06474f43d27259d2633f0c09b031d7481db2ca264102015900fad64e2a46f090

Analysis

max time kernel
138s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2023, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06474f43d27259d2633f0c09b031d7481db2ca264102015900fad64e2a46f090.exe
Size

15.8MB
MD5

ed0f16f4fc9b497182304c10198e7f88
SHA1

7167a901d625417168ab3c6fb32344343baa55ee
SHA256

06474f43d27259d2633f0c09b031d7481db2ca264102015900fad64e2a46f090
SHA512

cc928bf7234f77784711ca47ec71c1cbabaaed2dd8139c4bba04dde7fa8bfbedf0eb66bd64e7515adec57ba7639dabbcc7670fab35a6996b07640b7f8e6fee48
SSDEEP

98304:WZ1TbaF4HKMtM82QCzblReoSV7/fGkLEcKbanfpdTCRMA1iVztfe7mKaf6g6sknO:iNHy8MblSLLy8pdOyBfBWsEhTX12CS

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1100	tg.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	tg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	tg.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3208	06474f43d27259d2633f0c09b031d7481db2ca264102015900fad64e2a46f090.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	tg.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3208	06474f43d27259d2633f0c09b031d7481db2ca264102015900fad64e2a46f090.exe
3208	06474f43d27259d2633f0c09b031d7481db2ca264102015900fad64e2a46f090.exe
1100	tg.exe
1100	tg.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 1100	3208	06474f43d27259d2633f0c09b031d7481db2ca264102015900fad64e2a46f090.exe	85
PID 3208 wrote to memory of 1100	3208	06474f43d27259d2633f0c09b031d7481db2ca264102015900fad64e2a46f090.exe	85

C:\Users\Admin\AppData\Local\Temp\06474f43d27259d2633f0c09b031d7481db2ca264102015900fad64e2a46f090.exe
"C:\Users\Admin\AppData\Local\Temp\06474f43d27259d2633f0c09b031d7481db2ca264102015900fad64e2a46f090.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Users\Admin\AppData\Local\Temp\tg.exe
  C:\Users\Admin\AppData\Local\Temp\tg.exe
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tg.exe

Filesize
14.8MB

MD5
5f25507b6fff7c527c13cd8424d495ef

SHA1
5a21ada8d959db1085b65b8307da3a56c52dc659

SHA256
9155858f788a1ab291943a721c3f3a7bd9dfc6962f68aa1cb0de39a54c727cb8

SHA512
98a82a21eb0d6833e834b83337b80e98b11081bcb9af7e1fd26eaa594aeb93abd9407efaefb77dfcd8b9d0d25955a0dd483edc9db7943e4c37e7e8121b3195bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tg.exe

Filesize
14.8MB

MD5
5f25507b6fff7c527c13cd8424d495ef

SHA1
5a21ada8d959db1085b65b8307da3a56c52dc659

SHA256
9155858f788a1ab291943a721c3f3a7bd9dfc6962f68aa1cb0de39a54c727cb8

SHA512
98a82a21eb0d6833e834b83337b80e98b11081bcb9af7e1fd26eaa594aeb93abd9407efaefb77dfcd8b9d0d25955a0dd483edc9db7943e4c37e7e8121b3195bb

Download Submit