929adcf731e730ee1251eeef8513fd774b1357c1c3e1da4d287722ed778434f9

Analysis

max time kernel
66s
max time network
175s
platform
windows10_x64
resource
win10-en-20210920
submitted
20-10-2021 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe
Size

7.0MB
MD5

d910657c1650393b1cfde998c574f413
SHA1

794bea89515536401aa7af5f48af11c5e7a7fc71
SHA256

10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41
SHA512

62dc606f624456cf7fb5c2c2b81b9ab9ee53239ca9182ef4e354f3b15ae8178dcf862395ba4c3bcd62963358dd8409eedc414bddfb83b3ff233c3991baceca42

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe

Modifies registry class 5 IoCs

Processes:

10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}	10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\ = "PSTypeInfo"	10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\InprocServer32	10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\InprocServer32\ = "C:\\Windows\\SysWOW64\\oleaut32.dll"	10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\InprocServer32\ThreadingModel = "Both"	10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe

description	pid	process
Token: 33	2440	10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe
Token: SeIncBasePriorityPrivilege	2440	10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe
Token: SeDebugPrivilege	2440	10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe

C:\Users\Admin\AppData\Local\Temp\10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe
"C:\Users\Admin\AppData\Local\Temp\10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe"
1⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2440-118-0x0000000003440000-0x0000000003539000-memory.dmp

Filesize
996KB

Download
memory/2440-122-0x0000000000400000-0x0000000001764000-memory.dmp

Filesize
19.4MB

Download
memory/2440-123-0x0000000000400000-0x0000000001764000-memory.dmp

Filesize
19.4MB

Download
memory/2440-124-0x0000000000400000-0x0000000001764000-memory.dmp

Filesize
19.4MB

Download
memory/2440-125-0x0000000003E40000-0x0000000003E60000-memory.dmp

Filesize
128KB

Download
memory/2440-126-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download