ea6dd47a47719361da8c63b6b27aa9ed07b2f6cf8c3526d66d8bc5d943c37d54

Analysis

max time kernel
95s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uLrcEditor211/Plugin/WebLrcLoader.exe
Size

342KB
MD5

e4199a5870d219c9e421f024f60d9a48
SHA1

95d5ce3ba862163ba0f8e02bde64a8ccfe9eb0f9
SHA256

4fd31680e3b030a8b912c2ae166ca92f0c14991d892253aeca7299adb78152d6
SHA512

7f0e2e0f9da7028e3e2b950086e836a8cd15d482cbf643c9c14a66c402840db69c701b7e29afab7b2a54559aca641b67145cefc739f931b6f3afd0d6edcb5450
SSDEEP

6144:VWbMw/7uPJ0qgA5dNSKuWbMw/7uPJ0qgA5dNS:VWbUJ04rSKuWbUJ04rS

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1664	dw20.exe
Token: SeBackupPrivilege	1664	dw20.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1664	2364	WebLrcLoader.exe	81
PID 2364 wrote to memory of 1664	2364	WebLrcLoader.exe	81

C:\Users\Admin\AppData\Local\Temp\uLrcEditor211\Plugin\WebLrcLoader.exe
"C:\Users\Admin\AppData\Local\Temp\uLrcEditor211\Plugin\WebLrcLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 800
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2364-132-0x00007FFD0E900000-0x00007FFD0F336000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads