2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e

General

Target

2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe
Size

938KB
MD5

6b2c64128bf247c7b987c65c9de3f81c
SHA1

1629ef7f8e13baa063afc0f97a5cb755b68e331f
SHA256

2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e
SHA512

11ac5c09556cf0d99a7ad5d38ca397edcb4c9ce188706729f85b56eb07973d448bed9c8864b542a51e25f33dec6f5b1c4499b95855874b3113b8becc3a6114bb

Score

10^/10

evasion suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata
suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
suricata
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1064 set thread context of 1552	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
828	schtasks.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 828	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	30
PID 1064 wrote to memory of 828	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	30
PID 1064 wrote to memory of 828	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	30
PID 1064 wrote to memory of 828	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	30
PID 1064 wrote to memory of 1552	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	32
PID 1064 wrote to memory of 1552	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	32
PID 1064 wrote to memory of 1552	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	32
PID 1064 wrote to memory of 1552	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	32
PID 1064 wrote to memory of 1552	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	32
PID 1064 wrote to memory of 1552	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	32
PID 1064 wrote to memory of 1552	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	32
PID 1064 wrote to memory of 1552	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	32
PID 1064 wrote to memory of 1552	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	32
PID 1064 wrote to memory of 1552	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	32
PID 1064 wrote to memory of 1552	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	32
PID 1064 wrote to memory of 1552	1064	2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe	32

C:\Users\Admin\AppData\Local\Temp\2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe
"C:\Users\Admin\AppData\Local\Temp\2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FHOjyTEIyyf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2ECE.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:828
- C:\Users\Admin\AppData\Local\Temp\2714b7aea9d62bafe4a3a08feca334677e8ee835441fb20fa29454b8e6c3a81e.exe
  "{path}"
  2⤵
  PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2ECE.tmp

Filesize
1KB

MD5
049fbf55d8b457a3489c905eea89ca98

SHA1
8014031ecc7854fe6f76f5f016bffb2f297879f7

SHA256
8299820c74274f9e5f8631f2e4e01512b96a2a89ca2975a5ed4f6959a34a68b3

SHA512
83c974013f9b0e26e446afd048b6ebb3f9e2a600d3660fd6b896cdd7ec97fef7a42bf65926f35c94f945ae7b105d64090b8a5de412a67038b31779ecd31ac6b8

Download Submit
memory/1064-54-0x0000000000830000-0x0000000000922000-memory.dmp

Filesize
968KB

Download
memory/1064-55-0x0000000000510000-0x000000000052E000-memory.dmp

Filesize
120KB

Download
memory/1064-56-0x0000000005520000-0x00000000055DA000-memory.dmp

Filesize
744KB

Download
memory/1552-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-60-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-62-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-59-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-69-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-72-0x0000000075691000-0x0000000075693000-memory.dmp

Filesize
8KB

Download
memory/1552-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-74-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads