Analysis

max time kernel: 125s
max time network: 128s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 01/07/2024, 18:32

Static task: static1

Behavioral task: behavioral1
  Sample: 0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe
  Resource: win7-20240611-en

Behavioral task: behavioral2
  Sample: 0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe
  Resource: win10v2004-20240508-en
General

Target: 0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe
Size: 7.6MB
MD5: fda05bdaa4b6616c0c71467eed042501
SHA1: f62ab476c50bf4d5ae3324cae500aa1d06c5c7d4
SHA256: 0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef
SHA512: 8869c9a5e8219e0488798ef5eac1211932c23b5f453a81a168c966a26e92633cd0887070cd31c39bff9d11f6a98b813c1c3032c88fe5f502a822fffbe0352ad6
SSDEEP: 196608:g2mDMmD2mDc2mDMmD2mDL2mDMmD2mDc2mDMmD2mDh2mDMmD2mDc2mDMmD2mDL2mK:i

Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
  Set value (int): \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: hosts.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: 0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: avscan.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
  Set value (int): \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: 0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: avscan.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: hosts.exe)
Adds policy Run key to start application (2 TTPs, 6 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: WScript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\EILATWEW = "W_X_C.bat" (process: WScript.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: WScript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\EILATWEW = "W_X_C.bat" (process: WScript.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: WScript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\EILATWEW = "W_X_C.bat" (process: WScript.exe)

Executes dropped EXE (6 IoCs)
  PID 2704: avscan.exe
  PID 2500: avscan.exe
  PID 2480: hosts.exe
  PID 2516: hosts.exe
  PID 996: avscan.exe
  PID 2812: hosts.exe

Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
  Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc (process: REG.exe)
  Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend (process: REG.exe)
  Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power (process: REG.exe)

Loads dropped DLL (5 IoCs)
  PID 1720: 0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe
  PID 1720: 0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe
  PID 2704: avscan.exe
  PID 2480: hosts.exe
  PID 2480: hosts.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (process: 0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (process: avscan.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (process: hosts.exe)

Drops file in Windows directory (5 IoCs)
  File created: C:\windows\W_X_C.vbs (process: 0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe)
  File created: \??\c:\windows\W_X_C.bat (process: 0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe)
  File opened for modification: C:\Windows\hosts.exe (process: 0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe)
  File opened for modification: C:\Windows\hosts.exe (process: avscan.exe)
  File opened for modification: C:\Windows\hosts.exe (process: hosts.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry key (1 TTPs, 9 IoCs)
  PID 2080: REG.exe
  PID 1620: REG.exe
  PID 1528: REG.exe
  PID 1396: REG.exe
  PID 2132: REG.exe
  PID 2716: REG.exe
  PID 1048: REG.exe
  PID 1616: REG.exe
  PID 2320: REG.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 2704: avscan.exe
  PID 2480: hosts.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 1720: 0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe
  PID 2704: avscan.exe
  PID 2500: avscan.exe
  PID 2480: hosts.exe
  PID 2516: hosts.exe
  PID 996: avscan.exe
  PID 2812: hosts.exe

Suspicious use of WriteProcessMemory (64 IoCs; each row below appears four times in the report)
  description                        pid   Process                                                                 procid_target
  PID 1720 wrote to memory of 2716   1720  0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe   28   (x4)
  PID 1720 wrote to memory of 2704   1720  0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe   30   (x4)
  PID 2704 wrote to memory of 2500   2704  avscan.exe                                                              31   (x4)
  PID 2704 wrote to memory of 3024   2704  avscan.exe                                                              32   (x4)
  PID 1720 wrote to memory of 2600   1720  0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe   33   (x4)
  PID 2600 wrote to memory of 2480   2600  cmd.exe                                                                 36   (x4)
  PID 3024 wrote to memory of 2516   3024  cmd.exe                                                                 37   (x4)
  PID 2480 wrote to memory of 996    2480  hosts.exe                                                               38   (x4)
  PID 3024 wrote to memory of 1416   3024  cmd.exe                                                                 40   (x4)
  PID 2600 wrote to memory of 1432   2600  cmd.exe                                                                 39   (x4)
  PID 2480 wrote to memory of 1004   2480  hosts.exe                                                               41   (x4)
  PID 1004 wrote to memory of 2812   1004  cmd.exe                                                                 43   (x4)
  PID 1004 wrote to memory of 780    1004  cmd.exe                                                                 44   (x4)
  PID 2704 wrote to memory of 1048   2704  avscan.exe                                                              47   (x4)
  PID 2480 wrote to memory of 1616   2480  hosts.exe                                                               49   (x4)
  PID 2704 wrote to memory of 2080   2704  avscan.exe                                                              51   (x4)
Processes

Process tree (indentation shows parent/child depth; the numeric depth from the report is given in brackets):

[1] C:\Users\Admin\AppData\Local\Temp\0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe"
    PID: 1720
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\REG.exe
        Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        PID: 2716
        - Impair Defenses: Safe Mode Boot
        - Modifies registry key

    [2] C:\Users\Admin\AppData\Local\Temp\avscan.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
        PID: 2704
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\avscan.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
            PID: 2500
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c c:\windows\W_X_C.bat
            PID: 3024
            - Suspicious use of WriteProcessMemory

            [4] C:\windows\hosts.exe
                Command line: C:\windows\hosts.exe
                PID: 2516
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

            [4] C:\Windows\SysWOW64\WScript.exe
                Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
                PID: 1416
                - Adds policy Run key to start application

        [3] C:\Windows\SysWOW64\REG.exe
            Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            PID: 1048
            - Modifies registry key

        [3] C:\Windows\SysWOW64\REG.exe
            Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            PID: 2080
            - Modifies registry key

        [3] C:\Windows\SysWOW64\REG.exe
            Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            PID: 1528
            - Modifies registry key

        [3] C:\Windows\SysWOW64\REG.exe
            Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            PID: 2320
            - Modifies registry key

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c c:\windows\W_X_C.bat
        PID: 2600
        - Suspicious use of WriteProcessMemory

        [3] C:\windows\hosts.exe
            Command line: C:\windows\hosts.exe
            PID: 2480
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\avscan.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
                PID: 996
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c c:\windows\W_X_C.bat
                PID: 1004
                - Suspicious use of WriteProcessMemory

                [5] C:\windows\hosts.exe
                    Command line: C:\windows\hosts.exe
                    PID: 2812
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx

                [5] C:\Windows\SysWOW64\WScript.exe
                    Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
                    PID: 780
                    - Adds policy Run key to start application

            [4] C:\Windows\SysWOW64\REG.exe
                Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                PID: 1616
                - Modifies registry key

            [4] C:\Windows\SysWOW64\REG.exe
                Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                PID: 1620
                - Modifies registry key

            [4] C:\Windows\SysWOW64\REG.exe
                Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                PID: 1396
                - Modifies registry key

            [4] C:\Windows\SysWOW64\REG.exe
                Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                PID: 2132
                - Modifies registry key

        [3] C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            PID: 1432
            - Adds policy Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 15.3MB
MD5: 752a6a3bbf624f51b1365b25ce55b32e
SHA1: 9daaa804abd21e697b625f34264eee2c11661d61
SHA256: fbae7e10fc89ec0ec7f20814bde98c15fde64e141d28a2ed2ab74cd1e88c658b
SHA512: 4f02afad48fe2c7b547e38f3d165ea5821a7e3c35d1a21567e789c136c4dabc8b01aa3bd4eada6fa885ce7a6b93fa34eff6b9f3e37c4a6b794ef741e7b1a6f53

Filesize: 30.6MB
MD5: 43b81eb05e42fe3267c61a359d66fa0f
SHA1: fb463d815eaa7fb8fa512e58d81cccdfb3052384
SHA256: bd36447f59b775545aa21c41ca1657c0727734543d99af175290c02837182188
SHA512: 8a61e6766a013aeff1946779b979ca1a99e2a6a7e86afbc701048d1abf7f9f1cbf376fdf2df9a66df6b2810748d24007cd80b4fd273df9e7742df65a6fb4826a

Filesize: 45.9MB
MD5: 647e2f9bcdc27a3cf24a16214b77947a
SHA1: 4e4df71887ecdcb3468bd9970d902c0ba3722d00
SHA256: c662c0cb07dc5972ca957a9cb86a44861e880deb3779498e5c6eff09508f7f06
SHA512: 4f3ab8e682ebe88e7b1e0239cac884a1cd56943f813e80a1535771b1ecedb2de4bd92b9e7414e3ba258cce652d1e76e2a3880f485bbacdd3ee981be915834967

Filesize: 61.2MB
MD5: accf53eae2ae253ca4a05d830370c65c
SHA1: 265741d8046b239447519e21c0201096b033793f
SHA256: e99acbe09be282bf9daab21945a895137f9e3ad23681884257be8b28b082ee13
SHA512: 54558dfeba04e4790ca6ef8817705199627f9f6e3de82428d2437e2e4f0689d16cec1525ee259018e836e4f8abdb4ae4b99aa8a60a64aad78f89c585f0ff590c

Filesize: 195B
MD5: f6c84b0b807d9c88dadd87289cbd9a71
SHA1: 0ce2e8163c8b9bf6e56f6d819084d876821f8002
SHA256: 73601c28154e4bbfcc10d4632aa75447ee9c97aebc599b9128fb0024af8939ac
SHA512: bf68dd033feba173231c07ca6beeba95c464d8ee226a957066901eccecfd771f457b59b475313fedd56856958fc575c14241bada16919b2400e6aa105d13849c

Filesize: 7.6MB
MD5: abc2fbd2b68aa2d87a510dd9b4e5e37e
SHA1: 40ffb98d9780c89ad93002189fb3470f21af0fe5
SHA256: 1dff41f12e71182bc60a16591c64f85d1a4eb608c394e1dc19a8f2cab2d22bb5
SHA512: 32679b93eec4e16fa64ca0543d0e9ff5b0c26d8b96821320f651db0bd029d67c1eeeaf1acc4935d5640b1b85e098a87b03c1213fd635e92bd91679139aa076ec

Filesize: 336B
MD5: 4db9f8b6175722b62ececeeeba1ce307
SHA1: 3b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256: d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA512: 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Filesize: 7.6MB
MD5: 2e8bd4270a3c71f0611695e787565714
SHA1: 00491a9b0b52fe45cc0b87183577d30b5a6fd59d
SHA256: b24c5062a7e26c241c6583da2c2391e1aa4d29e1604d5fef59a19dcc41366767
SHA512: b195d5bbb97dd9c610f0ea7dc0cf6e109d672d800c2259a24661ce4c3685abd131f53ad9a988bee987ae41b3fdf8252e719b642d24c75cf51c73bbd2a097cecc