6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe

Analysis

max time kernel
117s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/11/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Size

76KB
MD5

3c052f2a11337af28ec200097917d377
SHA1

6dbe8a3e9866bf60167c9319ead4033b96e30789
SHA256

6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe
SHA512

497bad33ff9ecc69eeaece52184ac3a5bd1a1366b06c42daf8134c21873eba75d26b87e65f4cac3a72d4257703f29e5d43a0517bd4534fc393dde35f9db796eb
SSDEEP

768:zZVy+DZ4mV+RMO2rhgFwuqCbxTGy/BBGg4NKhLU4dhbDW2+Kv00dX0vN0TlT+Xyo:Jamlu3hbBGy3G8nhMpj

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	asct.exe

Executes dropped EXE 1 IoCs

pid	Process
2788	asct.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
2708	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	asct.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	asct.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	asct.exe
File opened (read-only)	\??\O:	asct.exe
File opened (read-only)	\??\Q:	asct.exe
File opened (read-only)	\??\W:	asct.exe
File opened (read-only)	\??\Z:	asct.exe
File opened (read-only)	\??\E:	asct.exe
File opened (read-only)	\??\L:	asct.exe
File opened (read-only)	\??\M:	asct.exe
File opened (read-only)	\??\U:	asct.exe
File opened (read-only)	\??\V:	asct.exe
File opened (read-only)	\??\X:	asct.exe
File opened (read-only)	\??\B:	asct.exe
File opened (read-only)	\??\I:	asct.exe
File opened (read-only)	\??\T:	asct.exe
File opened (read-only)	\??\P:	asct.exe
File opened (read-only)	\??\R:	asct.exe
File opened (read-only)	\??\Y:	asct.exe
File opened (read-only)	\??\G:	asct.exe
File opened (read-only)	\??\H:	asct.exe
File opened (read-only)	\??\K:	asct.exe
File opened (read-only)	\??\J:	asct.exe
File opened (read-only)	\??\S:	asct.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	asct.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	asct.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	asct.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	asct.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	asct.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	asct.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	asct.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	asct.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\private_browsing.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	asct.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	asct.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	asct.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	asct.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	asct.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	asct.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	asct.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	asct.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	asct.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	asct.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	asct.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	asct.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	asct.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	asct.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	asct.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asct.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	asct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	asct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	asct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	asct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	asct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	asct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	asct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	asct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	asct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	asct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	asct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	asct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	asct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	asct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	asct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	asct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2708	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
2788	asct.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2788	2708	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe	30
PID 2708 wrote to memory of 2788	2708	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe	30
PID 2708 wrote to memory of 2788	2708	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe	30
PID 2708 wrote to memory of 2788	2708	6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe	30

C:\Users\Admin\AppData\Local\Temp\6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe
"C:\Users\Admin\AppData\Local\Temp\6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708
- \??\c:\Documents and Settings\Admin\Application Data\Microsoft\asct.exe
  "c:\Documents and Settings\Admin\Application Data\Microsoft\asct.exe" 6c71ee7f6920531d7d5a29dab191f7196a135ffd558106193c18e1155c851abe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\asct.exe

Filesize
76KB

MD5
8d8351c6145804643b7d546708d9f1f2

SHA1
9b2dfa0a095effaff1f8a326b5529c410369c6ec

SHA256
8d2040e637878bdef68f5caa99e3a8b843de40e8349d538d011f6c94006a017c

SHA512
ccd375d604d6d4ec3bdb9ad1822515cda5138607b9b30c1d0aa32d6d7cc890614f4c5d995bf982213b9a2fd7e94f33535203e67c03e6e6a3b78acdb2b4c85e90

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads