Overview
| Score | Target | Platform |
|---|---|---|
| 7 | Static | static |
| 1 | Speccy.exe | windows7-x64 |
| 6 | Speccy.exe | windows10-2004-x64 |
| 6 | Speccy64.exe | windows7-x64 |
| 7 | Speccy64.exe | windows10-2004-x64 |
| 7 | lang/lang-1026.dll | windows7-x64 |
| 1 | lang/lang-1026.dll | windows10-2004-x64 |
| 1 | lang/lang-1031.dll | windows7-x64 |
| 1 | lang/lang-1031.dll | windows10-2004-x64 |
| 1 | lang/lang-1033.dll | windows7-x64 |
| 1 | lang/lang-1033.dll | windows10-2004-x64 |
| 1 | lang/lang-1034.dll | windows7-x64 |
| 1 | lang/lang-1034.dll | windows10-2004-x64 |
| 1 | lang/lang-1035.dll | windows7-x64 |
| 1 | lang/lang-1035.dll | windows10-2004-x64 |
| 1 | lang/lang-1036.dll | windows7-x64 |
| 1 | lang/lang-1036.dll | windows10-2004-x64 |
| 1 | lang/lang-1037.dll | windows7-x64 |
| 1 | lang/lang-1037.dll | windows10-2004-x64 |
| 1 | lang/lang-1038.dll | windows7-x64 |
| 1 | lang/lang-1038.dll | windows10-2004-x64 |
| 1 | lang/lang-1040.dll | windows7-x64 |
| 1 | lang/lang-1040.dll | windows10-2004-x64 |
| 1 | lang/lang-1041.dll | windows7-x64 |
| 1 | lang/lang-1041.dll | windows10-2004-x64 |
| 1 | lang/lang-1043.dll | windows7-x64 |
| 1 | lang/lang-1043.dll | windows10-2004-x64 |
| 1 | lang/lang-1045.dll | windows7-x64 |
| 1 | lang/lang-1045.dll | windows10-2004-x64 |
| 1 | lang/lang-1046.dll | windows7-x64 |
| 1 | lang/lang-1046.dll | windows10-2004-x64 |
| 1 | lang/lang-1049.dll | windows7-x64 |
| 1 | lang/lang-1049.dll | windows10-2004-x64 |
Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/07/2024, 15:15
| Task | ID | Sample | Resource |
|---|---|---|---|
| Static task | static1 | | |
| Behavioral task | behavioral1 | Speccy.exe | win7-20240705-en |
| Behavioral task | behavioral2 | Speccy.exe | win10v2004-20240709-en |
| Behavioral task | behavioral3 | Speccy64.exe | win7-20240708-en |
| Behavioral task | behavioral4 | Speccy64.exe | win10v2004-20240709-en |
| Behavioral task | behavioral5 | lang/lang-1026.dll | win7-20240705-en |
| Behavioral task | behavioral6 | lang/lang-1026.dll | win10v2004-20240709-en |
| Behavioral task | behavioral7 | lang/lang-1031.dll | win7-20240708-en |
| Behavioral task | behavioral8 | lang/lang-1031.dll | win10v2004-20240709-en |
| Behavioral task | behavioral9 | lang/lang-1033.dll | win7-20240705-en |
| Behavioral task | behavioral10 | lang/lang-1033.dll | win10v2004-20240709-en |
| Behavioral task | behavioral11 | lang/lang-1034.dll | win7-20240705-en |
| Behavioral task | behavioral12 | lang/lang-1034.dll | win10v2004-20240709-en |
| Behavioral task | behavioral13 | lang/lang-1035.dll | win7-20240704-en |
| Behavioral task | behavioral14 | lang/lang-1035.dll | win10v2004-20240704-en |
| Behavioral task | behavioral15 | lang/lang-1036.dll | win7-20240704-en |
| Behavioral task | behavioral16 | lang/lang-1036.dll | win10v2004-20240709-en |
| Behavioral task | behavioral17 | lang/lang-1037.dll | win7-20240704-en |
| Behavioral task | behavioral18 | lang/lang-1037.dll | win10v2004-20240709-en |
| Behavioral task | behavioral19 | lang/lang-1038.dll | win7-20240704-en |
| Behavioral task | behavioral20 | lang/lang-1038.dll | win10v2004-20240709-en |
| Behavioral task | behavioral21 | lang/lang-1040.dll | win7-20240705-en |
| Behavioral task | behavioral22 | lang/lang-1040.dll | win10v2004-20240709-en |
| Behavioral task | behavioral23 | lang/lang-1041.dll | win7-20240705-en |
| Behavioral task | behavioral24 | lang/lang-1041.dll | win10v2004-20240709-en |
| Behavioral task | behavioral25 | lang/lang-1043.dll | win7-20240704-en |
| Behavioral task | behavioral26 | lang/lang-1043.dll | win10v2004-20240709-en |
| Behavioral task | behavioral27 | lang/lang-1045.dll | win7-20240704-en |
| Behavioral task | behavioral28 | lang/lang-1045.dll | win10v2004-20240709-en |
| Behavioral task | behavioral29 | lang/lang-1046.dll | win7-20240704-en |
| Behavioral task | behavioral30 | lang/lang-1046.dll | win10v2004-20240709-en |
| Behavioral task | behavioral31 | lang/lang-1049.dll | win7-20240704-en |
| Behavioral task | behavioral32 | lang/lang-1049.dll | win10v2004-20240709-en |
General
- Target: Speccy.exe
- Size: 5.0MB
- MD5: 5ceba11afa3cb63e73320786dc0652ca
- SHA1: d6d0971807f15b2c80d3164353edd00629c8ded5
- SHA256: fdea8741ef3af7375ae7a10564b863a01b3646a8c427249e183646409f9166d2
- SHA512: 933d2b749e671745aae64fe29b0ec61c4070a3367f316fe78218e16ebcd3659f1ad46d17f543ac121d7c0c3140fd939b1aec0dca2883250f20ca69c00fe07c48
- SSDEEP: 98304:yHMNlpept3gSuDdFeznGkcBLwX1Pge/7yhg0:UMoptYDdFhkp7w
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\Q: | speccy64.exe |
| File opened (read-only) | \??\R: | speccy64.exe |
| File opened (read-only) | \??\G: | speccy64.exe |
| File opened (read-only) | \??\K: | speccy64.exe |
| File opened (read-only) | \??\P: | speccy64.exe |
| File opened (read-only) | \??\A: | speccy64.exe |
| File opened (read-only) | \??\W: | speccy64.exe |
| File opened (read-only) | \??\J: | speccy64.exe |
| File opened (read-only) | \??\V: | speccy64.exe |
| File opened (read-only) | \??\X: | speccy64.exe |
| File opened (read-only) | \??\Y: | speccy64.exe |
| File opened (read-only) | \??\Z: | speccy64.exe |
| File opened (read-only) | \??\B: | speccy64.exe |
| File opened (read-only) | \??\E: | speccy64.exe |
| File opened (read-only) | \??\I: | speccy64.exe |
| File opened (read-only) | \??\N: | speccy64.exe |
| File opened (read-only) | \??\O: | speccy64.exe |
| File opened (read-only) | \??\S: | speccy64.exe |
| File opened (read-only) | \??\T: | speccy64.exe |
| File opened (read-only) | \??\U: | speccy64.exe |
| File opened (read-only) | \??\H: | speccy64.exe |
| File opened (read-only) | \??\L: | speccy64.exe |
| File opened (read-only) | \??\M: | speccy64.exe |

- Remote Services: SMB/Windows Admin Shares (1 TTPs, 1 IoCs)
  Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes | speccy64.exe |

- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.

| description | ioc | Process |
|---|---|---|
| File opened for modification | \??\PHYSICALDRIVE0 | speccy64.exe |

- Drops file in System32 directory (6 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | speccy64.exe |
| File created | \??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | speccy64.exe |
| File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | speccy64.exe |
| File created | \??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | speccy64.exe |
| File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | speccy64.exe |
| File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | speccy64.exe |

- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Speccy.exe |

- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | speccy64.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | speccy64.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | speccy64.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | speccy64.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | speccy64.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | speccy64.exe |

- Suspicious behavior: EnumeratesProcesses (52 IoCs)

| pid | Process |
|---|---|
| 3012 | speccy64.exe |

(The row above is repeated 52 times in the report, one per recorded event.)

- Suspicious behavior: LoadsDriver (1 IoCs)

| pid | Process |
|---|---|
| 660 | Process not Found |

- Suspicious use of AdjustPrivilegeToken (7 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeShutdownPrivilege | 3012 | speccy64.exe |
| Token: SeCreatePagefilePrivilege | 3012 | speccy64.exe |
| Token: SeDebugPrivilege | 3012 | speccy64.exe |
| Token: SeShutdownPrivilege | 3012 | speccy64.exe |
| Token: SeCreatePagefilePrivilege | 3012 | speccy64.exe |
| Token: SeShutdownPrivilege | 3012 | speccy64.exe |
| Token: SeCreatePagefilePrivilege | 3012 | speccy64.exe |

- Suspicious use of FindShellTrayWindow (2 IoCs)

| pid | Process |
|---|---|
| 3012 | speccy64.exe |
| 3012 | speccy64.exe |

- Suspicious use of SendNotifyMessage (2 IoCs)

| pid | Process |
|---|---|
| 3012 | speccy64.exe |
| 3012 | speccy64.exe |

- Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
|---|---|
| 3012 | speccy64.exe |
| 3012 | speccy64.exe |

- Suspicious use of WriteProcessMemory (8 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 984 wrote to memory of 3012 | 984 | Speccy.exe | 84 |
| PID 984 wrote to memory of 3012 | 984 | Speccy.exe | 84 |
| PID 3012 wrote to memory of 3448 | 3012 | speccy64.exe | 90 |
| PID 3012 wrote to memory of 3448 | 3012 | speccy64.exe | 90 |
| PID 3012 wrote to memory of 2472 | 3012 | speccy64.exe | 92 |
| PID 3012 wrote to memory of 2472 | 3012 | speccy64.exe | 92 |
| PID 3012 wrote to memory of 884 | 3012 | speccy64.exe | 95 |
| PID 3012 wrote to memory of 884 | 3012 | speccy64.exe | 95 |

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Speccy.exe (PID 984)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Speccy.exe"
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\speccy64.exe (PID 3012)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Speccy.exe"
    Signatures:
    - Enumerates connected drives
    - Remote Services: SMB/Windows Admin Shares
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Java\jre-1.8\bin\java.exe (PID 3448)
      Command line: "C:\Program Files\Java\jre-1.8\bin\java" -version
    - C:\Program Files\Java\jdk-1.8\bin\java.exe (PID 2472)
      Command line: "C:\Program Files\Java\jdk-1.8\bin\java" -version
    - C:\Windows\system32\secedit.exe (PID 884)
      Command line: /export /cfg "C:\Users\Admin\AppData\Local\Temp\spc_se.txt" /quiet /areas SECURITYPOLICY
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 2240)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: a233be01a4ccda6a437f57b9a2c92309
  SHA1: e3339773c30ffc1cc75eee1103ffb6ecb9c43ec4
  SHA256: 4c1e429a300f9be0caccd74af2a62c1a0f8e49956be7dfdb8de40e22c346bf2c
  SHA512: bc90bd898a5bcaa1b185c6497f69f29b83eda7723e46b62eababb1d171e07cd28d356d9290c898f702c330a6d247fbe3f989eb0131ab3536382685133a921349
- Filesize: 12KB
  MD5: 009819c0abc869038a9d184bd7a9b6c7
  SHA1: 3ce497bc1ce7cb35209fd2a8556dabae7ee3adfe
  SHA256: 2fd69eb9a60ae80b0168ff8f4656e5981701f1558bf5707997b1ee9ba35c3185
  SHA512: 3fe0065e16ade01bda35f0c850b6a67cfbd0e3377e7470c67680f2502b76444261f6abc4dbd6ea2822d1a76f3d386c6f7af7aa5bd8f32659d15912428ec7b23d