Analysis
- max time kernel: 147s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-01-2023 04:29
Behavioral task: behavioral1
- Sample: aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe
- Resource: win7-20221111-en
General
- Target: aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe
- Size: 634KB
- MD5: 8d5b19eb840a7308ebeb3d87295602de
- SHA1: b50eedfb62434545a1558d59d7047a2ff3cfcb64
- SHA256: aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5
- SHA512: e5c8293265a31df09e53783be979b4bda1ed474b836837a59fe73b7da35d1e3ceb9e07353fb947dd795c3dedd123fcd4a4aca3fba378835af42dd40e2fff8ae6
- SSDEEP: 12288:YpwAFyxT5SaflN97oY/9PAh7VwoIWGgzQxn5pTMsk9kIB/f:CwAAt5N977/9PixwLWGgzQrRMsGPBH
Malware Config
Signatures
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes: aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes: aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe
All 24 entries have pid 4852 and process aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe; the description column is:
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeChangeNotifyPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: SeImpersonatePrivilege
- Token: SeCreateGlobalPrivilege
- Token: 33
- Token: 34
- Token: 35
- Token: 36
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe
description | pid | process | target process
PID 4852 wrote to memory of 748 | 4852 | aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe | explorer.exe
PID 4852 wrote to memory of 748 | 4852 | aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe | explorer.exe
PID 4852 wrote to memory of 748 | 4852 | aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe | explorer.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\aad570b3b387fa92911063850d338fd8985888572f8d08d2d1550f11028d91d5.exe"
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\explorer.exe (child process, tree depth 2)
   Command line: "C:\Windows\SysWOW64\explorer.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/748-132-0x0000000000000000-mapping.dmp