Analysis
max time kernel: 117s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240910-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/09/2024, 20:46
Static task: static1
Behavioral task: behavioral1
  Sample: ef57a4d074b6e37051ce9317cc2d06f0N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: ef57a4d074b6e37051ce9317cc2d06f0N.exe
  Resource: win10v2004-20240910-en
General
Target: ef57a4d074b6e37051ce9317cc2d06f0N.exe
Size: 82KB
MD5: ef57a4d074b6e37051ce9317cc2d06f0
SHA1: d0a9697d4f48c0387b5e73d1d3bf3400a88d172f
SHA256: 1bdf993e05d10e0e18dbacda4135f247600802acd2800fc712f179146660584b
SHA512: 86b3654e3c63d647e81d05f335b18185826b02dd5a4b3a00cf60b1a56f3c58a38b957c419137d86c414b05477485f6dcc4d191656692755c0b7b35c68780d4e3
SSDEEP: 768:rZVy+DZ4mV+RMO2rhgFwuqCbxTGy/BBGg4NKhLU4dhbDW2+Kv00dX0vN0TlT+Xy5:Bamlu3hbBGy3G8nhMpHKvw816C
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | scaa.exe |

Executes dropped EXE (1 IoCs)

| pid | Process |
| --- | --- |
| 3760 | scaa.exe |

Modifies system executable filetype association (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | scaa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | ef57a4d074b6e37051ce9317cc2d06f0N.exe |

Adds Run key to start application (2 TTPs, 1 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm" | scaa.exe |
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

File opened (read-only) by scaa.exe, one IoC per drive letter: \??\M:, \??\V:, \??\E:, \??\H:, \??\J:, \??\K:, \??\L:, \??\O:, \??\P:, \??\S:, \??\B:, \??\Y:, \??\U:, \??\T:, \??\X:, \??\N:, \??\I:, \??\Q:, \??\R:, \??\W:, \??\Z:, \??\G:

Drops file in System32 directory (6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | \??\c:\windows\SysWOW64\maxtrox.txt | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| File created | \??\c:\windows\SysWOW64\Windows 3D.scr | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| File opened for modification | \??\c:\windows\SysWOW64\maxtrox.txt | scaa.exe |
| File opened for modification | \??\c:\windows\SysWOW64\Windows 3D.scr | scaa.exe |
| File created | \??\c:\windows\SysWOW64\Desktop.sysm | scaa.exe |
| File created | \??\c:\windows\SysWOW64\CommandPrompt.Sysm | scaa.exe |

Drops file in Program Files directory (27 IoCs)

File opened for modification by scaa.exe:
- \??\c:\Program Files\Windows Media Player\wmprph.exe
- \??\c:\Program Files\Windows Media Player\wmpconfig.exe
- \??\c:\Program Files\Mozilla Firefox\firefox.exe
- \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe
- \??\c:\Program Files\Mozilla Firefox\private_browsing.exe
- \??\c:\Program Files\Internet Explorer\iexplore.exe
- \??\c:\Program Files\Internet Explorer\ieinstal.exe
- \??\c:\Program Files\Mozilla Firefox\updater.exe
- \??\c:\Program Files\Windows Media Player\setup_wm.exe
- \??\c:\Program Files\Windows Media Player\wmlaunch.exe
- \??\c:\Program Files\Windows Media Player\wmpnetwk.exe
- \??\c:\Program Files\7-Zip\Uninstall.exe
- \??\c:\Program Files\Windows Media Player\wmpshare.exe
- \??\c:\Program Files\Internet Explorer\iediagcmd.exe
- \??\c:\Program Files\Internet Explorer\ielowutil.exe
- \??\c:\Program Files\Mozilla Firefox\crashreporter.exe
- \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
- \??\c:\Program Files\7-Zip\7zG.exe
- \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe
- \??\c:\Program Files\Mozilla Firefox\pingsender.exe
- \??\c:\Program Files\Mozilla Firefox\plugin-container.exe
- \??\c:\Program Files\7-Zip\7z.exe
- \??\c:\Program Files\7-Zip\7zFM.exe
- \??\c:\Program Files\Windows Mail\wabmig.exe
- \??\c:\Program Files\Windows Media Player\wmplayer.exe
- \??\c:\Program Files\Windows Media Player\wmpnscfg.exe
- \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | scaa.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
Modifies registry class (36 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | scaa.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command | scaa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon | scaa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" | scaa.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" | scaa.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command | scaa.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm | scaa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | scaa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd | scaa.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon | scaa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" | scaa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" | scaa.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" | scaa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt | scaa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" | scaa.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt | scaa.exe |

Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
| --- | --- |
| 2248 | ef57a4d074b6e37051ce9317cc2d06f0N.exe |
| 3760 | scaa.exe |

Suspicious use of WriteProcessMemory (3 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2248 wrote to memory of 3760 | 2248 | ef57a4d074b6e37051ce9317cc2d06f0N.exe | 85 |
| PID 2248 wrote to memory of 3760 | 2248 | ef57a4d074b6e37051ce9317cc2d06f0N.exe | 85 |
| PID 2248 wrote to memory of 3760 | 2248 | ef57a4d074b6e37051ce9317cc2d06f0N.exe | 85 |
Processes
1. C:\Users\Admin\AppData\Local\Temp\ef57a4d074b6e37051ce9317cc2d06f0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ef57a4d074b6e37051ce9317cc2d06f0N.exe"
   - Modifies visibility of file extensions in Explorer
   - Modifies system executable filetype association
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2248
   2. \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe (child of PID 2248)
      Command line: "c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe" ef57a4d074b6e37051ce9317cc2d06f0N
      - Modifies visibility of file extensions in Explorer
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      PID: 3760
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Modify Registry (3)
Downloads

Filesize: 82KB
MD5: 54221861a485666acdc1f50abc7695c6
SHA1: 256f7c6f8a0bc717c84b683dfd57887c602ea049
SHA256: f8c83464071770b4253f42a3a9adadc26eb60162b2f95fa74fcf698f8cfdf4c9
SHA512: ab7399353f181411c23ea71d844ebb9e789e6d26ec88dcecc95c911ac738b01f1c842a6f0a7ff225aabbbf754d0fcf27a27430cfd95209765390017b624c5e9e

Filesize: 82KB
MD5: fa796eb44a6a4a4d0dde400abc6610a9
SHA1: 3468b25f951537a147d00590a2829b0e6eb86d97
SHA256: 341cf0740f3dc0ccd6ab647631b7ea0e9263db5f086113e7fdbfdb4549b9d553
SHA512: 578ae0cbda320183e0aa207af1ae24349eb85a8dda3a698fee76903cba1c5b77e4d1f5a1a1eefd968f864ec0fc43a9ef2a12996bb2808b629c505fb3ca9ee3f0

Filesize: 8B
MD5: 24865ca220aa1936cbac0a57685217c5
SHA1: 37f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256: 841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512: c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062