a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218

General

Target

a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe
Size

4.0MB
MD5

ffb8f2b184a583a281e42b7ceeaacbc1
SHA1

848f8cb912fd833a08481f571146022fb73eb80e
SHA256

a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218
SHA512

5342fae478ccac6d933894905c5b068bd2ac0ac97dad5afb88831b31fd58bc9237388149de0439489a8913224719cb038d5c929fa098581cc7da981fd0a4a79b
SSDEEP

98304:Xoe0/H/vLq+crSY8bBXKJ01peq1cZqD+cngaSHQ3rafb:XhAHLq+cJ8NXKJApeq1c8DJgaBi

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\0 = 709c3ee7dc721bb5d28b69ee98b64d0c3f026a5b1f	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32A04561-77C1-13D1-B2E4-0060975B8649}\Version\ = "1.0"	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	680	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe
Token: SeIncBasePriorityPrivilege	680	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
680	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 680	1516	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe	28
PID 1516 wrote to memory of 680	1516	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe	28
PID 1516 wrote to memory of 680	1516	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe	28
PID 1516 wrote to memory of 680	1516	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe	28
PID 1516 wrote to memory of 680	1516	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe	28
PID 1516 wrote to memory of 680	1516	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe	28
PID 1516 wrote to memory of 680	1516	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe	28
PID 1516 wrote to memory of 680	1516	a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe	28

C:\Users\Admin\AppData\Local\Temp\a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe
"C:\Users\Admin\AppData\Local\Temp\a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe
  "C:\Users\Admin\AppData\Local\Temp\a13b90111cf5054e290a42ac307d8fac2113cd5e597f7b9f84051b2d88986218.exe"
  2⤵
  - Checks BIOS information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/680-64-0x0000000000400000-0x0000000000463200-memory.dmp

Filesize
396KB

Download
memory/680-68-0x0000000000400000-0x0000000000463200-memory.dmp

Filesize
396KB

Download
memory/680-73-0x0000000000400000-0x0000000000463200-memory.dmp

Filesize
396KB

Download
memory/680-57-0x0000000000000000-mapping.dmp

Download
memory/680-59-0x0000000001B90000-0x0000000001BB4000-memory.dmp

Filesize
144KB

Download
memory/680-65-0x0000000000400000-0x0000000000463200-memory.dmp

Filesize
396KB

Download
memory/680-71-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/680-70-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/1516-54-0x0000000000400000-0x0000000000463200-memory.dmp

Filesize
396KB

Download
memory/1516-67-0x0000000000570000-0x00000000005D4000-memory.dmp

Filesize
400KB

Download
memory/1516-69-0x0000000000400000-0x0000000000463200-memory.dmp

Filesize
396KB

Download
memory/1516-66-0x0000000000400000-0x0000000000463200-memory.dmp

Filesize
396KB

Download
memory/1516-55-0x0000000000400000-0x0000000000463200-memory.dmp

Filesize
396KB

Download
memory/1516-56-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download
memory/1516-74-0x0000000000400000-0x0000000000463200-memory.dmp

Filesize
396KB

Download

Analysis

Sharing