7c7006f806e0b360bebc42c8e7d75507afbcd0569f153adc0cf06f5a35e2c1b3

Analysis

max time kernel
36s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe
Size

248KB
MD5

0bfd40449c1de10ddaa4d9a85e01b32c
SHA1

6717435249b4c5a75c34f4d9584d3f42b45eb6cc
SHA256

7c7006f806e0b360bebc42c8e7d75507afbcd0569f153adc0cf06f5a35e2c1b3
SHA512

ff3331152209921783969033ea04967d17d95d30a90001140b94e4773dcf411b1395a9cbef810e047230f41bcdde6222492001f3826fcc445a3f94926a3c7ab6

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.execmd.exe

description	pid	process	target process
PID 656 wrote to memory of 192	656	SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe	cmd.exe
PID 656 wrote to memory of 192	656	SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe	cmd.exe
PID 656 wrote to memory of 192	656	SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe	cmd.exe
PID 192 wrote to memory of 2120	192	cmd.exe	attrib.exe
PID 192 wrote to memory of 2120	192	cmd.exe	attrib.exe
PID 192 wrote to memory of 2120	192	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2120 attrib.exe

pid	process
2120	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\259315140.bat" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:192

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Downloader.Generic14.CHCV.9257.1895.exe"
3⤵
- Views/modifies file attributes
PID:2120

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259315140.bat
MD5
8e64b58b53fc71e37badecfd56d87e8c

SHA1
4a0c7a2e97b400465eb93f0eadb126c51b0d45b6

SHA256
3cda23cff4fa3288324a2bf298524a4e3070e3dee3a5f41b85902b38ab297721

SHA512
a632ba4715221f6cfe1488142853fa8bae4f6664d6dd54a82d9304d977683c5ae560341df867b04902dc8fa120fdb87f54b2411a80f1620eadf1a2047fe0c563

Download Submit
memory/192-0-0x0000000000000000-mapping.dmp

Download
memory/2120-2-0x0000000000000000-mapping.dmp

Download