2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f

Analysis

max time kernel
181s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 14:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe
Size

935KB
MD5

8990d8ace40fd93327a9c80a0827b8ca
SHA1

dac5d723c6154d677884a39d73b23295ffe01d1c
SHA256

2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f
SHA512

0511648cfbbe4931346640cbd6dfff2a17d3f62d7fc56707ff925ddfbc9f32c9b76fece62a46e7c6887050410507dbd38d48d93843a1b21ac7e4156bcae3c574
SSDEEP

12288:p5Yr15f753d5QWIDz/Wz9NCyzHinLipNDJ5eoFb0OZ/WiGaks+HL63S27x4:pyHv5Z+Wzv7AiBll0OBWi6si9G

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/748-133-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/748-135-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/748-136-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/748-137-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/748-138-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/748-139-0x0000000000400000-0x00000000004F2000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3716 set thread context of 748	3716	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe	85

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
748	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe
748	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe
748	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe
748	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe
748	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe
748	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 748	3716	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe	85
PID 3716 wrote to memory of 748	3716	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe	85
PID 3716 wrote to memory of 748	3716	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe	85
PID 3716 wrote to memory of 748	3716	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe	85
PID 3716 wrote to memory of 748	3716	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe	85
PID 3716 wrote to memory of 748	3716	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe	85
PID 3716 wrote to memory of 748	3716	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe	85
PID 3716 wrote to memory of 748	3716	2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe	85

C:\Users\Admin\AppData\Local\Temp\2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe
"C:\Users\Admin\AppData\Local\Temp\2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Users\Admin\AppData\Local\Temp\2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe
  "C:\Users\Admin\AppData\Local\Temp\2ffccd6ceeb12193cd8c9f825b6113d00da2182c0362a4ec760921439780b35f.exe" Track="0001101000"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/748-133-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/748-135-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/748-136-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/748-137-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/748-138-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/748-139-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads