Analysis
-
max time kernel
152s -
max time network
98s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
06-11-2022 09:38
General
-
Target
16bc63f21507429fd3ee692712d98ba9e476db94afec37d26594616afcb60ff3.exe
-
Size
1.1MB
-
MD5
32759d20df49c681fb558dde6de8e0b0
-
SHA1
e8ebb9b090e3a35c8e820dd83ba3d4cdc6560d0f
-
SHA256
16bc63f21507429fd3ee692712d98ba9e476db94afec37d26594616afcb60ff3
-
SHA512
deb5d722ad1113a7a13b4cff877d5fb5a8994ab20ee20d37fb9b56bfef8ef32577187e7afe828f39fe5f4e3f4f2d4208a4315de2fe9bd87cc9dda3b3737cbc96
-
SSDEEP
12288:bF9vvkPCuYcoTKFng0SrQKwypmwPI2A66BvDYqt:jvvkPNjoTKa1UKwykwP+Zrt
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\16bc63f21507429fd3ee692712d98ba9e476db94afec37d26594616afcb60ff3.exe"C:\Users\Admin\AppData\Local\Temp\16bc63f21507429fd3ee692712d98ba9e476db94afec37d26594616afcb60ff3.exe"1⤵
- Adds policy Run key to start application
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\inputm.exeC:\Windows\SysWOW64\inputm.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe/c C:\Users\Admin\AppData\Local\Temp\~unins6819.bat "C:\Users\Admin\AppData\Local\Temp\16bc63f21507429fd3ee692712d98ba9e476db94afec37d26594616afcb60ff3.exe"2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
49B
MD59e0a2f5ab30517809b95a1ff1dd98c53
SHA15c1eefdf10e67d1e9216e2e3f5e92352d583c9ce
SHA25697ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32
SHA512e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42
-
Filesize
249KB
MD5abf9a21113bd75751b746d1d3ad4b369
SHA112fa8acbbe33aab9fc5e9697fad9bffa5a478dc4
SHA25654c49d7fdb9189601a410b4329dd75c79e20635b4b7379155f5256ad4c71c32e
SHA512b491ea1b77b336750ac5db2895ad324b9bb086772792b463e16490b71d0a393e9904ebeaef6e7495c6b800ab9988f00838bcc612399efc095b6e2b02e7a81505
-
Filesize
249KB
MD5abf9a21113bd75751b746d1d3ad4b369
SHA112fa8acbbe33aab9fc5e9697fad9bffa5a478dc4
SHA25654c49d7fdb9189601a410b4329dd75c79e20635b4b7379155f5256ad4c71c32e
SHA512b491ea1b77b336750ac5db2895ad324b9bb086772792b463e16490b71d0a393e9904ebeaef6e7495c6b800ab9988f00838bcc612399efc095b6e2b02e7a81505
-
Filesize
249KB
MD5abf9a21113bd75751b746d1d3ad4b369
SHA112fa8acbbe33aab9fc5e9697fad9bffa5a478dc4
SHA25654c49d7fdb9189601a410b4329dd75c79e20635b4b7379155f5256ad4c71c32e
SHA512b491ea1b77b336750ac5db2895ad324b9bb086772792b463e16490b71d0a393e9904ebeaef6e7495c6b800ab9988f00838bcc612399efc095b6e2b02e7a81505
-
Filesize
760KB
-
Filesize
8KB
-
Filesize
396KB
-
Filesize
356KB
-
Filesize
64KB
-
Filesize
360KB
-
Filesize
360KB
-
Filesize
396KB
-
Filesize
64KB
-
Filesize
760KB
-
Filesize
356KB
-
Filesize
760KB
-
-
Filesize
5.7MB
-
Filesize
5.7MB
-