Analysis

  • max time kernel: 125s
  • max time network: 128s
  • platform: windows7_x64
  • resource: win7-20240611-en
  • resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted: 01/07/2024, 18:32

General

  • Target: 0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe
  • Size: 7.6MB
  • MD5: fda05bdaa4b6616c0c71467eed042501
  • SHA1: f62ab476c50bf4d5ae3324cae500aa1d06c5c7d4
  • SHA256: 0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef
  • SHA512: 8869c9a5e8219e0488798ef5eac1211932c23b5f453a81a168c966a26e92633cd0887070cd31c39bff9d11f6a98b813c1c3032c88fe5f502a822fffbe0352ad6
  • SSDEEP: 196608:g2mDMmD2mDc2mDMmD2mDL2mDMmD2mDc2mDMmD2mDh2mDMmD2mDc2mDMmD2mDL2mK:i

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
  • Adds policy Run key to start application (2 TTPs, 6 IoCs)
  • Executes dropped EXE (6 IoCs)
  • Impair Defenses: Safe Mode Boot (1 TTP, 3 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry key (1 TTP, 9 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of SetWindowsHookEx (7 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe
    "C:\Users\Admin\AppData\Local\Temp\0aad97c8ad5ada7a594bb3d4eb576f25b4cedcb8e400cd8af43e0b633f9328ef.exe"
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      • Impair Defenses: Safe Mode Boot
      • Modifies registry key
      PID:2716
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2500
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        • Suspicious use of WriteProcessMemory
        PID:3024
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2516
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          • Adds policy Run key to start application
          PID:1416
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        • Modifies registry key
        PID:1048
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        • Modifies registry key
        PID:2080
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        • Modifies registry key
        PID:1528
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        • Modifies registry key
        PID:2320
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Users\Admin\AppData\Local\Temp\avscan.exe
          C:\Users\Admin\AppData\Local\Temp\avscan.exe
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:996
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c c:\windows\W_X_C.bat
          • Suspicious use of WriteProcessMemory
          PID:1004
          • C:\windows\hosts.exe
            C:\windows\hosts.exe
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2812
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            • Adds policy Run key to start application
            PID:780
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          • Modifies registry key
          PID:1616
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          • Modifies registry key
          PID:1620
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          • Modifies registry key
          PID:1396
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          • Modifies registry key
          PID:2132
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        • Adds policy Run key to start application
        PID:1432

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize: 15.3MB
    MD5: 752a6a3bbf624f51b1365b25ce55b32e
    SHA1: 9daaa804abd21e697b625f34264eee2c11661d61
    SHA256: fbae7e10fc89ec0ec7f20814bde98c15fde64e141d28a2ed2ab74cd1e88c658b
    SHA512: 4f02afad48fe2c7b547e38f3d165ea5821a7e3c35d1a21567e789c136c4dabc8b01aa3bd4eada6fa885ce7a6b93fa34eff6b9f3e37c4a6b794ef741e7b1a6f53

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize: 30.6MB
    MD5: 43b81eb05e42fe3267c61a359d66fa0f
    SHA1: fb463d815eaa7fb8fa512e58d81cccdfb3052384
    SHA256: bd36447f59b775545aa21c41ca1657c0727734543d99af175290c02837182188
    SHA512: 8a61e6766a013aeff1946779b979ca1a99e2a6a7e86afbc701048d1abf7f9f1cbf376fdf2df9a66df6b2810748d24007cd80b4fd273df9e7742df65a6fb4826a

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize: 45.9MB
    MD5: 647e2f9bcdc27a3cf24a16214b77947a
    SHA1: 4e4df71887ecdcb3468bd9970d902c0ba3722d00
    SHA256: c662c0cb07dc5972ca957a9cb86a44861e880deb3779498e5c6eff09508f7f06
    SHA512: 4f3ab8e682ebe88e7b1e0239cac884a1cd56943f813e80a1535771b1ecedb2de4bd92b9e7414e3ba258cce652d1e76e2a3880f485bbacdd3ee981be915834967

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize: 61.2MB
    MD5: accf53eae2ae253ca4a05d830370c65c
    SHA1: 265741d8046b239447519e21c0201096b033793f
    SHA256: e99acbe09be282bf9daab21945a895137f9e3ad23681884257be8b28b082ee13
    SHA512: 54558dfeba04e4790ca6ef8817705199627f9f6e3de82428d2437e2e4f0689d16cec1525ee259018e836e4f8abdb4ae4b99aa8a60a64aad78f89c585f0ff590c

  • C:\Windows\W_X_C.vbs
    Filesize: 195B
    MD5: f6c84b0b807d9c88dadd87289cbd9a71
    SHA1: 0ce2e8163c8b9bf6e56f6d819084d876821f8002
    SHA256: 73601c28154e4bbfcc10d4632aa75447ee9c97aebc599b9128fb0024af8939ac
    SHA512: bf68dd033feba173231c07ca6beeba95c464d8ee226a957066901eccecfd771f457b59b475313fedd56856958fc575c14241bada16919b2400e6aa105d13849c

  • C:\Windows\hosts.exe
    Filesize: 7.6MB
    MD5: abc2fbd2b68aa2d87a510dd9b4e5e37e
    SHA1: 40ffb98d9780c89ad93002189fb3470f21af0fe5
    SHA256: 1dff41f12e71182bc60a16591c64f85d1a4eb608c394e1dc19a8f2cab2d22bb5
    SHA512: 32679b93eec4e16fa64ca0543d0e9ff5b0c26d8b96821320f651db0bd029d67c1eeeaf1acc4935d5640b1b85e098a87b03c1213fd635e92bd91679139aa076ec

  • \??\c:\windows\W_X_C.bat
    Filesize: 336B
    MD5: 4db9f8b6175722b62ececeeeba1ce307
    SHA1: 3b3ba8414706e72a6fa19e884a97b87609e11e47
    SHA256: d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
    SHA512: 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

  • \Users\Admin\AppData\Local\Temp\avscan.exe
    Filesize: 7.6MB
    MD5: 2e8bd4270a3c71f0611695e787565714
    SHA1: 00491a9b0b52fe45cc0b87183577d30b5a6fd59d
    SHA256: b24c5062a7e26c241c6583da2c2391e1aa4d29e1604d5fef59a19dcc41366767
    SHA512: b195d5bbb97dd9c610f0ea7dc0cf6e109d672d800c2259a24661ce4c3685abd131f53ad9a988bee987ae41b3fdf8252e719b642d24c75cf51c73bbd2a097cecc