395b6a08c66ac5c26db8a19461fa440e09dd730c46e3b2d62f4d78b1eabdd82b

Analysis

max time kernel
261s
max time network
335s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

61de999f1862b283214880b3902a9ec2
SHA1

9a307cdf80c9167add439f7030fc3cf471d52434
SHA256

395b6a08c66ac5c26db8a19461fa440e09dd730c46e3b2d62f4d78b1eabdd82b
SHA512

20abb7359e740cd415daf2f2a201ecca7e0059d7bd7cf97ac36be225a83f30be36f2f6a59a7468586932db902944c9dcefacc63877bb1f34060674fed3b8259c
SSDEEP

196608:91Og37vsagYxWwiWWdy0fzzb4LV7u2QJPCYDpI+:3OgrvBgY8wIdTzzoVq2WXlv

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3248	Install.exe
3904	Install.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 3248	1492	file.exe	82
PID 1492 wrote to memory of 3248	1492	file.exe	82
PID 1492 wrote to memory of 3248	1492	file.exe	82
PID 3248 wrote to memory of 3904	3248	Install.exe	84
PID 3248 wrote to memory of 3904	3248	Install.exe	84
PID 3248 wrote to memory of 3904	3248	Install.exe	84

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\7zS5327.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Users\Admin\AppData\Local\Temp\7zSB5C9.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Enumerates system info in registry
    PID:3904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS5327.tmp\Install.exe

Filesize
6.3MB

MD5
0f08895fb9b9c4569eec3125305e9538

SHA1
4ca2a918dc913b8452070338188f58754f09994f

SHA256
406a32dc2c381e780cfface1ad825ed303767d5ffe8bae69d8eb26df9b791ee5

SHA512
a67b4d7beb12a45b5e30188b98413f4ca8e1df6fb38a75df48e6adc36b08c71020594393c8e0270cf5f0fba11a1b7d78881dadb5102dc28e75f5a889ea845744

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5327.tmp\Install.exe

Filesize
6.3MB

MD5
0f08895fb9b9c4569eec3125305e9538

SHA1
4ca2a918dc913b8452070338188f58754f09994f

SHA256
406a32dc2c381e780cfface1ad825ed303767d5ffe8bae69d8eb26df9b791ee5

SHA512
a67b4d7beb12a45b5e30188b98413f4ca8e1df6fb38a75df48e6adc36b08c71020594393c8e0270cf5f0fba11a1b7d78881dadb5102dc28e75f5a889ea845744

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB5C9.tmp\Install.exe

Filesize
6.9MB

MD5
994f958a62e5ef7ace45bb6e5096e302

SHA1
d02aab11466b959a464a35a62e1112af0d31e257

SHA256
c75481e9a69780c280f00ceb34d492d3538cec727a5bccc12122c83598bc3178

SHA512
e75543507fb46dfa77b082d207a35f71f19ee35d7fe58a8f21c82efb6a0fb4b3a3b333ee467a9ff97d3eb8381b337e01b37ef428bcbf56ec51161811a7a9f1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB5C9.tmp\Install.exe

Filesize
6.9MB

MD5
994f958a62e5ef7ace45bb6e5096e302

SHA1
d02aab11466b959a464a35a62e1112af0d31e257

SHA256
c75481e9a69780c280f00ceb34d492d3538cec727a5bccc12122c83598bc3178

SHA512
e75543507fb46dfa77b082d207a35f71f19ee35d7fe58a8f21c82efb6a0fb4b3a3b333ee467a9ff97d3eb8381b337e01b37ef428bcbf56ec51161811a7a9f1ab

Download Submit
memory/3904-138-0x0000000012E20000-0x00000000138D6000-memory.dmp

Filesize
10.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads