929adcf731e730ee1251eeef8513fd774b1357c1c3e1da4d287722ed778434f9

Analysis

max time kernel
72s
max time network
197s
platform
windows10_x64
resource
win10-en-20210920
submitted
20-10-2021 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Size

7.0MB
MD5

4e99a8966d8a05dd8f7032620d9a7a38
SHA1

285494be0f47a105a773b0acf49418f2c5f2d84a
SHA256

36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0
SHA512

832a3f298124a22b5afdde372e6e8bae4e0528760888fb5eac2b17a1bc555690a6f064420cc5f6633a1cac4633eb615577b6d93821faa389bef9e2e616f5a025

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe

Modifies registry class 6 IoCs

Processes:

36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\ = "WalletFactory"	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\AppID = "{2EA38040-0B9C-4379-87FD-4D38BB892F37}"	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\InProcServer32	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\InProcServer32\ = "C:\\Windows\\SysWOW64\\WalletProxy.dll"	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\InProcServer32\ThreadingModel = "Both"	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe

description	pid	process
Token: 33	3800	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Token: SeIncBasePriorityPrivilege	3800	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Token: SeDebugPrivilege	3800	36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe

C:\Users\Admin\AppData\Local\Temp\36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
"C:\Users\Admin\AppData\Local\Temp\36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe"
1⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3800-118-0x0000000003590000-0x0000000003689000-memory.dmp

Filesize
996KB

Download
memory/3800-122-0x0000000000400000-0x0000000001762000-memory.dmp

Filesize
19.4MB

Download
memory/3800-123-0x0000000000400000-0x0000000001762000-memory.dmp

Filesize
19.4MB

Download
memory/3800-124-0x0000000000400000-0x0000000001762000-memory.dmp

Filesize
19.4MB

Download
memory/3800-125-0x0000000001B00000-0x0000000001B20000-memory.dmp

Filesize
128KB

Download
memory/3800-126-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download