Analysis
-
max time kernel
117s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
04-09-2024 23:37
Static task
static1
Behavioral task
behavioral1
Sample
6be493e835b83fa3fe2e7f48b6f25240N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
6be493e835b83fa3fe2e7f48b6f25240N.exe
Resource
win10v2004-20240802-en
General
-
Target
6be493e835b83fa3fe2e7f48b6f25240N.exe
-
Size
76KB
-
MD5
6be493e835b83fa3fe2e7f48b6f25240
-
SHA1
ab3a27144f20de62e1d384cdd3c7011e4d4a200f
-
SHA256
f10b8dc92701fd7b508a48e41ba420299ebfc1bf9d93d5e931c8ae094787d715
-
SHA512
7cf022915904af0ee475f3989f15a5d0b92e908b64f01fad3d467e93288c71c93ba50a3f28094800e441cd91df7f0614f446e92c15e851d27b83b20ac746c881
-
SSDEEP
768:ie8bNRqsuhlGOBnhgFwumSCbxTGy/BBGg4NKJJKqUThbJ32+ve7i40vN0TlT+XkE:mnqJu3abBGy3G8V0iuoct
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | auxa.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | auxa.exe
-
Executes dropped EXE 1 IoCs
pid | Process
3232 | auxa.exe
-
Modifies system executable filetype association 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | auxa.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm" | auxa.exe
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (22 drive roots, one event each) | auxa.exe
-
Drops file in System32 directory 6 IoCs
description | ioc | Process
File created | \??\c:\windows\SysWOW64\maxtrox.txt | 6be493e835b83fa3fe2e7f48b6f25240N.exe
File created | \??\c:\windows\SysWOW64\Windows 3D.scr | 6be493e835b83fa3fe2e7f48b6f25240N.exe
File opened for modification | \??\c:\windows\SysWOW64\maxtrox.txt | auxa.exe
File opened for modification | \??\c:\windows\SysWOW64\Windows 3D.scr | auxa.exe
File created | \??\c:\windows\SysWOW64\Desktop.sysm | auxa.exe
File created | \??\c:\windows\SysWOW64\CommandPrompt.Sysm | auxa.exe
-
Drops file in Program Files directory 27 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Internet Explorer\ielowutil.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Internet Explorer\iediagcmd.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Internet Explorer\iexplore.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Internet Explorer\ieinstal.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\wmpconfig.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\wmpnetwk.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\wmprph.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\setup_wm.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\wmpnscfg.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\wmlaunch.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\wmpshare.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\wmplayer.exe | auxa.exe
File opened for modification | \??\c:\Program Files\7-Zip\7zFM.exe | auxa.exe
File opened for modification | \??\c:\Program Files\7-Zip\7z.exe | auxa.exe
File opened for modification | \??\c:\Program Files\7-Zip\7zG.exe | auxa.exe
File opened for modification | \??\c:\Program Files\7-Zip\Uninstall.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\pingsender.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\private_browsing.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\firefox.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\updater.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\crashreporter.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\plugin-container.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | auxa.exe
File opened for modification | \??\c:\Program Files\Windows Mail\wabmig.exe | auxa.exe
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | auxa.exe
-
Modifies registry class 36 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | 6be493e835b83fa3fe2e7f48b6f25240N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm | auxa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command | auxa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon | auxa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" | auxa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt | auxa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" | auxa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" | auxa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd | auxa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command | auxa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon | auxa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" | auxa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt | auxa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" | auxa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" | auxa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | auxa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | auxa.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4488 | 6be493e835b83fa3fe2e7f48b6f25240N.exe
3232 | auxa.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 4488 wrote to memory of 3232 | 4488 | 6be493e835b83fa3fe2e7f48b6f25240N.exe | 84
PID 4488 wrote to memory of 3232 | 4488 | 6be493e835b83fa3fe2e7f48b6f25240N.exe | 84
PID 4488 wrote to memory of 3232 | 4488 | 6be493e835b83fa3fe2e7f48b6f25240N.exe | 84
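The signatures above reduce to a small set of registry and file indicators: Explorer is told to hide extensions and super-hidden files, exefile and the new .sysm/.Msd classes get NeverShowExt, those classes get an open command of just "%1" (the file is executed as itself), a Run value under WOW6432Node points at Desktop.sysm, and the artifacts land in SysWOW64. The following detection logic, added here as an example and not part of the sandbox report or the sample, runs these checks over an event stream and correlates the Run value with the self-executing class it relies on. The event schema (type/image/target/details/action) is constructed for this example and only loosely follows Sysmon's field names; the sample events are constructed to mirror the report's IoCs. Two caveats are built in: the 32-bit process wrote "system32" in the Run value while the file was created in SysWOW64 (WOW64 file-system redirection), so both directories are matched, and the sandbox's "\REGISTRY\MACHINE" spelling and Sysmon's "HKLM" are folded to one form.

```python
"""Detection rules for the registry and file IoCs in the signatures above.
Added example; not the report's, the sandbox vendor's, or the sample's code.
Event schema and sample events are constructed for this example."""
import re

def normalize_key(path):
    # Fold \REGISTRY\MACHINE / \REGISTRY\USER\<SID> (sandbox) and HKLM / HKU\<SID>
    # (Sysmon) to one lowercase form; drop the default-value suffix in either style.
    p = path.lower()
    p = re.sub(r"^\\registry\\machine|^hkey_local_machine", "hklm", p)
    p = re.sub(r"^\\registry\\user|^hkey_users", "hku", p)
    p = re.sub(r"\\\(default\)$", "", p)
    return p.rstrip("\\")

def parse_int(data):
    # Accept the sandbox's bare "1" and Sysmon's "DWORD (0x00000001)"; None otherwise.
    m = re.fullmatch(r"\s*(?:dword\s*\((0x[0-9a-f]+)\)|(\d+))\s*", data.lower())
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))

CLASSES = r"^hklm\\software\\(?:wow6432node\\)?classes\\"
ADVANCED = r"^hku\\[^\\]+\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\"
# (rule id, ATT&CK technique, key regex, predicate over the value data)
REGISTRY_RULES = [
    ("explorer_hide_file_ext", "T1564.001", re.compile(ADVANCED + r"hidefileext$"), lambda d: parse_int(d) == 1),
    ("explorer_hide_super_hidden", "T1564.001", re.compile(ADVANCED + r"showsuperhidden$"), lambda d: parse_int(d) == 0),
    ("never_show_ext", "T1564.001", re.compile(CLASSES + r"(?:exefile|\.[^\\]+)\\nevershowext$"), lambda d: True),
    # A file class whose open command is only "%1": double-clicking runs the file as-is.
    ("file_class_executes_self", "T1546.001", re.compile(CLASSES + r"\.[^\\]+\\shell\\open\\command$"),
     lambda d: d.strip().strip('"') == "%1"),
    ("run_key_set", "T1547.001",
     re.compile(r"^hklm\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\[^\\]+$"), lambda d: True),
]
# Names the report shows created in the system directory; system32 and SysWOW64 both match.
DROPPED_NAMES = {"desktop.sysm", "commandprompt.sysm", "maxtrox.txt", "windows 3d.scr"}

def match_registry(ev):
    key, data = normalize_key(ev["target"]), ev.get("details", "")
    return [(rid, tech) for rid, tech, rx, pred in REGISTRY_RULES if rx.search(key) and pred(data)]

def match_file(ev):
    path = re.sub(r"^\\\?\?\\", "", ev["target"].lower())  # strip the NT \??\ prefix
    folder, _, name = path.rpartition("\\")
    hits = []
    if re.search(r"\\windows\\(?:system32|syswow64)$", folder) and name in DROPPED_NAMES:
        hits.append(("dropped_system_dir_artifact", None))
    # Heuristic (not one of the report's signatures): a process running from the user
    # profile rewriting existing executables under Program Files.
    if ("\\program files" in folder and name.endswith(".exe") and ev.get("action") == "modify"
            and re.search(r"\\(?:appdata|application data)\\", ev["image"].lower())):
        hits.append(("program_files_exe_rewritten_from_profile", None))
    return hits

def scan(events):
    """Per-rule hits, plus a correlated finding: a Run value whose payload extension
    was registered as a self-executing class anywhere in the same stream."""
    hits, self_exec_exts, run_values = [], set(), []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1]
        if ev["type"] == "registry":
            for rid, tech in match_registry(ev):
                hits.append((rid, tech, image, ev["target"]))
                if rid == "file_class_executes_self":
                    self_exec_exts.add(re.search(r"\\\.([^\\]+)\\shell", normalize_key(ev["target"])).group(1))
                elif rid == "run_key_set":
                    run_values.append((image, ev.get("details", "")))
        elif ev["type"] == "file":
            for rid, tech in match_file(ev):
                hits.append((rid, tech, image, ev["target"]))
    correlated = []
    for image, data in run_values:
        m = re.search(r"\.([a-z0-9]+)\"?\s*$", data.lower())
        if m and m.group(1) in self_exec_exts:
            correlated.append(("run_key_points_to_self_executing_class", "T1547.001", image, data))
    return {"hits": hits, "correlated": correlated}

# Constructed sample events mirroring the report's IoCs, plus one benign Run entry as a control.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\6be493e835b83fa3fe2e7f48b6f25240N.exe"
AUXA = r"c:\Documents and Settings\Admin\Application Data\Microsoft\auxa.exe"
SID = "S-1-5-21-656926755-4116854191-210765258-1000"
SAMPLE_EVENTS = [
    {"type": "registry", "image": DROPPER, "details": "1",
     "target": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt"},
    {"type": "registry", "image": AUXA, "details": "DWORD (0x00000000)",
     "target": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"},
    {"type": "registry", "image": DROPPER, "details": "", "target": r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt"},
    {"type": "registry", "image": AUXA, "details": r"c:\windows\system32\Desktop.sysm",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle"},
    {"type": "registry", "image": DROPPER, "details": '"%1"',
     "target": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.sysm\\Shell\\Open\\Command\\"},  # trailing \ = default value
    {"type": "registry", "image": AUXA, "details": "%1", "target": r"HKLM\SOFTWARE\Classes\.Msd\shell\open\command\(Default)"},
    {"type": "file", "action": "create", "image": AUXA, "target": r"\??\c:\windows\SysWOW64\Desktop.sysm"},
    {"type": "file", "action": "modify", "image": AUXA, "target": r"\??\c:\Program Files\7-Zip\7z.exe"},
    {"type": "registry", "image": r"C:\Windows\explorer.exe", "details": r"C:\Windows\system32\SecurityHealthSystray.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"},
]

if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for row in result["hits"] + result["correlated"]:
        print(*row, sep=" | ")
```

The Run-key rule on its own is noisy (every installer sets one); the correlation is what turns it into a finding here, because a Run value whose target extension maps to a freshly registered "%1" class is the pattern this sample uses to launch Desktop.sysm without a recognisable executable extension. Keep the heuristic Program Files rule separate from the report-backed rules when tuning.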
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\6be493e835b83fa3fe2e7f48b6f25240N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6be493e835b83fa3fe2e7f48b6f25240N.exe"
Depth 1
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Modifies system executable filetype association
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4488 -
Image: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\auxa.exe
Command line: "c:\Documents and Settings\Admin\Application Data\Microsoft\auxa.exe" 6be493e835b83fa3fe2e7f48b6f25240N
Depth 2 (child of PID 4488)
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3232
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Event Triggered Execution 1
Change Default File Association 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Event Triggered Execution 1
Change Default File Association 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Modify Registry 4
Downloads
-
Filesize
76KB
MD5 59b268f80824c51d6501091560356c54
SHA1 765138e38978fbfb64c5e591fa10bf9a06a3d94e
SHA256 192f728af2a9aa5984d084fbe1f49d315d13e378694a4b01bd8aed3035fee153
SHA512 b9ebc0fbde9e515a3ea3dfd43c7ca59e3ff7cbe2c70cf6323fe94cbc82d8ae9b0754d9ac56064d0bbd9a084d6cada3e7874362e99461ac97992bb209ffa494ca
-
Filesize
76KB
MD5 eeb307d58e5a86f344f0981f5fcec2e6
SHA1 175458feaa3474f582526b15a8404fab1e94582f
SHA256 5f21c492b47a4f26df20af3ad721c3f1b0fe7d07d3960b7ca23abd5726d4ea22
SHA512 fac31d9ff15111650f1473c403bcddf6ee3f9e1a0877b7cb009aeb77194b65cc5c3b94f3574de07da385e172036108e4b0e85610f30b15fc4c41987662cf2b7f
-
Filesize
8B
MD5 24865ca220aa1936cbac0a57685217c5
SHA1 37f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256 841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512 c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062