b7a9265a8b419f32a9f43e114478ad5a34fd9b00fbc72e0860183b34b8a1d817

Analysis

max time kernel
29s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9CC4E0E434A979417000BF8D7099890A.bin.exe
Size

3.4MB
MD5

9cc4e0e434a979417000bf8d7099890a
SHA1

23d8d2e657ded7b6c8bdb87abb2b561ec7c85180
SHA256

b7a9265a8b419f32a9f43e114478ad5a34fd9b00fbc72e0860183b34b8a1d817
SHA512

b5503df3c913cccab4bc838c9f4449acaf92ad293f0cf106bda2b98fe89c73e61ec4ad74183c4535e1646678428d4f0f97fe8b1b739390bb62eae9a335ab6591
SSDEEP

49152:18wwqmLQkM6Bqy0XqBxTh8T8HtY7sv2AFPpNNrjrsxsF0eeoPXccXopz1HEwmZb7:qwwRQk5B/LLU7s+InlN/XXAz1cqm

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

9CC4E0E434A979417000BF8D7099890A.bin.exe

pid process

2032 9CC4E0E434A979417000BF8D7099890A.bin.exe
2032 9CC4E0E434A979417000BF8D7099890A.bin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2032	9CC4E0E434A979417000BF8D7099890A.bin.exe
2032	9CC4E0E434A979417000BF8D7099890A.bin.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

9CC4E0E434A979417000BF8D7099890A.bin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	9CC4E0E434A979417000BF8D7099890A.bin.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	9CC4E0E434A979417000BF8D7099890A.bin.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "5fb59ad0-e0dbacc4-5"	9CC4E0E434A979417000BF8D7099890A.bin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	9CC4E0E434A979417000BF8D7099890A.bin.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	9CC4E0E434A979417000BF8D7099890A.bin.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	9CC4E0E434A979417000BF8D7099890A.bin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	9CC4E0E434A979417000BF8D7099890A.bin.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

9CC4E0E434A979417000BF8D7099890A.bin.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 485c73e8481b3cc2	9CC4E0E434A979417000BF8D7099890A.bin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

9CC4E0E434A979417000BF8D7099890A.bin.exe

pid process

2032 9CC4E0E434A979417000BF8D7099890A.bin.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9CC4E0E434A979417000BF8D7099890A.bin.exe

description pid process

Token: SeTakeOwnershipPrivilege 2032 9CC4E0E434A979417000BF8D7099890A.bin.exe

pid	process
2032	9CC4E0E434A979417000BF8D7099890A.bin.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2032	9CC4E0E434A979417000BF8D7099890A.bin.exe

C:\Users\Admin\AppData\Local\Temp\9CC4E0E434A979417000BF8D7099890A.bin.exe
"C:\Users\Admin\AppData\Local\Temp\9CC4E0E434A979417000BF8D7099890A.bin.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2032-54-0x000000013F550000-0x0000000140561000-memory.dmp

Filesize
16.1MB

Download
memory/2032-55-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2032-56-0x000000013F550000-0x0000000140561000-memory.dmp

Filesize
16.1MB

Download
memory/2032-57-0x000000013F550000-0x0000000140561000-memory.dmp

Filesize
16.1MB

Download
memory/2032-58-0x0000000001ED0000-0x0000000001EE0000-memory.dmp

Filesize
64KB

Download
memory/2032-59-0x0000000077D80000-0x0000000077D90000-memory.dmp

Filesize
64KB

Download
memory/2032-60-0x000000013F550000-0x0000000140561000-memory.dmp

Filesize
16.1MB

Download
memory/2032-62-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download