Overview

overview

10

Static

static

3

test/Autoit3.exe

windows7-x64

10

test/Autoit3.exe

windows10-2004-x64

10

test/SafeService.dll

windows7-x64

1

test/SafeService.dll

windows10-2004-x64

1

test/script.a3x

windows7-x64

3

test/script.a3x

windows10-2004-x64

3

Analysis

  • max time kernel
    79s
  • max time network
    67s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/03/2025, 22:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test/Autoit3.exe

  • Size

    872KB

  • MD5

    c56b5f0201a3b3de53e561fe76912bfd

  • SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

  • SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

  • SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • SSDEEP

    12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

Score
10/10
discoveryexecution

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Using AutoIT for possible automate script.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1124
      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2860
    • C:\Users\Admin\AppData\Local\Temp\test\Autoit3.exe
      "C:\Users\Admin\AppData\Local\Temp\test\Autoit3.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1752
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:2128
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://~/appdata
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2272
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:275457 /prefetch:2
          2⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2856
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Users\Admin\AppData\Local\Temp\test\Autoit3.exe
          "C:\Users\Admin\AppData\Local\Temp\test\Autoit3.exe" .\script.a3x
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Command and Scripting Interpreter: AutoIT
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2616
          • \??\c:\windows\SysWOW64\cmd.exe
            "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\baadefe\bffhked
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2668
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic ComputerSystem get domain
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2028

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\baadefe\bffhked
        Filesize

        54B

        MD5

        c8bbad190eaaa9755c8dfb1573984d81

        SHA1

        17ad91294403223fde66f687450545a2bad72af5

        SHA256

        7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

        SHA512

        05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        71KB

        MD5

        83142242e97b8953c386f988aa694e4a

        SHA1

        833ed12fc15b356136dcdd27c61a50f59c5c7d50

        SHA256

        d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

        SHA512

        bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        7280986f0eeb689a247bcd4bc6a4b47d

        SHA1

        2ce43ea87c12e59895e021ca54a24ae8203986f7

        SHA256

        c8faa5d2a4bc5725585ea1caffbc07d4d06c3546f0dafae7ff5b4d7666b54125

        SHA512

        78999b79433b8992d952af0c16d79c1e2a5778dc7f2e19f4344eb406f5836489150554ff6ed0ac71da954524f0a8ed493c426a846b1ec7ebf4fbe55f9d1ef942

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        6cc0e2d2514416e2fc26d8b66a7859db

        SHA1

        93d076bc4d6f7736996d3eb94c8f7c810542adba

        SHA256

        680c7d844115780a65d7db2655606f1f2b5f58558bd8d6c0a97aeeec8b955866

        SHA512

        8eaf8ebc8117d0ecc9999e6b44aa22f3f006e8bde0bad95ac31008a5c723739b95ce826242c4a1b29c67ba34f4aba895cfa287940167f841b7abfe42ee492c75

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        ec0578b4446c10fa45054525dab2aa5b

        SHA1

        625adbfa84bd4b1f026f73f695f7fb4e5fd23dbc

        SHA256

        81fb00950538c312b71d85fdd6c6142313598c7ebe55aa717bdb4bec58052f31

        SHA512

        541a56556bde0ba0dd08d1441a4cc2813c6bd13f4bb03c29388af82c7175d458470e42224cc66458fea19da27c2590b4d1443bcef42bad059c47a2df276ea341

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        d5d8d4cc84eddb0693d071a2a79d66a9

        SHA1

        85b38b9bfc109bf9f5d8c7d6f626ccf15f63f398

        SHA256

        4c58de4c7d652e9e3da8654ba21d637495f77c483e730172805fb956865a9e12

        SHA512

        622fa2a99b136d3b10222ad671193f4fad096ea32401011189abfc128699efa48aa450e7a7fcac391f52e11245df733b3ecdb6b14c43a1fd83be7ffe2b3b72ed

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        ef8806e3642e08bde11148165993c2fa

        SHA1

        42dce0b505b0560d37fbcf03ac8cd812f66aec26

        SHA256

        6f804576597fdc20f7ea7c445645fe1bb4558b52409c2a3c92da1f787b2a71ac

        SHA512

        a2d617661f1388fed3f0e332316df5c97962aae8a916bf68479b02621448b2c85e1218a4e0cf303c396021be4fa8ef688f797ebcbef43e5b009487aea78867bc

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        769b4a39efe0355da96a2d4ef420a8a0

        SHA1

        7b3a2036b18e66d22a799cd458fc1f37ac2be3f8

        SHA256

        62b236a06a90893cd62c7b7615d9fefc4ca9a6c1e6e97ea7734f147dd158cd16

        SHA512

        2c96a83b8c34023255db71bea9a96c08f7f547a4f4e6db38a2ae435d5cd397bca62c866aee4954f53357f65f06517e3163f2efa6e5c3299c3754470ccebc62ae

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        2bd8b82806b2632a85e5fa4795968f42

        SHA1

        7cec2656c4371236caf4ab5719bb1780df9e5e07

        SHA256

        85141d6f6878236a3302ba35f68c0d9203068e32eed6ac40240fc941118c2c28

        SHA512

        18891fb5d03a4ef02828d85bb5dca443da4eaec4241aefb0a9eeb41f835854573168d4aed254290ff8982d551a31094ae7f9f3ef3762111e1eab89bee2b174a1

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        11d87ed72e6eb9dd9a85c3db91311d9c

        SHA1

        44d0ff2fa3aece8ffe948554877ce93146f013e0

        SHA256

        d0b54880d6135b6279c988efcfa26a1cd467cbb38835464e3e1797fbb623d0ee

        SHA512

        7bf549e31ad20312367ddb16c1b4d8fd00e370e860b5baecd9e725a9471df296effe520f14abbda3d8c5d8d0cf25c0c2139f6c9b9369b6642d95beaa4e82da5e

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        83a84e6fae1f8e3299146f746b9c919d

        SHA1

        f29a281e3a53bb3c34b12b5c6e59b4d776a519db

        SHA256

        1128ad378f6fcc2370e06daa1a3ff8a41bfee23e0c8eb3a26550b5035d65b0af

        SHA512

        3f860b74b516780243d571740140414b5b23643b3c077427a66dc38737203d753b40f1d7d57449a9ff4b3e008854a59c1050329114af4d43446cd7ecc7ff6811

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Cab2732.tmp
        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Tar2852.tmp
        Filesize

        183KB

        MD5

        109cab5505f5e065b63d01361467a83b

        SHA1

        4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

        SHA256

        ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

        SHA512

        753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

        Download Submit

      • C:\Users\Admin\AppData\Roaming\fFeHfAa
        Filesize

        32B

        MD5

        87cb447289e9ae7a147fa223b169bdbc

        SHA1

        090116ed1fad2e7c4e73eb5145d084e2cafc91cf

        SHA256

        e199842fa9e3bda3b7a0c95ec0a3a368ad20b63743832c27fe8d4cc87fe24ef8

        SHA512

        9e14ca49889eeff6365e491c299bea416b07c7154f02da7bdc6040afe77b4c519a416bffeb7d49957896c26005dd33668c9aa7240ae26e58b6cda0f14c79a8b1

        Download Submit

      • C:\temp\bcfhfff
        Filesize

        4B

        MD5

        0594b592c2e70286087fb4eb92e56d7d

        SHA1

        f51f0d9e1367effb67fe23ef1c3a62e040197909

        SHA256

        75440c260e9fc84fbaf5d0d77589c8d4f529981c5a022796564c9a30fc64366f

        SHA512

        8b92b5375a36b0f62783ae47996a51213018d541499f4be98fb0287a0dc336e4e423cd25e820515cf4089f870e243adaad3992847f3f9161c47f263d20917dab

        Download Submit

      • memory/1752-0-0x0000000004CA0000-0x0000000004CA2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2004-483-0x000000001B650000-0x000000001B932000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2004-484-0x00000000027E0000-0x00000000027E8000-memory.dmp

        Filesize

        32KB

        Download