5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd

General

Target

5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe
Size

734KB
MD5

83a13048952eb0917ebbf673b96b18a4
SHA1

27f2b8b814e8746bce63e72098a3a7e41d0902b9
SHA256

5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd
SHA512

44894bff107d01b5316bcdde29f840c2994a066a775ab012598d15d1f7ae7722bccf08161d782728640cd6c3459ef57be6bba986cc06e5bd7976f49353a52bf0
SSDEEP

12288:fZ9P9SH3NcISew9d7tMsdYJZ3wYII1f7g1QQtM9HSy0A:T1SXqlGeYJZAYGMEy0A

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe

pid	process
1256	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe
1048	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe
1956	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\ 5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe

pid process

1256 5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe

description	pid	process	target process
PID 1256 wrote to memory of 1048	1256	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe
PID 1256 wrote to memory of 1048	1256	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe
PID 1256 wrote to memory of 1048	1256	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe
PID 1256 wrote to memory of 1048	1256	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe
PID 1256 wrote to memory of 1956	1256	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe
PID 1256 wrote to memory of 1956	1256	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe
PID 1256 wrote to memory of 1956	1256	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe
PID 1256 wrote to memory of 1956	1256	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe	5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe

C:\Users\Admin\AppData\Local\Temp\5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe
"C:\Users\Admin\AppData\Local\Temp\5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe
start
2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
PID:1048

C:\Users\Admin\AppData\Local\Temp\5fdfe588a427c00dc404525a5b7e73d976c53078cfbc1c2deae645d9b2d9e4cd.exe
watch
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-56-0x0000000000000000-mapping.dmp

Download
memory/1048-61-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1048-63-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1256-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1256-55-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1256-60-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1956-57-0x0000000000000000-mapping.dmp

Download
memory/1956-62-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1956-64-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads