8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348

General

Target

8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
Size

119KB
MD5

46e1676cfc354dae4ae457773d20c2b2
SHA1

6515f574701e101b7df0b6306671cb70800359eb
SHA256

8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348
SHA512

1e04f78a01558c6f3e7d6fef718ed3da6559be7185c92f78d9e24b2b3731b2e9b974b5b1f3f0dde63e5116a155c86a60852eff53fb6c726f9cb5590c07c94489
SSDEEP

1536:TwbIdIdbNCPoWaPEnw3XW4nKyXsseoiepwQRfl16p8eZk7qjh3rmKPNRsbA5:EPNYnkG4nKyjjw0fGqeZ7jZqMNRsE5

Score

7^/10

persistence

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosdate svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosdate	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aaaaaaaa = "C:\\Windows\\System32\\aaaaaaaa.exe"	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\aaaaaaaa = "C:\\Users\\Admin\\aaaaaaaa.exe"	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

Drops file in System32 directory 1 IoCs

Processes:

8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

description ioc process

File created C:\Windows\SysWOW64\aaaaaaaa.exe 8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

description	ioc	process
File created	C:\Windows\SysWOW64\aaaaaaaa.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

description	pid	process	target process
PID 1676 set thread context of 1980	1676	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1980 set thread context of 1240	1980	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

pid	process
1676	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
1676	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

description	pid	process	target process
PID 1676 wrote to memory of 1980	1676	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1676 wrote to memory of 1980	1676	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1676 wrote to memory of 1980	1676	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1676 wrote to memory of 1980	1676	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1676 wrote to memory of 1980	1676	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1676 wrote to memory of 1980	1676	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1676 wrote to memory of 1980	1676	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1676 wrote to memory of 1980	1676	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1676 wrote to memory of 1980	1676	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1980 wrote to memory of 1240	1980	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe
PID 1980 wrote to memory of 1240	1980	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe
PID 1980 wrote to memory of 1240	1980	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe
PID 1980 wrote to memory of 1240	1980	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe
PID 1980 wrote to memory of 1240	1980	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe
PID 1980 wrote to memory of 1240	1980	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe
PID 1980 wrote to memory of 1240	1980	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe
PID 1980 wrote to memory of 1240	1980	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe
PID 1980 wrote to memory of 1240	1980	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
"C:\Users\Admin\AppData\Local\Temp\8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
"C:\Users\Admin\AppData\Local\Temp\8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
3⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:1240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-73-0x0000000009504E30-mapping.dmp

Download
memory/1240-77-0x0000000009500000-0x0000000009508000-memory.dmp

Filesize
32KB

Download
memory/1240-76-0x0000000009500000-0x0000000009508000-memory.dmp

Filesize
32KB

Download
memory/1240-75-0x0000000009500000-0x0000000009508000-memory.dmp

Filesize
32KB

Download
memory/1240-67-0x0000000009500000-0x0000000009508000-memory.dmp

Filesize
32KB

Download
memory/1240-68-0x0000000009500000-0x0000000009508000-memory.dmp

Filesize
32KB

Download
memory/1240-70-0x0000000009500000-0x0000000009508000-memory.dmp

Filesize
32KB

Download
memory/1240-72-0x0000000009500000-0x0000000009508000-memory.dmp

Filesize
32KB

Download
memory/1240-71-0x0000000009500000-0x0000000009508000-memory.dmp

Filesize
32KB

Download
memory/1676-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1676-63-0x0000000000230000-0x0000000000235000-memory.dmp

Filesize
20KB

Download
memory/1980-60-0x0000000013100000-0x000000001310A000-memory.dmp

Filesize
40KB

Download
memory/1980-66-0x0000000013100000-0x000000001310A000-memory.dmp

Filesize
40KB

Download
memory/1980-65-0x0000000013100000-0x000000001310A000-memory.dmp

Filesize
40KB

Download
memory/1980-62-0x0000000013101CF0-mapping.dmp

Download
memory/1980-61-0x0000000013100000-0x000000001310A000-memory.dmp

Filesize
40KB

Download
memory/1980-58-0x0000000013100000-0x000000001310A000-memory.dmp

Filesize
40KB

Download
memory/1980-56-0x0000000013100000-0x000000001310A000-memory.dmp

Filesize
40KB

Download
memory/1980-55-0x0000000013100000-0x000000001310A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads