ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977

Analysis

max time kernel
168s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exe
Size

637KB
MD5

24c87d15d3655c8efdf3b0bcc8ad8c43
SHA1

dc3d8efe0eba85c8f2a7dd7259fca6d1420f1ebd
SHA256

ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977
SHA512

3b7b0fa8a390f0d35f96729dc7cc7c248624a78c83ac40bf7b651b65205d03438c15856cee58c3e49051f7c28b2ed803dcd0919208aecf00d242693955fe157b
SSDEEP

12288:qVd802EFXB2l4qIVm/hmx6dX1Yit4bCDPwrIuZAoXQna/KXpSH8qP2G3AHSXkG:s831IVm/hbX1Yit4b3dZAoXQnxwH8qe8

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

dw20.exe

description	pid	process
Token: SeRestorePrivilege	756	dw20.exe
Token: SeBackupPrivilege	756	dw20.exe
Token: SeBackupPrivilege	756	dw20.exe
Token: SeBackupPrivilege	756	dw20.exe
Token: SeBackupPrivilege	756	dw20.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exe

description	pid	process	target process
PID 5096 wrote to memory of 756	5096	ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exe	dw20.exe
PID 5096 wrote to memory of 756	5096	ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exe	dw20.exe
PID 5096 wrote to memory of 756	5096	ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exe
"C:\Users\Admin\AppData\Local\Temp\ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 860
2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-133-0x0000000000000000-mapping.dmp

Download
memory/5096-132-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/5096-134-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download