200aecef38ad66080dc4d02a0ef28951c5186b9058f3e5b8fb00ffd67abd18ef

Analysis

max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2023, 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3747246517841079684.exe
Size

2.3MB
MD5

60c04897b2ad150a66061e418521d7d3
SHA1

6654b8af0223d45890b25d7e8fbf3aebc0949481
SHA256

98f0d47b4b67a7dca2bd6573eedce8fd3c877dcbabcb597efa44694dd2bdf4cb
SHA512

be3cb1199c50583e1a4e1f99760343b0aa31c5f820c08daa8afe03a1e92545cca238b151461f51acbcb182a79695f6ef67679e6d737455facc57921c54417aac
SSDEEP

49152:Nqe3f6xje0NQq5rISAGFCY+DaaAexGENRbUgPVlDlr:cSiZNNC7eCTGa/xlbLP/hr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2840	3747246517841079684.tmp

Loads dropped DLL 3 IoCs

pid	Process
2840	3747246517841079684.tmp
2840	3747246517841079684.tmp
2840	3747246517841079684.tmp

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{526D5630-A6AD-4130-BF06-310496F472B8}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D47D75DA-B201-4010-A906-ED444755349B}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2840	1544	3747246517841079684.exe	75
PID 1544 wrote to memory of 2840	1544	3747246517841079684.exe	75
PID 1544 wrote to memory of 2840	1544	3747246517841079684.exe	75

C:\Users\Admin\AppData\Local\Temp\3747246517841079684.exe
"C:\Users\Admin\AppData\Local\Temp\3747246517841079684.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\is-MHQKG.tmp\3747246517841079684.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MHQKG.tmp\3747246517841079684.tmp" /SL5="$F0062,1559708,780800,C:\Users\Admin\AppData\Local\Temp\3747246517841079684.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-CCBRS.tmp\Helper.dll

Filesize
2.0MB

MD5
4eb0347e66fa465f602e52c03e5c0b4b

SHA1
fdfedb72614d10766565b7f12ab87f1fdca3ea81

SHA256
c73e53cbb7b98feafe27cc7de8fdad51df438e2235e91891461c5123888f73cc

SHA512
4c909a451059628119f92b2f0c8bcd67b31f63b57d5339b6ce8fd930be5c9baf261339fdd9da820321be497df8889ce7594b7bfaadbaa43c694156651bf6c1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CCBRS.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CCBRS.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MHQKG.tmp\3747246517841079684.tmp

Filesize
2.9MB

MD5
623a3abd7b318e1f410b1e12a42c7b71

SHA1
88e34041850ec4019dae469adc608e867b936d21

SHA256
fe1a4555d18617532248d2eaa8d3fcc2c74182f994a964a62cf418295e8554d3

SHA512
9afea88e4617e0f11416c2a2c416a6aa2d5d1f702d98d2cc223b399736191a6d002d1b717020ca6aae09e835c6356b7ddafad71e101dacab15967d89a105e391

Download Submit
memory/1544-132-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1544-136-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1544-138-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1544-142-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2840-141-0x00000000060E0000-0x00000000060EF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads