521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 10:17 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe
Size

34KB
MD5

0006c4d07b2247b6053abab325b18bb0
SHA1

ccda25745868923c09ee92dd2d5cee5aad7eb06a
SHA256

521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293
SHA512

6c55a89a9b1dad0aadeff3edc1d9b826c41dcd0920483952507c01a2f2da9edf4462523c660f0b43cf9df59840fede936f7f67d55fc2097139db542fa4ee0b6e
SSDEEP

768:Y6huRKdgYIDWI5yEb0dZBQDv2sUANoDXYfxQqPnhYqicAdav:lAAgmcoOvEDXYEav

Score

6^/10

Malware Config

Signatures

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1128 set thread context of 4384	1128	521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe	80

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1128	521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe
4384	521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe
4384	521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 4384	1128	521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe	80
PID 1128 wrote to memory of 4384	1128	521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe	80
PID 1128 wrote to memory of 4384	1128	521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe	80
PID 1128 wrote to memory of 4384	1128	521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe	80
PID 1128 wrote to memory of 4384	1128	521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe	80
PID 1128 wrote to memory of 4384	1128	521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe	80
PID 1128 wrote to memory of 4384	1128	521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe	80
PID 1128 wrote to memory of 4384	1128	521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe	80
PID 1128 wrote to memory of 4384	1128	521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe	80

C:\Users\Admin\AppData\Local\Temp\521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe
"C:\Users\Admin\AppData\Local\Temp\521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe
  a|
  2⤵
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  PID:4384

Network

DNS

85308.dnsm9.net

521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe

Remote address:

8.8.8.8:53

Request

85308.dnsm9.net

IN A

Response
DNS

226.101.242.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

226.101.242.52.in-addr.arpa

IN PTR

Response
DNS

6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

Remote address:

8.8.8.8:53

Request

6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

IN PTR

Response

67.27.154.126:80

260 B
5
209.197.3.8:80

46 B
40 B
1
1
8.238.110.126:80

260 B
5
20.189.173.10:443

322 B
7
8.238.110.126:80

260 B
5
67.27.154.126:80

260 B
5
8.238.110.126:80

322 B
7
93.184.220.29:80

322 B
7

8.8.8.8:53

85308.dnsm9.net

dns

521302edc63f6e9a44e828d76a55544a38270b321689f0f783efd5bf423e4293.exe

61 B
134 B
1
1

DNS Request

85308.dnsm9.net
8.8.8.8:53

226.101.242.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

226.101.242.52.in-addr.arpa
8.8.8.8:53

6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

dns

118 B
204 B
1
1

DNS Request

6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4384-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4384-137-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4384-141-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.