Analysis

Max time kernel: 278s
Max time network: 328s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-11-2022 14:47
Static task: static1
Behavioral task: behavioral1
Sample: 236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
Resource: win7-20220901-en
General

Target: 236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
Size: 975KB
MD5: 5847b9ede173b9906cd97d16d8f439ae
SHA1: 252e1ef6da885fdd3b730ac7d37d3f062aed9b69
SHA256: 236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac
SHA512: 49caf512a6b6c07a0f949dc45eb8b803658ce5f98c0b0382468dd1fe5372a19d69eeff0bf7a488f4f91f8334342b1f5f45a342394c4450ed24d619b34c7615c1
SSDEEP: 6144:aZ7l+qrvVra1h+9tbZ8WyAJe/V0TUJp9497AXJRpte6ECZkgwTSkne8CpiKk:cro1s9tWmetKw9qsHptemz7kne8CY
Malware Config

Signatures

Processes (resource / yara_rule):
  behavioral2/memory/4124-134-0x0000000002210000-0x00000000022C9000-memory.dmp   upx
  behavioral2/memory/4124-137-0x0000000002210000-0x00000000022C9000-memory.dmp   upx
  behavioral2/memory/4124-138-0x0000000002210000-0x00000000022C9000-memory.dmp   upx
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  process: 236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: 236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid / process):
  4124   236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
  4124   236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
  4124   236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
  4124   236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeDebugPrivilege
  pid: 4124
  process: 236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
Processes

C:\Users\Admin\AppData\Local\Temp\236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe"
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dump / filesize):
  memory/4124-132-0x0000000000640000-0x0000000000650000-memory.dmp   64KB
  memory/4124-133-0x0000000000B00000-0x0000000000B53000-memory.dmp   332KB
  memory/4124-134-0x0000000002210000-0x00000000022C9000-memory.dmp   740KB
  memory/4124-137-0x0000000002210000-0x00000000022C9000-memory.dmp   740KB
  memory/4124-138-0x0000000002210000-0x00000000022C9000-memory.dmp   740KB
  memory/4124-139-0x0000000002276000-0x00000000022C8000-memory.dmp   328KB
  memory/4124-140-0x0000000002211000-0x0000000002276000-memory.dmp   404KB
  memory/4124-141-0x0000000002276000-0x00000000022C8000-memory.dmp   328KB