Overview

Static: score 7

Behavioral tasks (sample, platform: score)
- Speccy.exe, windows7-x64: 1
- Speccy.exe, windows10-2004-x64: 6
- Speccy64.exe, windows7-x64: 6
- Speccy64.exe, windows10-2004-x64: 7
- lang/lang-1026.dll, windows7-x64: 7
- lang/lang-1026.dll, windows10-2004-x64: 1
- lang/lang-1031.dll, windows7-x64: 1
- lang/lang-1031.dll, windows10-2004-x64: 1
- lang/lang-1033.dll, windows7-x64: 1
- lang/lang-1033.dll, windows10-2004-x64: 1
- lang/lang-1034.dll, windows7-x64: 1
- lang/lang-1034.dll, windows10-2004-x64: 1
- lang/lang-1035.dll, windows7-x64: 1
- lang/lang-1035.dll, windows10-2004-x64: 1
- lang/lang-1036.dll, windows7-x64: 1
- lang/lang-1036.dll, windows10-2004-x64: 1
- lang/lang-1037.dll, windows7-x64: 1
- lang/lang-1037.dll, windows10-2004-x64: 1
- lang/lang-1038.dll, windows7-x64: 1
- lang/lang-1038.dll, windows10-2004-x64: 1
- lang/lang-1040.dll, windows7-x64: 1
- lang/lang-1040.dll, windows10-2004-x64: 1
- lang/lang-1041.dll, windows7-x64: 1
- lang/lang-1041.dll, windows10-2004-x64: 1
- lang/lang-1043.dll, windows7-x64: 1
- lang/lang-1043.dll, windows10-2004-x64: 1
- lang/lang-1045.dll, windows7-x64: 1
- lang/lang-1045.dll, windows10-2004-x64: 1
- lang/lang-1046.dll, windows7-x64: 1
- lang/lang-1046.dll, windows10-2004-x64: 1
- lang/lang-1049.dll, windows7-x64: 1
- lang/lang-1049.dll, windows10-2004-x64: 1
Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 23/07/2024, 15:15
Tasks (task id: sample, resource)
- static1: Static task
- behavioral1: Speccy.exe, win7-20240705-en
- behavioral2: Speccy.exe, win10v2004-20240709-en
- behavioral3: Speccy64.exe, win7-20240708-en
- behavioral4: Speccy64.exe, win10v2004-20240709-en
- behavioral5: lang/lang-1026.dll, win7-20240705-en
- behavioral6: lang/lang-1026.dll, win10v2004-20240709-en
- behavioral7: lang/lang-1031.dll, win7-20240708-en
- behavioral8: lang/lang-1031.dll, win10v2004-20240709-en
- behavioral9: lang/lang-1033.dll, win7-20240705-en
- behavioral10: lang/lang-1033.dll, win10v2004-20240709-en
- behavioral11: lang/lang-1034.dll, win7-20240705-en
- behavioral12: lang/lang-1034.dll, win10v2004-20240709-en
- behavioral13: lang/lang-1035.dll, win7-20240704-en
- behavioral14: lang/lang-1035.dll, win10v2004-20240704-en
- behavioral15: lang/lang-1036.dll, win7-20240704-en
- behavioral16: lang/lang-1036.dll, win10v2004-20240709-en
- behavioral17: lang/lang-1037.dll, win7-20240704-en
- behavioral18: lang/lang-1037.dll, win10v2004-20240709-en
- behavioral19: lang/lang-1038.dll, win7-20240704-en
- behavioral20: lang/lang-1038.dll, win10v2004-20240709-en
- behavioral21: lang/lang-1040.dll, win7-20240705-en
- behavioral22: lang/lang-1040.dll, win10v2004-20240709-en
- behavioral23: lang/lang-1041.dll, win7-20240705-en
- behavioral24: lang/lang-1041.dll, win10v2004-20240709-en
- behavioral25: lang/lang-1043.dll, win7-20240704-en
- behavioral26: lang/lang-1043.dll, win10v2004-20240709-en
- behavioral27: lang/lang-1045.dll, win7-20240704-en
- behavioral28: lang/lang-1045.dll, win10v2004-20240709-en
- behavioral29: lang/lang-1046.dll, win7-20240704-en
- behavioral30: lang/lang-1046.dll, win10v2004-20240709-en
- behavioral31: lang/lang-1049.dll, win7-20240704-en
- behavioral32: lang/lang-1049.dll, win10v2004-20240709-en
General
- Target: Speccy64.exe
- Size: 6.8MB
- MD5: ed1feb46b43c4b52b815a7572762ed6d
- SHA1: 0663ded285aeca6e7d95310df20a004034bb3e88
- SHA256: e84fae9f0de05d8c3f67a21f2a10cbb842a75b1fc0eaf075428a934c78dc18cf
- SHA512: 6996b2f8bf0b15ee0f3c4f02f3b06a2f6f995aaa3dd52242e5bf94d783213a91d3d18046cf588b5f00e32a437d82ebb79700d374fc7f74d1fe754198fb04930e
- SSDEEP: 49152:7McPg8d3J5p6nMtHPpun99rNHjRo5xsU1wS5LCbStxqqzPEBKj/SUqUl/kgHmH80:8Ln05xsYAKjSVfCv8+2j2HAJ
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation (process: Speccy64.exe)

Checks whether UAC is enabled (1 IoC)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: Speccy64.exe)

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by Speccy64.exe: \??\E:, \??\K:, \??\N:, \??\O:, \??\P:, \??\U:, \??\Z:, \??\B:, \??\H:, \??\M:, \??\R:, \??\S:, \??\V:, \??\W:, \??\A:, \??\I:, \??\J:, \??\L:, \??\Q:, \??\T:, \??\X:, \??\G:, \??\Y:

Remote Services: SMB/Windows Admin Shares (1 TTP, 1 IoC)
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LanmanServer\Parameters\NullSessionPipes (process: Speccy64.exe)

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PHYSICALDRIVE0 (process: Speccy64.exe)

Drops file in Windows directory (4 IoCs)
- File opened for modification: C:\Windows\setupact.log (process: Speccy64.exe)
- File opened for modification: C:\Windows\setuperr.log (process: Speccy64.exe)
- File opened for modification: C:\Windows\INF\setupapi.app.log (process: Speccy64.exe)
- File opened for modification: C:\Windows\WindowsUpdate.log (process: Speccy64.exe)

Suspicious behavior: EnumeratesProcesses (22 IoCs)
- pid 2984, Speccy64.exe (22 events)

Suspicious behavior: LoadsDriver (1 IoC)
- pid 472, Process not Found

Suspicious use of AdjustPrivilegeToken (11 IoCs)
- Token: SeRestorePrivilege, pid 2984, Speccy64.exe (7 events)
- Token: SeShutdownPrivilege, pid 2984, Speccy64.exe
- Token: SeDebugPrivilege, pid 2984, Speccy64.exe
- Token: SeShutdownPrivilege, pid 2984, Speccy64.exe (2 events)

Suspicious use of FindShellTrayWindow (2 IoCs)
- pid 2984, Speccy64.exe (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
- pid 2984, Speccy64.exe (2 events)

Suspicious use of SetWindowsHookEx (2 IoCs)
- pid 2984, Speccy64.exe (2 events)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 2984 (Speccy64.exe) wrote to memory of PID 2408, procid_target 31 (3 events)
- PID 2984 (Speccy64.exe) wrote to memory of PID 2824, procid_target 33 (3 events)
- PID 2984 (Speccy64.exe) wrote to memory of PID 2596, procid_target 35 (3 events)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Speccy64.exe (PID: 2984)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Speccy64.exe"
  Signatures:
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Remote Services: SMB/Windows Admin Shares
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Program Files\Java\jre7\bin\java.exe (PID: 2408)
      Command line: "C:\Program Files\Java\jre7\bin\java" -version
    C:\Program Files\Java\jdk1.7.0_80\bin\java.exe (PID: 2824)
      Command line: "C:\Program Files\Java\jdk1.7.0_80\bin\java" -version
    C:\Windows\system32\secedit.exe (PID: 2596)
      Command line: /export /cfg "C:\Users\Admin\AppData\Local\Temp\spc_se.txt" /quiet /areas SECURITYPOLICY

C:\Windows\system32\wbem\WmiApSrv.exe (PID: 1960)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe (PID: 304)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 12KB
  MD5: dc505882bcd8807dbe21ff2ba0e48826
  SHA1: 83b732cfe3fa5830779c0a1be554e01deda066d1
  SHA256: dd280e08bfad952f40388b31a2641bf9888f2ace821e39d9bbceac3f487ff134
  SHA512: 4ff9a96ba2a08e249d2cd43bc7d1f8d8f7f378189f5fd9b48ed0079be16ad0e57add876c2a964c69be429935b8f7df9b8f380bfd8a0e35ad4911e8c1cb2453e4