7c7006f806e0b360bebc42c8e7d75507afbcd0569f153adc0cf06f5a35e2c1b3

General

Target

SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe
Size

248KB
MD5

0bfd40449c1de10ddaa4d9a85e01b32c
SHA1

6717435249b4c5a75c34f4d9584d3f42b45eb6cc
SHA256

7c7006f806e0b360bebc42c8e7d75507afbcd0569f153adc0cf06f5a35e2c1b3
SHA512

ff3331152209921783969033ea04967d17d95d30a90001140b94e4773dcf411b1395a9cbef810e047230f41bcdde6222492001f3826fcc445a3f94926a3c7ab6

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1660 cmd.exe

pid	process
1660	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 1660	2036	SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe	cmd.exe
PID 2036 wrote to memory of 1660	2036	SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe	cmd.exe
PID 2036 wrote to memory of 1660	2036	SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe	cmd.exe
PID 2036 wrote to memory of 1660	2036	SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe	cmd.exe
PID 1660 wrote to memory of 1652	1660	cmd.exe	attrib.exe
PID 1660 wrote to memory of 1652	1660	cmd.exe	attrib.exe
PID 1660 wrote to memory of 1652	1660	cmd.exe	attrib.exe
PID 1660 wrote to memory of 1652	1660	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1652 attrib.exe

pid	process
1652	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259295689.bat" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe"
3⤵
- Views/modifies file attributes
PID:1652

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259295689.bat
MD5
0bf80c5440e3555c4ab125d93d210028

SHA1
4df44ffc0e62d2f2a7e28c08b9b626914a5acaa8

SHA256
8518a46c1533e5ba6336573d4ffdbb2c43bbd737ec9ffe20fe89e4215a926961

SHA512
17663910064b08751ec53af2d6a7ab4c7f4fe4fd0b25b9713d29c4ba31a497dfa9034f44240c0a44652bf701e57e3868d0bc6661d29e9c87cd26c15e0cc71d13

Download Submit
memory/1652-2-0x0000000000000000-mapping.dmp

Download
memory/1660-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing