c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1

General

Target

c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
Size

2.0MB
MD5

3e731b4d45a3c0ffd68341df615e5c43
SHA1

7b94874c630da0658a06e25419c3a5ae869f2719
SHA256

c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1
SHA512

a336a2e64a253b2962587e3bc77b27e3192d72b75b3165cd0bea77a65da1f9ebb87e972e916ab2863df3c70bf2fb83fa2ac4962cdb8b8aa138d58abbe97b7b34

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 968	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	30
PID 1084 wrote to memory of 968	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	30
PID 1084 wrote to memory of 968	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	30
PID 1084 wrote to memory of 968	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	30
PID 1084 wrote to memory of 1800	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	32
PID 1084 wrote to memory of 1800	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	32
PID 1084 wrote to memory of 1800	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	32
PID 1084 wrote to memory of 1800	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	32
PID 1084 wrote to memory of 1648	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	33
PID 1084 wrote to memory of 1648	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	33
PID 1084 wrote to memory of 1648	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	33
PID 1084 wrote to memory of 1648	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	33
PID 1084 wrote to memory of 960	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	34
PID 1084 wrote to memory of 960	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	34
PID 1084 wrote to memory of 960	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	34
PID 1084 wrote to memory of 960	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	34
PID 1084 wrote to memory of 112	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	35
PID 1084 wrote to memory of 112	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	35
PID 1084 wrote to memory of 112	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	35
PID 1084 wrote to memory of 112	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	35
PID 1084 wrote to memory of 680	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	36
PID 1084 wrote to memory of 680	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	36
PID 1084 wrote to memory of 680	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	36
PID 1084 wrote to memory of 680	1084	c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe	36

C:\Users\Admin\AppData\Local\Temp\c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
"C:\Users\Admin\AppData\Local\Temp\c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ARCeIRiCVNN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4318.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:968
- C:\Users\Admin\AppData\Local\Temp\c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
  "{path}"
  2⤵
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
  "{path}"
  2⤵
  PID:1648
- C:\Users\Admin\AppData\Local\Temp\c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
  "{path}"
  2⤵
  PID:960
- C:\Users\Admin\AppData\Local\Temp\c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
  "{path}"
  2⤵
  PID:112
- C:\Users\Admin\AppData\Local\Temp\c27e641edc2184890a340b8eac895e9f710a0aca5706b4becd117b2ed395d4d1.exe
  "{path}"
  2⤵
  PID:680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4318.tmp

Filesize
1KB

MD5
1d3ac3a255f2a1cccd152f0fa6dedfc1

SHA1
49b451e24c007f51b7a5c1f58a048a441ec9fc4d

SHA256
21bde76295361e3118ab8ba8acd21e93faa4e1483f0149e9278193bc18cf303b

SHA512
42e6ad163ae7a1e17b1826ea17dde94d382c741e191ac100eea004a3477d22a0ac79f9bb515f6cdae46471c7ebf07149fdb20ccb405df8a95e602d854fbcb735

Download Submit
memory/1084-54-0x00000000002E0000-0x00000000004DA000-memory.dmp

Filesize
2.0MB

Download
memory/1084-55-0x0000000001E50000-0x0000000001E6C000-memory.dmp

Filesize
112KB

Download
memory/1084-56-0x0000000005E00000-0x0000000005FBE000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads