modification | C:\Windows\hosts.exe | e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
File opened for modification | C:\Windows\hosts.exe | avscan.exe
File opened for modification | C:\Windows\hosts.exe | hosts.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | cmd.exe

Modifies registry key (1 TTP, 9 IoCs)
pid | Process
2628 | REG.exe
1968 | REG.exe
4860 | REG.exe
3964 | REG.exe
4028 | REG.exe
2452 | REG.exe
4776 | REG.exe
1668 | REG.exe
1284 | REG.exe

Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
pid | Process
4028 | e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
3036 | avscan.exe
4304 | hosts.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
4028 | e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
3036 | avscan.exe
3740 | avscan.exe
4304 | hosts.exe
3724 | hosts.exe
5016 | avscan.exe
1200 | hosts.exe
Suspicious use of WriteProcessMemory (63 IoCs; every write is recorded three times, so the 63 entries are the 21 distinct parent/child pairs below)
description | pid | Process | procid_target | entries
PID 4028 wrote to memory of 3964 | 4028 | e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe | 91 | 3
PID 4028 wrote to memory of 3036 | 4028 | e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe | 93 | 3
PID 3036 wrote to memory of 3740 | 3036 | avscan.exe | 94 | 3
PID 3036 wrote to memory of 224 | 3036 | avscan.exe | 95 | 3
PID 4028 wrote to memory of 3648 | 4028 | e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe | 96 | 3
PID 3648 wrote to memory of 4304 | 3648 | cmd.exe | 100 | 3
PID 224 wrote to memory of 3724 | 224 | cmd.exe | 99 | 3
PID 4304 wrote to memory of 5016 | 4304 | hosts.exe | 101 | 3
PID 4304 wrote to memory of 3980 | 4304 | hosts.exe | 103 | 3
PID 3980 wrote to memory of 1200 | 3980 | cmd.exe | 105 | 3
PID 3648 wrote to memory of 3696 | 3648 | cmd.exe | 106 | 3
PID 224 wrote to memory of 4476 | 224 | cmd.exe | 107 | 3
PID 3980 wrote to memory of 4448 | 3980 | cmd.exe | 108 | 3
PID 3036 wrote to memory of 2628 | 3036 | avscan.exe | 118 | 3
PID 4304 wrote to memory of 4028 | 4304 | hosts.exe | 120 | 3
PID 3036 wrote to memory of 2452 | 3036 | avscan.exe | 123 | 3
PID 4304 wrote to memory of 1968 | 4304 | hosts.exe | 125 | 3
PID 3036 wrote to memory of 4776 | 3036 | avscan.exe | 127 | 3
PID 4304 wrote to memory of 4860 | 4304 | hosts.exe | 129 | 3
PID 3036 wrote to memory of 1668 | 3036 | avscan.exe | 131 | 3
PID 4304 wrote to memory of 1284 | 4304 | hosts.exe | 133 | 3
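The signatures above give a compact IoC set for this sample: the HKLM Run value avscan, the Policies\Explorer\Run value pointing at W_X_C.bat, the forced deletion of the SafeBoot key, the per-user Explorer view settings, and four dropped files. The following host-triage check is an added example, not code from the sandbox report or from the sample; the registry paths, value names, file paths and SHA256s are copied from this page, while the function name Test-SampleIoCs, the HIGH/MED/LOW labels and the assumption of an elevated PowerShell 5.1 or later session on the suspect host are mine. It is read-only and reports findings without remediating.

```powershell
# Added host-triage check for the IoCs in this report (not the sandbox's or
# the sample author's code). Registry paths, value names, file paths and
# hashes come from the Signatures and Downloads sections; the function name
# and severity labels are assumptions. Assumes an elevated PowerShell 5.1+
# session on the suspect host. Read-only: it reports, it does not remediate.

function Test-SampleIoCs {
    [CmdletBinding()]
    param(
        # Known-bad SHA256s: the sample plus the four dropped files under Downloads.
        [string[]]$KnownSha256 = @(
            'e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1',
            '1fe9f38009a72efa65dd07895a946a35d7f8152647023de111ac749f5722da38',
            'b5006a0ac0b2c3200787642471940c08570b8f21eb46a03b5e53d103cb99a8c7',
            '3e04d16b2ae5e6407d1e05434f725601030d9f73e57c72cb570a7c2ccd147471',
            'd2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78'
        )
    )
    $ErrorActionPreference = 'SilentlyContinue'
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Run-key persistence. The 32-bit sample landed under WOW6432Node on the
    #    x64 sandbox; the native view is checked as well for 32-bit hosts.
    foreach ($hive in 'HKLM:\SOFTWARE\WOW6432Node', 'HKLM:\SOFTWARE') {
        $key = "$hive\Microsoft\Windows\CurrentVersion\Run"
        $val = (Get-ItemProperty -Path $key -Name avscan).avscan
        if ($val) { $findings.Add("HIGH  $key\avscan = $val") }
    }

    # 2. Policy Run key. Policies is a shared key (no WOW6432Node view). Match
    #    the value name seen in this run and any value whose data names W_X_C.bat.
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    $pol = Get-ItemProperty -Path $polKey
    if ($pol) {
        foreach ($p in @($pol.PSObject.Properties)) {
            if ($p.Name -like 'PS*') { continue }
            if ($p.Name -eq 'OAILVCNY' -or "$($p.Value)" -match 'W_X_C\.bat') {
                $findings.Add("HIGH  $polKey\$($p.Name) = $($p.Value)")
            }
        }
    }

    # 3. Safe Mode tamper: the sample runs REG DELETE ...\SafeBoot /f nine times.
    #    A healthy host has SafeBoot\Minimal and SafeBoot\Network.
    $safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($sub in 'Minimal', 'Network') {
        if (-not (Test-Path "$safeBoot\$sub")) {
            $findings.Add("HIGH  $safeBoot\$sub is missing; Safe Mode will not boot until it is restored")
        }
    }

    # 4. Explorer view settings in every loaded user hive. HideFileExt=1 and
    #    ShowSuperHidden=0 are also the Windows defaults, so on their own they
    #    are a weak signal and are rated LOW.
    Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $adv = "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
            $a = Get-ItemProperty -Path $adv
            if ($a -and $a.HideFileExt -eq 1 -and $a.ShowSuperHidden -eq 0) {
                $findings.Add("LOW   $($_.PSChildName): HideFileExt=1, ShowSuperHidden=0")
            }
        }

    # 5. Dropped files: the fixed paths from the report plus avscan.exe in every
    #    profile's Temp (the sandbox user was Admin; a real victim may differ).
    $paths = @("$env:SystemRoot\hosts.exe", "$env:SystemRoot\W_X_C.bat", "$env:SystemRoot\W_X_C.vbs")
    $paths += Get-ChildItem "$env:SystemDrive\Users" -Directory |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp\avscan.exe' }
    foreach ($f in $paths) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash.ToLower()
        $tag = if ($KnownSha256 -contains $h) { 'HIGH  known-bad hash' } else { 'MED   unexpected file' }
        $findings.Add("$tag $f sha256=$h")
    }

    return $findings
}

# Usage (elevated):
# Test-SampleIoCs | Tee-Object -FilePath "$env:TEMP\ioc-triage.txt"
```

A file at one of the dropped paths with a hash outside the known set is still reported (MED) because the three 3.1MB files in this report are copies of a polymorphic-looking dropper with different hashes, so a fresh run on another host may produce a hash this page does not list; treat the path, not the hash, as the primary indicator.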
Processes

[1] C:\Users\Admin\AppData\Local\Temp\e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe (PID 4028)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe"
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Adds Run key to start application
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\REG.exe (PID 3964)
        cmdline: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        - Modifies registry key
    [2] C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 3036)
        cmdline: C:\Users\Admin\AppData\Local\Temp\avscan.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 3740)
            cmdline: C:\Users\Admin\AppData\Local\Temp\avscan.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [3] C:\Windows\SysWOW64\cmd.exe (PID 224)
            cmdline: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
            - Checks computer location settings
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            [4] C:\windows\hosts.exe (PID 3724)
                cmdline: C:\windows\hosts.exe
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx
            [4] C:\Windows\SysWOW64\WScript.exe (PID 4476)
                cmdline: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
                - Adds policy Run key to start application
        [3] C:\Windows\SysWOW64\REG.exe (PID 2628)
            cmdline: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            - Modifies registry key
        [3] C:\Windows\SysWOW64\REG.exe (PID 2452)
            cmdline: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            - Modifies registry key
        [3] C:\Windows\SysWOW64\REG.exe (PID 4776)
            cmdline: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            - Modifies registry key
        [3] C:\Windows\SysWOW64\REG.exe (PID 1668)
            cmdline: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            - Modifies registry key
    [2] C:\Windows\SysWOW64\cmd.exe (PID 3648)
        cmdline: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        [3] C:\windows\hosts.exe (PID 4304)
            cmdline: C:\windows\hosts.exe
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 5016)
                cmdline: C:\Users\Admin\AppData\Local\Temp\avscan.exe
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx
            [4] C:\Windows\SysWOW64\cmd.exe (PID 3980)
                cmdline: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
                - Checks computer location settings
                - Modifies registry class
                - Suspicious use of WriteProcessMemory
                [5] C:\windows\hosts.exe (PID 1200)
                    cmdline: C:\windows\hosts.exe
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx
                [5] C:\Windows\SysWOW64\WScript.exe (PID 4448)
                    cmdline: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
                    - Adds policy Run key to start application
            [4] C:\Windows\SysWOW64\REG.exe (PID 4028)
                cmdline: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                - Modifies registry key
            [4] C:\Windows\SysWOW64\REG.exe (PID 1968)
                cmdline: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                - Modifies registry key
            [4] C:\Windows\SysWOW64\REG.exe (PID 4860)
                cmdline: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                - Modifies registry key
            [4] C:\Windows\SysWOW64\REG.exe (PID 1284)
                cmdline: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                - Modifies registry key
        [3] C:\Windows\SysWOW64\WScript.exe (PID 3696)
            cmdline: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            - Adds policy Run key to start application

[1] C:\Windows\System32\rundll32.exe (PID 1776)
    cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3520)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

Notes on the tree:
- Every child runs from C:\Windows\SysWOW64 and the Run value lands under WOW6432Node: the sample is a 32-bit executable running on the x64 image (the resource tags list both arch:x86 and arch:x64).
- PID 4028 appears twice, first as the sample itself and later as a REG.exe child of hosts.exe (PID 4304). The sample had exited by then and Windows reused the PID; the WriteProcessMemory entry "PID 4304 wrote to memory of 4028" (procid_target 120) refers to that REG.exe, not to the dropper.
- The sample and both dropped copies (avscan.exe, hosts.exe) launch REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f, nine times in total. That key holds the Minimal and Network driver/service lists Safe Mode boots from; with it removed, Safe Mode fails to start until the key is restored from a registry backup or exported from a clean host of the same build.
- The two chains end in the same fan-out: each hosts.exe/avscan.exe pair re-runs W_X_C.bat, which starts hosts.exe again and runs W_X_C.vbs through WScript.exe to add the Policies\Explorer\Run value.
- rundll32.exe (SHCreateLocalServerRunDll) and the msedge.exe utility process are recorded as separate top-level processes, not as children of the sample.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: 2a5352988ff49576c23c54c4933b629e
SHA1: 36ff12d65755f6c1c564833aa97f895eeb02e6d3
SHA256: 1fe9f38009a72efa65dd07895a946a35d7f8152647023de111ac749f5722da38
SHA512: be07de1866918d1aaaf27db38e5a0f350a5c11bd968222b1ba59f7c073531172175248af8fa649637743d2a68ab9ebde2eaf74474fd9407e2c78382d5258c10d

Filesize: 195B
MD5: 0b7843cfac17421f5112f317542457da
SHA1: 60383d2b53c315cef3e26e2254448623fbf75de2
SHA256: b5006a0ac0b2c3200787642471940c08570b8f21eb46a03b5e53d103cb99a8c7
SHA512: cf57206cd2828e2e4ca2f6b2ac8818cf30c5c6d69854f719bcb3296b674d7d02d6067453965220948418fc995aa6d8441a30736f5fa9ce46d01d4056801ff918

Filesize: 3.1MB
MD5: d77348c7bed8df48dc41c89c9feb3beb
SHA1: b271574a365f216deeaeee5098e846c1e3c11c15
SHA256: 3e04d16b2ae5e6407d1e05434f725601030d9f73e57c72cb570a7c2ccd147471
SHA512: 49ff974265e35a9b618201e93cba4eab6fb0129c4f0b2ef1039427ac0453376bed020968c89570c10926d8db44c930190cfa6294fc471675a32fae24f3da4135

Filesize: 336B
MD5: 4db9f8b6175722b62ececeeeba1ce307
SHA1: 3b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256: d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA512: 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b