aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d

Analysis

max time kernel
112s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe
Size

582KB
MD5

81fdff3ae27c77342e9ae9c4b3630d00
SHA1

4af7522f01117de3f6941327389c0ba9cee22806
SHA256

aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d
SHA512

d04db1ea9f6b73a38a2f651361460c866a275261fd18d13b47906032f8deee1dfca8ff39087fcf4e74739d32952bd13aeafa81bfbf2c0113f2cb5bb32493a450
SSDEEP

12288:qj5zz0yvLGl8FvxLtjJ3QyNcBDo888888888888W88888888888H0E:sUWGloxL3NcBq0E

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1336	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe
1336	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe
1336	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe
1336	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe
2312	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe
2312	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe
3240	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe
3240	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 3240	1336	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe	84
PID 1336 wrote to memory of 3240	1336	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe	84
PID 1336 wrote to memory of 3240	1336	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe	84
PID 1336 wrote to memory of 2312	1336	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe	85
PID 1336 wrote to memory of 2312	1336	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe	85
PID 1336 wrote to memory of 2312	1336	aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe	85

C:\Users\Admin\AppData\Local\Temp\aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe
"C:\Users\Admin\AppData\Local\Temp\aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe
  start
  2⤵
  - Checks BIOS information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3240
- C:\Users\Admin\AppData\Local\Temp\aaf4ee07223fd8a85145a94af680b17c4abf44745ba66e11de9f46a36b9a0b1d.exe
  watch
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1336-132-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1336-135-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2312-134-0x0000000000000000-mapping.dmp

Download
memory/2312-136-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2312-139-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3240-133-0x0000000000000000-mapping.dmp

Download
memory/3240-137-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3240-138-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download