a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 04:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810.exe
Size

135KB
MD5

58cb195e821612a6186d914b3b031210
SHA1

c939bb911fd0d7c9c8e745134e0e3188bb7c93e3
SHA256

a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810
SHA512

6172e426601235fd9cd1c3a169fce0d971189c109a92feaf246bf5737e4c984d65e528f746c042e08434afff030c4e0ea19cc69f6f153a5d5a2e28eafbd3985e
SSDEEP

3072:AGNfIg/7G+R0Qnjp3Dpy51l2BD9/GMblR:bfIcG+B5UF21o

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Deletes itself 1 IoCs

pid	Process
1940	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 1608	2032	a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2032	a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810.exe
1608	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2032	a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1608	2032	a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810.exe	28
PID 2032 wrote to memory of 1608	2032	a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810.exe	28
PID 2032 wrote to memory of 1608	2032	a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810.exe	28
PID 2032 wrote to memory of 1608	2032	a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810.exe	28
PID 2032 wrote to memory of 1608	2032	a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810.exe	28
PID 2032 wrote to memory of 1608	2032	a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810.exe	28
PID 1608 wrote to memory of 1940	1608	svchost.exe	29
PID 1608 wrote to memory of 1940	1608	svchost.exe	29
PID 1608 wrote to memory of 1940	1608	svchost.exe	29
PID 1608 wrote to memory of 1940	1608	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810.exe
"C:\Users\Admin\AppData\Local\Temp\a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Checks BIOS information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /q /c for /l %i in (1, 1, 4000000000) do if not exist "C:\Users\Admin\AppData\Local\Temp\a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810.exe" (exit) else (del /f "C:\Users\Admin\AppData\Local\Temp\a0c4a8b7cc910a666dc4f823767fef26541038f773d68df175e49133ee837810.exe")
    3⤵
    - Deletes itself
    PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1608-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-56-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2032-57-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/2032-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download