d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78

Analysis

max time kernel
156s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe
Size

1.0MB
MD5

71042c51c976294d201ae634a464d74c
SHA1

0744ab6e25df3e44067049020158ee02bc2f81de
SHA256

d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78
SHA512

9837133b5854fc1934d807c721e6cc88224089c412726a44fbd51063719ab6ac31226b88d8f936cef8ba465534f066a0d5ca99dc4f7c19db9f8af70ff0355e11
SSDEEP

24576:gFPZnOZBl7hZyAOrJ9yTrLXIG0sHl7u1C:G75PyTH2sBuY

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4412	1456	WerFault.exe	82

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CE87EB7-9A70-BF47-7CE8-7EB79A70BF47}\InProcServer32\ThreadingModel = "Apartment"	d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CE87EB7-9A70-BF47-7CE8-7EB79A70BF47}\tabsets	d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CE87EB7-9A70-BF47-7CE8-7EB79A70BF47}\tabsets\location = "257"	d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CE87EB7-9A70-BF47-7CE8-7EB79A70BF47}	d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CE87EB7-9A70-BF47-7CE8-7EB79A70BF47}\Implemented Categories\{00021490-0000-0000-C000-000000000046}	d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CE87EB7-9A70-BF47-7CE8-7EB79A70BF47}\InProcServer32\ = "%SystemRoot%\\SysWow64\\cabview.dll"	d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CE87EB7-9A70-BF47-7CE8-7EB79A70BF47}\ShellFolder	d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CE87EB7-9A70-BF47-7CE8-7EB79A70BF47}\ShellFolder\Attributes = "1744830880"	d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CE87EB7-9A70-BF47-7CE8-7EB79A70BF47}\ = "Cabinet Shell Folder"	d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CE87EB7-9A70-BF47-7CE8-7EB79A70BF47}\Implemented Categories	d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CE87EB7-9A70-BF47-7CE8-7EB79A70BF47}\InProcServer32	d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1456	d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe
Token: SeIncBasePriorityPrivilege	1456	d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe

C:\Users\Admin\AppData\Local\Temp\d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe
"C:\Users\Admin\AppData\Local\Temp\d701a48094c266527c28758812b748156df9bacee04e50c998dc8958afb24b78.exe"
1⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1188
  2⤵
  - Program crash
  PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1456 -ip 1456
1⤵
PID:2748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1456-132-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1456-134-0x0000000002270000-0x0000000002373000-memory.dmp

Filesize
1.0MB

Download
memory/1456-140-0x0000000002271000-0x0000000002332000-memory.dmp

Filesize
772KB

Download
memory/1456-141-0x0000000002271000-0x0000000002332000-memory.dmp

Filesize
772KB

Download
memory/1456-142-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download