8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348

General

Target

8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
Size

119KB
MD5

46e1676cfc354dae4ae457773d20c2b2
SHA1

6515f574701e101b7df0b6306671cb70800359eb
SHA256

8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348
SHA512

1e04f78a01558c6f3e7d6fef718ed3da6559be7185c92f78d9e24b2b3731b2e9b974b5b1f3f0dde63e5116a155c86a60852eff53fb6c726f9cb5590c07c94489
SSDEEP

1536:TwbIdIdbNCPoWaPEnw3XW4nKyXsseoiepwQRfl16p8eZk7qjh3rmKPNRsbA5:EPNYnkG4nKyjjw0fGqeZ7jZqMNRsE5

Score

7^/10

persistence

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosdate svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosdate	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aaaaaaaa = "C:\\Windows\\System32\\aaaaaaaa.exe"	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aaaaaaaa = "C:\\Users\\Admin\\aaaaaaaa.exe"	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

Drops file in System32 directory 1 IoCs

Processes:

8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

description ioc process

File created C:\Windows\SysWOW64\aaaaaaaa.exe 8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

description	ioc	process
File created	C:\Windows\SysWOW64\aaaaaaaa.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

description	pid	process	target process
PID 1780 set thread context of 3772	1780	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 3772 set thread context of 5052	3772	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

pid	process
1780	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
1780	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
1780	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
1780	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe

description	pid	process	target process
PID 1780 wrote to memory of 3772	1780	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1780 wrote to memory of 3772	1780	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1780 wrote to memory of 3772	1780	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1780 wrote to memory of 3772	1780	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1780 wrote to memory of 3772	1780	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1780 wrote to memory of 3772	1780	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1780 wrote to memory of 3772	1780	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 1780 wrote to memory of 3772	1780	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
PID 3772 wrote to memory of 5052	3772	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe
PID 3772 wrote to memory of 5052	3772	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe
PID 3772 wrote to memory of 5052	3772	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe
PID 3772 wrote to memory of 5052	3772	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe
PID 3772 wrote to memory of 5052	3772	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe
PID 3772 wrote to memory of 5052	3772	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe
PID 3772 wrote to memory of 5052	3772	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe
PID 3772 wrote to memory of 5052	3772	8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
"C:\Users\Admin\AppData\Local\Temp\8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Local\Temp\8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe
"C:\Users\Admin\AppData\Local\Temp\8dd4bbe4d9d2a935c0f420a09989529830f814a979ff444debc8d98ce557f348.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
3⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:5052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1780-135-0x0000000000500000-0x0000000000505000-memory.dmp

Filesize
20KB

Download
memory/3772-132-0x0000000000000000-mapping.dmp

Download
memory/3772-133-0x0000000013100000-0x000000001310A000-memory.dmp

Filesize
40KB

Download
memory/3772-136-0x0000000013100000-0x000000001310A000-memory.dmp

Filesize
40KB

Download
memory/3772-139-0x0000000013100000-0x000000001310A000-memory.dmp

Filesize
40KB

Download
memory/5052-137-0x0000000000000000-mapping.dmp

Download
memory/5052-138-0x0000000009500000-0x0000000009508000-memory.dmp

Filesize
32KB

Download
memory/5052-141-0x0000000009500000-0x0000000009508000-memory.dmp

Filesize
32KB

Download
memory/5052-142-0x0000000009500000-0x0000000009508000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads