0549c7fd709a5090661a3a61e4ebd0e22c6f50defcf6304c6792676480ad4728

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

311.exe
Size

560KB
MD5

f77f8f2151012a32813ed0181c205882
SHA1

6d652b36b38fc352060050f2608975749aae32b5
SHA256

dbd4052fc52d018d93db9ace8d02f3642320305677e070516fdcbf7effa34d82
SHA512

feec9974d0f5f3dc927d22b075d3dc7a3f7d33ef24d111be7d428a287dc3d604f14714a81144eb8ade7677d68a79c474083c2838e2c7735132dafdf4face5581
SSDEEP

12288:vElAhHtn1bvzSP6iTn1UserksHkU5KrVclb6ajydnl:vEShHLvmP6+19egRG10nl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

4624 svchost.exe

pid	process
4624	svchost.exe

Drops file in Program Files directory 5 IoCs

Processes:

311.exesvchost.exe

description	ioc	process
File created	C:\Program Files\DbProtectSupport\svchost.exe.bak	311.exe
File created	C:\Program Files\DbProtectSupport\svchost.exe	311.exe
File opened for modification	C:\Program Files\DbProtectSupport\svchost.exe	311.exe
File opened for modification	C:\Program Files\DbProtectSupport\fake.cfg	svchost.exe
File created	C:\Program Files\DbProtectSupport\fake.cfg	svchost.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	svchost.exe

C:\Users\Admin\AppData\Local\Temp\311.exe
"C:\Users\Admin\AppData\Local\Temp\311.exe"
1⤵
- Drops file in Program Files directory
PID:4648

C:\Program Files\DbProtectSupport\svchost.exe
"C:\Program Files\DbProtectSupport\svchost.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
PID:4624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DbProtectSupport\svchost.exe
Filesize
281KB

MD5
b233326519cbf78ac1abb44e84d9ac54

SHA1
400868c5ab9e5adfd7a6a1de75dbda49fceaa433

SHA256
97045a8fda6e1382363c40757581b845e0e4097d0de235382fdcbf0c4aa28990

SHA512
9b801f7d356ce924f5444f78106e953379ca304344a8440a7dd932536e0087eba84d35b209d902a37cfd7657c1fa38c1912301e0b594e46125e1108e2d1e8bcf

Download Submit
C:\Program Files\DbProtectSupport\svchost.exe
Filesize
281KB

MD5
b233326519cbf78ac1abb44e84d9ac54

SHA1
400868c5ab9e5adfd7a6a1de75dbda49fceaa433

SHA256
97045a8fda6e1382363c40757581b845e0e4097d0de235382fdcbf0c4aa28990

SHA512
9b801f7d356ce924f5444f78106e953379ca304344a8440a7dd932536e0087eba84d35b209d902a37cfd7657c1fa38c1912301e0b594e46125e1108e2d1e8bcf

Download Submit