a913bf3bee70654502bad100f70c9a117dc7c9cc3cc0c673c63161ae232b7499

Analysis

max time kernel
142s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2022, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Config.exe
Size

48KB
MD5

ef0d9fc38396ef924f488e07a615180b
SHA1

d64730154abf4c41040d58d29e216ccbe1afa71b
SHA256

7541fdf21bf5f8f1e220846e02ed919b6272c4ac352dd094952f8825e0310e69
SHA512

a5691f0f0af0490b6ee3acac0e5060fbee914ac31871f334f52cce7cf03102e38ace2c641cc74e4c6e1cc1a23e9350b1faf2a26ca0bc9e629f10e299b543674e
SSDEEP

192:C8ydsXb2WkunoJlmCICIP1oynVwy144UZAn5YD5982k1qwkWbBdFlloh:Emr2k1Xwy144UZq5YD5e0wBBbwh

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DRIVERS\SETB52C.tmp	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\SETB52C.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\DRIVERS\ser2pl.sys	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1448	Config.exe
1448	Config.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 392	1448	Config.exe	80
PID 1448 wrote to memory of 392	1448	Config.exe	80
PID 1448 wrote to memory of 392	1448	Config.exe	80
PID 392 wrote to memory of 4364	392	rundll32.exe	81
PID 392 wrote to memory of 4364	392	rundll32.exe	81
PID 392 wrote to memory of 4364	392	rundll32.exe	81
PID 4364 wrote to memory of 3824	4364	runonce.exe	82
PID 4364 wrote to memory of 3824	4364	runonce.exe	82
PID 4364 wrote to memory of 3824	4364	runonce.exe	82

C:\Users\Admin\AppData\Local\Temp\Config.exe
"C:\Users\Admin\AppData\Local\Temp\Config.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe setupapi.dll,InstallHinfSection ComPort.NT 128 C:\Users\Admin\AppData\Local\Temp\98ME_20011_2kXP_20024\Serwpl.inf
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\SysWOW64\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Windows\SysWOW64\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      PID:3824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads