4bb31847846180bf78033b5eb7761b874b114f6dd086862472915be761fc042a

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
09-06-2022 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS8A52FD1B/62a1ea2df066e_add786971.exe
Size

172KB
MD5

fa026e2025aee68f7a28808eba6f09af
SHA1

28033d304e34b1989d6e6214f962b937f7359856
SHA256

06760e7403eeb738fc2cd8c2c9d1597ce9628294332aa66d85f6630659a2486c
SHA512

8b206e0ee721a74dbd5f6da921f3e7ed176c048e4814768b5c620c5e90581e7d0279d2603033f5cc98917ad537a87ec459a39f057c8e2beb8d7204e282c2f038

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

62a1ea2df066e_add786971.exe

description pid process target process

PID 1408 set thread context of 1952 1408 62a1ea2df066e_add786971.exe 62a1ea2df066e_add786971.exe

description	pid	process	target process
PID 1408 set thread context of 1952	1408	62a1ea2df066e_add786971.exe	62a1ea2df066e_add786971.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

62a1ea2df066e_add786971.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	62a1ea2df066e_add786971.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	62a1ea2df066e_add786971.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	62a1ea2df066e_add786971.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

62a1ea2df066e_add786971.exe

pid	process
1952	62a1ea2df066e_add786971.exe
1952	62a1ea2df066e_add786971.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

62a1ea2df066e_add786971.exe

pid process

1952 62a1ea2df066e_add786971.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1272

description	pid	process
Token: SeShutdownPrivilege	1272

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

62a1ea2df066e_add786971.exe

description	pid	process	target process
PID 1408 wrote to memory of 1952	1408	62a1ea2df066e_add786971.exe	62a1ea2df066e_add786971.exe
PID 1408 wrote to memory of 1952	1408	62a1ea2df066e_add786971.exe	62a1ea2df066e_add786971.exe
PID 1408 wrote to memory of 1952	1408	62a1ea2df066e_add786971.exe	62a1ea2df066e_add786971.exe
PID 1408 wrote to memory of 1952	1408	62a1ea2df066e_add786971.exe	62a1ea2df066e_add786971.exe
PID 1408 wrote to memory of 1952	1408	62a1ea2df066e_add786971.exe	62a1ea2df066e_add786971.exe
PID 1408 wrote to memory of 1952	1408	62a1ea2df066e_add786971.exe	62a1ea2df066e_add786971.exe
PID 1408 wrote to memory of 1952	1408	62a1ea2df066e_add786971.exe	62a1ea2df066e_add786971.exe

C:\Users\Admin\AppData\Local\Temp\7zS8A52FD1B\62a1ea2df066e_add786971.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8A52FD1B\62a1ea2df066e_add786971.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\7zS8A52FD1B\62a1ea2df066e_add786971.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8A52FD1B\62a1ea2df066e_add786971.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1952

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1408-56-0x0000000000ACE000-0x0000000000AD7000-memory.dmp

Filesize
36KB

Download
memory/1408-58-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1952-55-0x0000000000402DD8-mapping.dmp

Download
memory/1952-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1952-57-0x00000000765C1000-0x00000000765C3000-memory.dmp

Filesize
8KB

Download
memory/1952-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1952-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads