Analysis
max time kernel: 6s
max time network: 8s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 11:35
Static task: static1
Behavioral task: behavioral1
Sample: ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe
Resource: win7-20221111-en
General
Target: ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe
Size: 668KB
MD5: 7434b6c4ee381a0c83e1a25305d5e29f
SHA1: 9aaac47d1101c74cedb331a7e5a3c08d8a694f20
SHA256: ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c
SHA512: 79ad32bfb7a7fa3071e492ce110f8ba2902d89a657e3571769f008e84fc67a55ee3576e3e98b3dc6e9b53353fae9e00e1f565e278b606d3d727821da720cb7a4
SSDEEP: 12288:1MkI8TndMPYINs+WaKOfXhFa8wodovujk2nWNYCZzl2C4D7pQRi1o/2rNoNSXf:1LhTnovpWaKOPapBywY+wHD7SRiKu2Yf
Malware Config
Signatures
Processes:
resource | yara_rule
behavioral2/memory/4684-133-0x000000003BF80000-0x000000003BFB8000-memory.dmp | upx
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe
Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe
Enumerates system info in registry (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4684 | ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe
command line: "C:\Users\Admin\AppData\Local\Temp\ec3873b9136338a5b8d42353cf33ea70496e6f9768ff7779d087800b84d5492c.exe"
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken