929adcf731e730ee1251eeef8513fd774b1357c1c3e1da4d287722ed778434f9

Analysis

max time kernel
24s
max time network
121s
platform
windows7_x64
resource
win7-en-20210920
submitted
20-10-2021 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Size

7.0MB
MD5

4e99a8966d8a05dd8f7032620d9a7a38
SHA1

285494be0f47a105a773b0acf49418f2c5f2d84a
SHA256

36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0
SHA512

832a3f298124a22b5afdde372e6e8bae4e0528760888fb5eac2b17a1bc555690a6f064420cc5f6633a1cac4633eb615577b6d93821faa389bef9e2e616f5a025

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe

Modifies registry class 21 IoCs

Processes:

36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\AuxUserType\3	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\AuxUserType\3\ = "Microsoft Excel"	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\Insertable	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\NotInsertable	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\NotInsertable\	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\ProgID\ = "Excel.Sheet.5"	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\TreatAs	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\AuxUserType\2	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\AuxUserType	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\Insertable\	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\TreatAs\ = "{00020820-0000-0000-C000-000000000046}"	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\AutoConvertTo\ = "{00020820-0000-0000-C000-000000000046}"	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\AuxUserType\2\ = "Worksheet"	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\ProgID	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\ = "Microsoft Excel 95 Worksheet"	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\AutoConvertTo	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\DefaultIcon	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\DefaultIcon\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE,1"	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\PersistentHandler	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe

description	pid	process
Token: 33	1596	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Token: SeIncBasePriorityPrivilege	1596	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Token: SeDebugPrivilege	1596	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe

C:\Users\Admin\AppData\Local\Temp\36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
"C:\Users\Admin\AppData\Local\Temp\36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe"
1⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1596-55-0x00000000032F0000-0x00000000033E9000-memory.dmp

Filesize
996KB

Download
memory/1596-59-0x0000000000400000-0x0000000001762000-memory.dmp

Filesize
19.4MB

Download
memory/1596-60-0x0000000000400000-0x0000000001762000-memory.dmp

Filesize
19.4MB

Download
memory/1596-61-0x0000000000400000-0x0000000001762000-memory.dmp

Filesize
19.4MB

Download
memory/1596-62-0x0000000003800000-0x0000000003820000-memory.dmp

Filesize
128KB

Download
memory/1596-63-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download