Overview

overview

8

Static

static

ce4ef3fbfc...23.exe

windows7-x64

8

ce4ef3fbfc...23.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    141s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2022, 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce4ef3fbfc08919a16dc8cff25c69f39a260c3aebad708082a65231176080223.exe

  • Size

    347KB

  • MD5

    bba7d452aae29e5061c8f41ab07d0f1e

  • SHA1

    8da8e1e6c76b783836f18436187fcb9257504904

  • SHA256

    ce4ef3fbfc08919a16dc8cff25c69f39a260c3aebad708082a65231176080223

  • SHA512

    4f4003faa621de6615e970931d86326cc95b89e3b587e20f27b45fd9eeb31222e783245e8607d23b2fa70695722568e1d6953f8c2bdd8a8d98d314741245c514

  • SSDEEP

    6144:QxMBi+F32eaD9BI0VJ2kAZtU4DCWjEIWoO55JlllAZOhDOnqxV:nToD9BUZi4DC8Ko+N8AKS

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory 5 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce4ef3fbfc08919a16dc8cff25c69f39a260c3aebad708082a65231176080223.exe
    "C:\Users\Admin\AppData\Local\Temp\ce4ef3fbfc08919a16dc8cff25c69f39a260c3aebad708082a65231176080223.exe"
    1⤵
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in Windows directory
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\WINDOWS\DXREG.EXE
      C:\WINDOWS\DXREG.EXE
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • Drops file in Windows directory
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:4704
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\nsrkul.bat
      2⤵
        PID:4636

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\WINDOWS\DXREG.EXE
      Filesize

      347KB

      MD5

      bba7d452aae29e5061c8f41ab07d0f1e

      SHA1

      8da8e1e6c76b783836f18436187fcb9257504904

      SHA256

      ce4ef3fbfc08919a16dc8cff25c69f39a260c3aebad708082a65231176080223

      SHA512

      4f4003faa621de6615e970931d86326cc95b89e3b587e20f27b45fd9eeb31222e783245e8607d23b2fa70695722568e1d6953f8c2bdd8a8d98d314741245c514

      Download Submit

    • C:\Windows\PCGWIN32.LI4
      Filesize

      528B

      MD5

      cc7ab84fddc48b84c1d81c7642dde4ca

      SHA1

      cb8731c13b7991dfefa15f92967bc211df579301

      SHA256

      bdec4b48f7d38cc72c7268da1a35828d0031208731776758274dcbf51cd7e756

      SHA512

      887fbae4e6aaf2f92ff0bb0633c3408aa61d7e9a4e255ca4574e0eba237086163267dce396b3223f4cda51268dce7eccee6ac8bc1e6196f0c0ad5a920878fc78

      Download Submit

    • C:\Windows\dxreg.exe
      Filesize

      347KB

      MD5

      bba7d452aae29e5061c8f41ab07d0f1e

      SHA1

      8da8e1e6c76b783836f18436187fcb9257504904

      SHA256

      ce4ef3fbfc08919a16dc8cff25c69f39a260c3aebad708082a65231176080223

      SHA512

      4f4003faa621de6615e970931d86326cc95b89e3b587e20f27b45fd9eeb31222e783245e8607d23b2fa70695722568e1d6953f8c2bdd8a8d98d314741245c514

      Download Submit

    • \??\c:\NSRKUL.BAT
      Filesize

      139B

      MD5

      7686c83d0fe68c2f414d4da3fed2b940

      SHA1

      4f8630d2bde947dcc16bda2d12e5565f37d4d69b

      SHA256

      b402b02c167efec945836bfda7d9214d113852c3e9c2d618210aee74cdbbf788

      SHA512

      0b2af4f89936c444c552149babf1beaf07ecb804db500062b3e850c6910fbfde8477c9e22d8fb1aa4f4bbc0ff71f92b4f7c6a762d4021df9e0d5be7304715c8c

      Download Submit

    • memory/2208-135-0x0000000000660000-0x0000000000674000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2208-132-0x0000000000400000-0x00000000004CB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2208-134-0x0000000000400000-0x00000000004CB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2208-144-0x0000000000660000-0x0000000000674000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2208-143-0x0000000000400000-0x00000000004CB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2208-133-0x0000000000660000-0x0000000000674000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4704-140-0x0000000000400000-0x00000000004CB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4704-141-0x0000000000620000-0x0000000000634000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4704-146-0x0000000000400000-0x00000000004CB000-memory.dmp

      Filesize

      812KB

      Download