aaf61ffd433aa50c224ee70649d8543dd6377f036a0a4178bbdfe3536a4575a5

Resubmissions

27/11/2024, 09:59

241127-l1b3cayna1 10

10/06/2023, 10:31

230610-mkdrnseg66 10

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2023, 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bca1b67bff83c7176473408db7c326ed.exe
Size

444KB
MD5

bca1b67bff83c7176473408db7c326ed
SHA1

5abb405146389a8dbf97f34d4d283307ca879cfd
SHA256

aaf61ffd433aa50c224ee70649d8543dd6377f036a0a4178bbdfe3536a4575a5
SHA512

82b77f1a1b7d53fe87f3b2de4085c50a60ca54c77b49769dd78dff884ee99950b6bb134f3eded1408c7fba694af3508755bb9912fcc26a8b388e153fbe2f452f
SSDEEP

6144:IjKvnAzRPqkroWHcrTIhB1uA2dOJhhgWbMbitWGFNuldsfiy3NiGA:Ijzgk00oIuA6ahE+F0/y36

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4348 created 3168	4348	bca1b67bff83c7176473408db7c326ed.exe	55

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4348	bca1b67bff83c7176473408db7c326ed.exe
4348	bca1b67bff83c7176473408db7c326ed.exe
4348	bca1b67bff83c7176473408db7c326ed.exe
4348	bca1b67bff83c7176473408db7c326ed.exe
3784	certreq.exe
3784	certreq.exe
3784	certreq.exe
3784	certreq.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 3784	4348	bca1b67bff83c7176473408db7c326ed.exe	85
PID 4348 wrote to memory of 3784	4348	bca1b67bff83c7176473408db7c326ed.exe	85
PID 4348 wrote to memory of 3784	4348	bca1b67bff83c7176473408db7c326ed.exe	85
PID 4348 wrote to memory of 3784	4348	bca1b67bff83c7176473408db7c326ed.exe	85

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3168
- C:\Users\Admin\AppData\Local\Temp\bca1b67bff83c7176473408db7c326ed.exe
  "C:\Users\Admin\AppData\Local\Temp\bca1b67bff83c7176473408db7c326ed.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4348
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3784-150-0x00007FF4EBB80000-0x00007FF4EBCAD000-memory.dmp

Filesize
1.2MB

Download
memory/3784-152-0x00007FF4EBB80000-0x00007FF4EBCAD000-memory.dmp

Filesize
1.2MB

Download
memory/3784-157-0x00007FF4EBB80000-0x00007FF4EBCAD000-memory.dmp

Filesize
1.2MB

Download
memory/3784-148-0x00007FF4EBB80000-0x00007FF4EBCAD000-memory.dmp

Filesize
1.2MB

Download
memory/3784-156-0x00007FF4EBB80000-0x00007FF4EBCAD000-memory.dmp

Filesize
1.2MB

Download
memory/3784-155-0x00007FF4EBB80000-0x00007FF4EBCAD000-memory.dmp

Filesize
1.2MB

Download
memory/3784-144-0x000002364E4F0000-0x000002364E4F3000-memory.dmp

Filesize
12KB

Download
memory/3784-145-0x000002364E750000-0x000002364E757000-memory.dmp

Filesize
28KB

Download
memory/3784-154-0x00007FF4EBB80000-0x00007FF4EBCAD000-memory.dmp

Filesize
1.2MB

Download
memory/3784-146-0x00007FF4EBB80000-0x00007FF4EBCAD000-memory.dmp

Filesize
1.2MB

Download
memory/3784-136-0x000002364E4F0000-0x000002364E4F3000-memory.dmp

Filesize
12KB

Download
memory/3784-149-0x00007FF4EBB80000-0x00007FF4EBCAD000-memory.dmp

Filesize
1.2MB

Download
memory/3784-153-0x00007FF4EBB80000-0x00007FF4EBCAD000-memory.dmp

Filesize
1.2MB

Download
memory/3784-147-0x00007FF4EBB80000-0x00007FF4EBCAD000-memory.dmp

Filesize
1.2MB

Download
memory/4348-133-0x00000000021C0000-0x00000000021C7000-memory.dmp

Filesize
28KB

Download
memory/4348-134-0x0000000002470000-0x0000000002870000-memory.dmp

Filesize
4.0MB

Download
memory/4348-143-0x00000000031F0000-0x0000000003226000-memory.dmp

Filesize
216KB

Download
memory/4348-137-0x00000000031F0000-0x0000000003226000-memory.dmp

Filesize
216KB

Download
memory/4348-135-0x0000000002470000-0x0000000002870000-memory.dmp

Filesize
4.0MB

Download