cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6

General

Target

cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe
Size

1.6MB
MD5

cd11464c680693071d526746810cfd55
SHA1

95c72e5ddfd3d4db9b6e6200e79b1bb5cf3a8cdd
SHA256

cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6
SHA512

7a7bb5b514872f3c1c76f2ebd089a13c3a8a4b145c3b78a98c8250e95ecdff34c11c62f2ee73bfda2b1bea143848d3ce1943a8e776da848f850f29374433b537
SSDEEP

49152:ChNMMHkQ2ff4vHCF5azAgDxWT3egP5+CJM:KNb92ff4/CFszAgQP5By

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2900	Project1.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4656 set thread context of 2520	4656	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E90F63A-3E90-F63A-3E90-F63A3E90F63A}\InProcServer32	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E90F63A-3E90-F63A-3E90-F63A3E90F63A}\InProcServer32\ = "%SystemRoot%\\SysWow64\\VoiceActivationManager.dll"	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E90F63A-3E90-F63A-3E90-F63A3E90F63A}\InProcServer32\ThreadingModel = "Both"	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E90F63A-3E90-F63A-3E90-F63A3E90F63A}	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E90F63A-3E90-F63A-3E90-F63A3E90F63A}\ = "Voice Activation Manager 2 Class"	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4656	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe
Token: SeIncBasePriorityPrivilege	4656	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4656	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 2520	4656	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe	81
PID 4656 wrote to memory of 2520	4656	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe	81
PID 4656 wrote to memory of 2520	4656	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe	81
PID 4656 wrote to memory of 2520	4656	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe	81
PID 4656 wrote to memory of 2520	4656	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe	81
PID 4656 wrote to memory of 2520	4656	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe	81
PID 4656 wrote to memory of 2520	4656	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe	81
PID 4656 wrote to memory of 2520	4656	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe	81
PID 2520 wrote to memory of 2900	2520	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe	82
PID 2520 wrote to memory of 2900	2520	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe	82
PID 2520 wrote to memory of 2900	2520	cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe	82

C:\Users\Admin\AppData\Local\Temp\cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe
"C:\Users\Admin\AppData\Local\Temp\cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe
  "C:\Users\Admin\AppData\Local\Temp\cbfe9a096ef331766fbb7489c6754ddbe57eb4b5182c6faf0b0fbb1878a7a4e6.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\Project1.exe
    "C:\Users\Admin\AppData\Local\Temp\Project1.exe"
    3⤵
    - Executes dropped EXE
    PID:2900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Project1.exe

Filesize
1.6MB

MD5
4ea2871dcdf0caa2e0e52422806223cc

SHA1
84da41476c9e854ed01a2c9c98a13b7d2bab2cc6

SHA256
6315da503d0f4f1f9c81bfce3b4a4f8744c4d351306ceffd9e1fe12c6353414c

SHA512
b626e692e3592e7ca351fe1dd92aed0910ff2ceb3ca59ef667f8dfe207cd0fdc685ffc8aa54fc7ca3f2eee9df94167ffafe784985b5be2582ec1fce6a23ffe36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Project1.exe

Filesize
1.6MB

MD5
4ea2871dcdf0caa2e0e52422806223cc

SHA1
84da41476c9e854ed01a2c9c98a13b7d2bab2cc6

SHA256
6315da503d0f4f1f9c81bfce3b4a4f8744c4d351306ceffd9e1fe12c6353414c

SHA512
b626e692e3592e7ca351fe1dd92aed0910ff2ceb3ca59ef667f8dfe207cd0fdc685ffc8aa54fc7ca3f2eee9df94167ffafe784985b5be2582ec1fce6a23ffe36

Download Submit
memory/2520-156-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/2520-151-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/2520-161-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/2520-157-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/2520-147-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/2520-155-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/4656-150-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4656-140-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4656-132-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4656-142-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4656-139-0x00000000005B1000-0x00000000005E0000-memory.dmp

Filesize
188KB

Download
memory/4656-143-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4656-134-0x00000000005B0000-0x00000000005F9000-memory.dmp

Filesize
292KB

Download
memory/4656-141-0x0000000000401000-0x000000000041B000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads