cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2023 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
Size

1.7MB
MD5

73cf572be0886b6b0b22faafc3922a68
SHA1

23aef770557762bc034a0795859d9fa70e9a8b76
SHA256

cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78
SHA512

9b8ee1e78b059e9b450b868398c74ebb13bd3f7e710688a512c9efe8d4c597a071f8b25cb10bf8425ae79bb887fb1c6aba6633c9c8a8c828de5e0c46ea9b0fd4
SSDEEP

24576:FvZuLMjjpm/wbSzYA4uWmAzSBUVWmQTIogMg6T7Ck39mg36mBSgRhdums8GLWY8J:FkMXJogMg6TdQUSe/sjnp/8c8

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\drmsoft472a6\Battle Command.jpg	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File created	C:\Program Files\drmsoft472a6\re5.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File created	C:\Program Files\drmsoft472a6\++-++¿+·.exe	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\ÓÎÏ·¸¨Öú.exe	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File created	C:\Program Files\drmsoft472a6\drm.tmp	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File created	C:\Program Files\drmsoft472a6\config.ini	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File created	C:\Program Files\drmsoft472a6\do5.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File created	C:\Program Files\drmsoft472a6\Battle Orders.jpg	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\config.ini	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\do2.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File created	C:\Program Files\drmsoft472a6\do4.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\do4.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\re5.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File created	C:\Program Files\drmsoft472a6\Battle Command.jpg	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\Battle Orders.jpg	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File created	C:\Program Files\drmsoft472a6\do1.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\do5.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File created	C:\Program Files\drmsoft472a6\re1.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File created	C:\Program Files\drmsoft472a6\re2.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\do1.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File created	C:\Program Files\drmsoft472a6\do2.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\do3.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File created	C:\Program Files\drmsoft472a6\re3.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File created	C:\Program Files\drmsoft472a6\re4.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\re4.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File created	C:\Program Files\drmsoft472a6\do3.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\drm.tmp	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\re1.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\re2.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\re3.png	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
File opened for modification	C:\Program Files\drmsoft472a6\++-++¿+·.exe	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBIOSDate	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\sShortDate = "yyyy-MM-dd"	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\iDate = "2"	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\sDate = "-"	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1108	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
1108	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1108	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
1108	cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe

C:\Users\Admin\AppData\Local\Temp\cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe
"C:\Users\Admin\AppData\Local\Temp\cc098a06035a7e547dca60380d0e6eb2cce88c93879eb363f18f0870f10c4b78.exe"
1⤵
- Checks BIOS information in registry
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-179-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1108-180-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download