Overview
Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 23/07/2024, 15:15
Static task: static1

Behavioral tasks:

Task          Sample              Resource
behavioral1   Speccy.exe          win7-20240705-en
behavioral2   Speccy.exe          win10v2004-20240709-en
behavioral3   Speccy64.exe        win7-20240708-en
behavioral4   Speccy64.exe        win10v2004-20240709-en
behavioral5   lang/lang-1026.dll  win7-20240705-en
behavioral6   lang/lang-1026.dll  win10v2004-20240709-en
behavioral7   lang/lang-1031.dll  win7-20240708-en
behavioral8   lang/lang-1031.dll  win10v2004-20240709-en
behavioral9   lang/lang-1033.dll  win7-20240705-en
behavioral10  lang/lang-1033.dll  win10v2004-20240709-en
behavioral11  lang/lang-1034.dll  win7-20240705-en
behavioral12  lang/lang-1034.dll  win10v2004-20240709-en
behavioral13  lang/lang-1035.dll  win7-20240704-en
behavioral14  lang/lang-1035.dll  win10v2004-20240704-en
behavioral15  lang/lang-1036.dll  win7-20240704-en
behavioral16  lang/lang-1036.dll  win10v2004-20240709-en
behavioral17  lang/lang-1037.dll  win7-20240704-en
behavioral18  lang/lang-1037.dll  win10v2004-20240709-en
behavioral19  lang/lang-1038.dll  win7-20240704-en
behavioral20  lang/lang-1038.dll  win10v2004-20240709-en
behavioral21  lang/lang-1040.dll  win7-20240705-en
behavioral22  lang/lang-1040.dll  win10v2004-20240709-en
behavioral23  lang/lang-1041.dll  win7-20240705-en
behavioral24  lang/lang-1041.dll  win10v2004-20240709-en
behavioral25  lang/lang-1043.dll  win7-20240704-en
behavioral26  lang/lang-1043.dll  win10v2004-20240709-en
behavioral27  lang/lang-1045.dll  win7-20240704-en
behavioral28  lang/lang-1045.dll  win10v2004-20240709-en
behavioral29  lang/lang-1046.dll  win7-20240704-en
behavioral30  lang/lang-1046.dll  win10v2004-20240709-en
behavioral31  lang/lang-1049.dll  win7-20240704-en
behavioral32  lang/lang-1049.dll  win10v2004-20240709-en
General
- Target: Speccy.exe
- Size: 5.0MB
- MD5: 5ceba11afa3cb63e73320786dc0652ca
- SHA1: d6d0971807f15b2c80d3164353edd00629c8ded5
- SHA256: fdea8741ef3af7375ae7a10564b863a01b3646a8c427249e183646409f9166d2
- SHA512: 933d2b749e671745aae64fe29b0ec61c4070a3367f316fe78218e16ebcd3659f1ad46d17f543ac121d7c0c3140fd939b1aec0dca2883250f20ca69c00fe07c48
- SSDEEP: 98304:yHMNlpept3gSuDdFeznGkcBLwX1Pge/7yhg0:UMoptYDdFhkp7w
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.

  description              ioc      Process
  File opened (read-only)  \??\E:   speccy64.exe
  File opened (read-only)  \??\H:   speccy64.exe
  File opened (read-only)  \??\K:   speccy64.exe
  File opened (read-only)  \??\Y:   speccy64.exe
  File opened (read-only)  \??\A:   speccy64.exe
  File opened (read-only)  \??\L:   speccy64.exe
  File opened (read-only)  \??\U:   speccy64.exe
  File opened (read-only)  \??\O:   speccy64.exe
  File opened (read-only)  \??\S:   speccy64.exe
  File opened (read-only)  \??\W:   speccy64.exe
  File opened (read-only)  \??\J:   speccy64.exe
  File opened (read-only)  \??\M:   speccy64.exe
  File opened (read-only)  \??\N:   speccy64.exe
  File opened (read-only)  \??\P:   speccy64.exe
  File opened (read-only)  \??\Q:   speccy64.exe
  File opened (read-only)  \??\R:   speccy64.exe
  File opened (read-only)  \??\T:   speccy64.exe
  File opened (read-only)  \??\V:   speccy64.exe
  File opened (read-only)  \??\B:   speccy64.exe
  File opened (read-only)  \??\G:   speccy64.exe
  File opened (read-only)  \??\I:   speccy64.exe
  File opened (read-only)  \??\X:   speccy64.exe
  File opened (read-only)  \??\Z:   speccy64.exe

- Remote Services: SMB/Windows Admin Shares (1 TTP, 1 IoC)
  Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

  description        ioc                                                                                     Process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LanmanServer\Parameters\NullSessionPipes  speccy64.exe

- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.

  description                   ioc                 Process
  File opened for modification  \??\PHYSICALDRIVE0  speccy64.exe

- Drops file in Windows directory (4 IoCs)

  description                   ioc                              Process
  File opened for modification  C:\Windows\INF\setupapi.app.log  speccy64.exe
  File opened for modification  C:\Windows\setupact.log          speccy64.exe
  File opened for modification  C:\Windows\setuperr.log          speccy64.exe
  File opened for modification  C:\Windows\WindowsUpdate.log     speccy64.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description  ioc                                                       Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Speccy.exe
- Suspicious behavior: EnumeratesProcesses (22 IoCs)

  pid   Process
  2724  speccy64.exe (22 identical entries)

- Suspicious behavior: LoadsDriver (1 IoC)

  pid  Process
  476  Process not Found

- Suspicious use of AdjustPrivilegeToken (11 IoCs)

  description                 pid   Process
  Token: SeRestorePrivilege   2724  speccy64.exe
  Token: SeRestorePrivilege   2724  speccy64.exe
  Token: SeRestorePrivilege   2724  speccy64.exe
  Token: SeRestorePrivilege   2724  speccy64.exe
  Token: SeRestorePrivilege   2724  speccy64.exe
  Token: SeRestorePrivilege   2724  speccy64.exe
  Token: SeRestorePrivilege   2724  speccy64.exe
  Token: SeShutdownPrivilege  2724  speccy64.exe
  Token: SeDebugPrivilege     2724  speccy64.exe
  Token: SeShutdownPrivilege  2724  speccy64.exe
  Token: SeShutdownPrivilege  2724  speccy64.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)

  pid   Process
  2724  speccy64.exe (2 identical entries)

- Suspicious use of SendNotifyMessage (2 IoCs)

  pid   Process
  2724  speccy64.exe (2 identical entries)

- Suspicious use of SetWindowsHookEx (2 IoCs)

  pid   Process
  2724  speccy64.exe (2 identical entries)

- Suspicious use of WriteProcessMemory (13 IoCs)

  description                        pid   Process       procid_target
  PID 2396 wrote to memory of 2724   2396  Speccy.exe    30
  PID 2396 wrote to memory of 2724   2396  Speccy.exe    30
  PID 2396 wrote to memory of 2724   2396  Speccy.exe    30
  PID 2396 wrote to memory of 2724   2396  Speccy.exe    30
  PID 2724 wrote to memory of 2576   2724  speccy64.exe  32
  PID 2724 wrote to memory of 2576   2724  speccy64.exe  32
  PID 2724 wrote to memory of 2576   2724  speccy64.exe  32
  PID 2724 wrote to memory of 448    2724  speccy64.exe  34
  PID 2724 wrote to memory of 448    2724  speccy64.exe  34
  PID 2724 wrote to memory of 448    2724  speccy64.exe  34
  PID 2724 wrote to memory of 2940   2724  speccy64.exe  36
  PID 2724 wrote to memory of 2940   2724  speccy64.exe  36
  PID 2724 wrote to memory of 2940   2724  speccy64.exe  36

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\Speccy.exe (PID: 2396)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Speccy.exe"
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\speccy64.exe (PID: 2724)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Speccy.exe"
    Signatures:
    - Enumerates connected drives
    - Remote Services: SMB/Windows Admin Shares
    - Writes to the Master Boot Record (MBR)
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Program Files\Java\jre7\bin\java.exe (PID: 2576)
      Command line: "C:\Program Files\Java\jre7\bin\java" -version
    - C:\Program Files\Java\jdk1.7.0_80\bin\java.exe (PID: 448)
      Command line: "C:\Program Files\Java\jdk1.7.0_80\bin\java" -version
    - C:\Windows\system32\secedit.exe (PID: 2940)
      Command line: /export /cfg "C:\Users\Admin\AppData\Local\Temp\spc_se.txt" /quiet /areas SECURITYPOLICY

- C:\Windows\system32\wbem\WmiApSrv.exe (PID: 2168)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe

- C:\Windows\system32\wbem\WmiApSrv.exe (PID: 1964)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 12KB
- MD5: dc505882bcd8807dbe21ff2ba0e48826
- SHA1: 83b732cfe3fa5830779c0a1be554e01deda066d1
- SHA256: dd280e08bfad952f40388b31a2641bf9888f2ace821e39d9bbceac3f487ff134
- SHA512: 4ff9a96ba2a08e249d2cd43bc7d1f8d8f7f378189f5fd9b48ed0079be16ad0e57add876c2a964c69be429935b8f7df9b8f380bfd8a0e35ad4911e8c1cb2453e4