Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20230831-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-09-2023 11:16
Behavioral task: behavioral1
- Sample: 270bdbb2904246ffdcc826ddab6ee175a0f407fbab027557db23163be7bbcec9.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 270bdbb2904246ffdcc826ddab6ee175a0f407fbab027557db23163be7bbcec9.exe
- Resource: win10v2004-20230831-en
General
- Target: 270bdbb2904246ffdcc826ddab6ee175a0f407fbab027557db23163be7bbcec9.exe
- Size: 1.6MB
- MD5: 6de3d334f093e5e98b8feaa7b5f7da6d
- SHA1: 263054124f2496dcee899be1e1e07ad8dfe34d1e
- SHA256: 270bdbb2904246ffdcc826ddab6ee175a0f407fbab027557db23163be7bbcec9
- SHA512: 16f4c04d5cec1dbbe764eef29ab9ccc55824fe89af1cd6dea7a13f211b91332434ed5833726ce331c88f134625b80b0bfd7cb12c47085b493db51ceecb722d45
- SSDEEP: 24576:1cuQIWzErfPc16ijZmm6W6RE/VoTtnkW3tr6kTk/OTsyhDSVXT5XicHya:1cuO1rYm63RE/mYdORGXT5XicH1
Malware Config
Signatures
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F6E0996E-7168-4E80-AC6D-9AF58381D509}.catalogItem | svchost.exe
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1864 | 936 | WerFault.exe | 79
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- 270bdbb2904246ffdcc826ddab6ee175a0f407fbab027557db23163be7bbcec9.exe (PID 936)
  Image: C:\Users\Admin\AppData\Local\Temp\270bdbb2904246ffdcc826ddab6ee175a0f407fbab027557db23163be7bbcec9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\270bdbb2904246ffdcc826ddab6ee175a0f407fbab027557db23163be7bbcec9.exe"
  - WerFault.exe (PID 1864), child of PID 936
    Image: C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 936 -s 392
    Signatures: Program crash
- WerFault.exe (PID 4860)
  Image: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 936 -ip 936
- svchost.exe (PID 4324)
  Image: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  Signatures: Drops file in System32 directory; Checks processor information in registry; Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v15
Downloads
- (unnamed download)
  Filesize: 14KB
  MD5: c01eaa0bdcd7c30a42bbb35a9acbf574
  SHA1: 0aee3e1b873e41d040f1991819d0027b6cc68f54
  SHA256: 32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40
  SHA512: d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7
- C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
  Filesize: 29KB
  MD5: 372b140a9304a1768a86e4ee4d45e2de
  SHA1: 8990d4959ffb30780775a00821159e1e26dafba2
  SHA256: a899cabd096b01e43dada0a3118e5b81349ff2719c68e837f4ae7a4033e837d6
  SHA512: 82921b1185f5310089a8543c7bb8af350f489551be6219663df6886e55ebb254d87ef1c27a01c9a3663ec7803cb77a86f65155411d03caef7c9078bc27a4947e