Analysis
max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 19:38
Static task: static1
Behavioral task: behavioral1
  Sample: 6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exe
  Resource: win10v2004-20220812-en
General
Target: 6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exe
Size: 560KB
MD5: 0bed5fbe6172b4da68950a69f73a6655
SHA1: f4c61d3efb83e915bd78060e4ef654bf62b648ad
SHA256: 6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71
SHA512: 18822c0d95aae011dc0a4ebde34da6a2cf1c9316aed4473da71f70c710e3be6160b8074b85cfa8e3a55221c3700808b49126cc9e18aefe38cfdf79bde2dee3bd
SSDEEP: 12288:vflAhHtn1bvzSP6iTn1UserksHkU5KrVclb6ajydnl:vfShHLvmP6+19egRG10nl
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  PID 1952  svchost.exe

Drops file in Program Files directory (5 IoCs)
Processes: svchost.exe, 6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exe
  description                   ioc                                                 process
  File opened for modification  C:\Program Files\DbProtectSupport\fake.cfg          svchost.exe
  File created                  C:\Program Files\DbProtectSupport\fake.cfg          svchost.exe
  File created                  C:\Program Files\DbProtectSupport\svchost.exe.bak   6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exe
  File created                  C:\Program Files\DbProtectSupport\svchost.exe       6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exe
  File opened for modification  C:\Program Files\DbProtectSupport\svchost.exe       6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exe

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
  description        ioc                                                                          process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0             svchost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz        svchost.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1             svchost.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2             svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exe"
  PID: 1592
  - Drops file in Program Files directory

C:\Program Files\DbProtectSupport\svchost.exe
  Command line: "C:\Program Files\DbProtectSupport\svchost.exe"
  PID: 1952
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Program Files\DbProtectSupport\svchost.exe
  Filesize: 281KB
  MD5: 0e5ed49d2c83c2c34031f0c3712bd479
  SHA1: 068e08738d05ede9d83ce7f1cb74a695e2fcd9f2
  SHA256: 6c14e4287757b30837a611b3593eba59994fd58a9bd774c9084b6c857c51493b
  SHA512: 3a8cc2366d0b9feead3b2f5e617f5392579fe4e2199d4aa428c4c2c2ce8360ae87ad3ae4f391ead19f16d24f08a8d0baebef253cbfc2d4772d59823d433fdd6c