29581cf5189942cc86cd1d4d87af7b7896d91ba8d889c251b0f346eb9bd336bf

Analysis

max time kernel
134s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2023, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29581cf5189942cc86cd1d4d87af7b7896d91ba8d889c251b0f346eb9bd336bf.exe
Size

2.0MB
MD5

ccce8d405e1248c31c36c848ef850517
SHA1

7e926e36bc11d6f0496db904b7012fbce7b99194
SHA256

29581cf5189942cc86cd1d4d87af7b7896d91ba8d889c251b0f346eb9bd336bf
SHA512

9f8412f269f7a71839be4bcd7f10c22991a1fb45631795c5b6f9ec3ec2df9f63f3d60ec76216a770953ff89ccd328138bc88f7def42b5038fadec2e386046564
SSDEEP

24576:ypwVibt/lAnm19fbHCGNb8Fpa6aHX7dGP5Kv3Ooc8UHkC2eK9mCy3KxW3ixPEmx7:ypwUttdGlxapGInW3Rm2vGaCJQ7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1916	ClientDaemon.exe
1144	PcAssit.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	PcAssit.exe
File opened (read-only)	\??\Y:	PcAssit.exe
File opened (read-only)	\??\B:	PcAssit.exe
File opened (read-only)	\??\J:	PcAssit.exe
File opened (read-only)	\??\M:	PcAssit.exe
File opened (read-only)	\??\P:	PcAssit.exe
File opened (read-only)	\??\Z:	PcAssit.exe
File opened (read-only)	\??\G:	PcAssit.exe
File opened (read-only)	\??\I:	PcAssit.exe
File opened (read-only)	\??\N:	PcAssit.exe
File opened (read-only)	\??\Q:	PcAssit.exe
File opened (read-only)	\??\U:	PcAssit.exe
File opened (read-only)	\??\V:	PcAssit.exe
File opened (read-only)	\??\E:	PcAssit.exe
File opened (read-only)	\??\F:	PcAssit.exe
File opened (read-only)	\??\H:	PcAssit.exe
File opened (read-only)	\??\R:	PcAssit.exe
File opened (read-only)	\??\W:	PcAssit.exe
File opened (read-only)	\??\X:	PcAssit.exe
File opened (read-only)	\??\K:	PcAssit.exe
File opened (read-only)	\??\L:	PcAssit.exe
File opened (read-only)	\??\O:	PcAssit.exe
File opened (read-only)	\??\S:	PcAssit.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PcAssit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PcAssit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3348	29581cf5189942cc86cd1d4d87af7b7896d91ba8d889c251b0f346eb9bd336bf.exe
3348	29581cf5189942cc86cd1d4d87af7b7896d91ba8d889c251b0f346eb9bd336bf.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe
1144	PcAssit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1144	PcAssit.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 1916	3348	29581cf5189942cc86cd1d4d87af7b7896d91ba8d889c251b0f346eb9bd336bf.exe	82
PID 3348 wrote to memory of 1916	3348	29581cf5189942cc86cd1d4d87af7b7896d91ba8d889c251b0f346eb9bd336bf.exe	82
PID 1916 wrote to memory of 1144	1916	ClientDaemon.exe	83
PID 1916 wrote to memory of 1144	1916	ClientDaemon.exe	83
PID 1916 wrote to memory of 1144	1916	ClientDaemon.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\29581cf5189942cc86cd1d4d87af7b7896d91ba8d889c251b0f346eb9bd336bf.exe
"C:\Users\Admin\AppData\Local\Temp\29581cf5189942cc86cd1d4d87af7b7896d91ba8d889c251b0f346eb9bd336bf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3348
- \??\c:\recovery\ClientDaemon.exe
  c:\recovery\ClientDaemon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1916
- - \??\c:\recovery\PcAssit.exe
    "c:\recovery\PcAssit.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\ClientDaemon.exe

Filesize
200KB

MD5
9ea5c430bba7600bdad6d0ffb6d01a4d

SHA1
97698db2d796f49ec45a611470e70a1e115f25a8

SHA256
3d0b5ef8d36d3794311129c70888867ca7ce7b846e52e6e6d7bf0b8fd3738516

SHA512
fb00d9eab5b82787796f5ebf237a8e121d3bf02e5ba0f5440ceecc86193b80412d360fc398c5a4de36085af8c58eec9afa3c196e0208ce44c27bb776fd04e40d

Download Submit
C:\Recovery\PcAssit.exe

Filesize
73KB

MD5
2d7eb1dd4528eedb0f2335e18bdd7193

SHA1
69fa906f8ab2365dcc67476fce421e861dc99d4f

SHA256
8ac6a364e101cce51638bec5e3d697301beb24bd4ecdbea8bf7cbc4b537465a2

SHA512
0d53f93dae58b15193c48b670c0c788d996e68d9c217f9105a84dfdad2fc776764b2d9d2427eba5b698628911a90e2f7b7e474549acf0e864936910ce42aa95a

Download Submit
\??\c:\Recovery\cd.txt

Filesize
254KB

MD5
32cec41c0caa5fb23b08980ce67d3039

SHA1
6a5423915e0c8e3da44d92ec8d81de7dc430dd65

SHA256
cfef8204eb057245a9e26d56ccf1d83c8dc0f10d62f5347f15edf215f8a21013

SHA512
98857976f93b75ccacb8e96d669617bfb17a3e37492b1ed83bd914f6ff1aeca233188473d77c67e3947e0eeac81cb3db8b9e00e87144e372f03e62c01513bdb8

Download Submit
\??\c:\recovery\ClientDaemon.exe

Filesize
200KB

MD5
9ea5c430bba7600bdad6d0ffb6d01a4d

SHA1
97698db2d796f49ec45a611470e70a1e115f25a8

SHA256
3d0b5ef8d36d3794311129c70888867ca7ce7b846e52e6e6d7bf0b8fd3738516

SHA512
fb00d9eab5b82787796f5ebf237a8e121d3bf02e5ba0f5440ceecc86193b80412d360fc398c5a4de36085af8c58eec9afa3c196e0208ce44c27bb776fd04e40d

Download Submit
\??\c:\recovery\PcAssit.exe

Filesize
73KB

MD5
2d7eb1dd4528eedb0f2335e18bdd7193

SHA1
69fa906f8ab2365dcc67476fce421e861dc99d4f

SHA256
8ac6a364e101cce51638bec5e3d697301beb24bd4ecdbea8bf7cbc4b537465a2

SHA512
0d53f93dae58b15193c48b670c0c788d996e68d9c217f9105a84dfdad2fc776764b2d9d2427eba5b698628911a90e2f7b7e474549acf0e864936910ce42aa95a

Download Submit
memory/1144-145-0x0000000000D90000-0x0000000000DD8000-memory.dmp

Filesize
288KB

Download
memory/1144-146-0x0000000000D90000-0x0000000000DD8000-memory.dmp

Filesize
288KB

Download
memory/1144-148-0x0000000000D90000-0x0000000000DD8000-memory.dmp

Filesize
288KB

Download
memory/1144-149-0x0000000000D90000-0x0000000000DD8000-memory.dmp

Filesize
288KB

Download
memory/1144-150-0x0000000000D90000-0x0000000000DD8000-memory.dmp

Filesize
288KB

Download