682c7c3df9a428f9776b35a8c44b93c67374378087336520a44aba53165ee6cc

Analysis

max time kernel
74s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1081bf3c40aba19ced51d6a075e0b380_JC.exe
Size

716KB
MD5

1081bf3c40aba19ced51d6a075e0b380
SHA1

a3f1abb1eb71475fc65efe08988e4b795df1ff69
SHA256

682c7c3df9a428f9776b35a8c44b93c67374378087336520a44aba53165ee6cc
SHA512

e12f2fa9684222c86dd345f13494dc3876262e5c6ad0cfa189e4dbfc8aa30def144a04d510d3b98cca482fd665c8281e57b80fc0c440f8957dd6a737da00e22d
SSDEEP

6144:FlYXwhXH+tLoh8skk1osMC9KAv9E1ycvVVEbC3Do:FHCoWskk1HM8v9Sv7n30

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1081bf3c40aba19ced51d6a075e0b380_JC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1081bf3c40aba19ced51d6a075e0b380_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
116	1081bf3c40aba19ced51d6a075e0b380_JC.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	rundll32.exe
Token: SeDebugPrivilege	624	winlogon.exe
Token: SeShutdownPrivilege	376	dwm.exe
Token: SeCreatePagefilePrivilege	376	dwm.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 2264	116	1081bf3c40aba19ced51d6a075e0b380_JC.exe	83
PID 116 wrote to memory of 2264	116	1081bf3c40aba19ced51d6a075e0b380_JC.exe	83
PID 116 wrote to memory of 2264	116	1081bf3c40aba19ced51d6a075e0b380_JC.exe	83
PID 116 wrote to memory of 2264	116	1081bf3c40aba19ced51d6a075e0b380_JC.exe	83
PID 116 wrote to memory of 2264	116	1081bf3c40aba19ced51d6a075e0b380_JC.exe	83
PID 116 wrote to memory of 2264	116	1081bf3c40aba19ced51d6a075e0b380_JC.exe	83
PID 116 wrote to memory of 2264	116	1081bf3c40aba19ced51d6a075e0b380_JC.exe	83
PID 2264 wrote to memory of 624	2264	rundll32.exe	3
PID 2264 wrote to memory of 376	2264	rundll32.exe	10
PID 2264 wrote to memory of 2424	2264	rundll32.exe	22
PID 624 wrote to memory of 2424	624	winlogon.exe	22
PID 2264 wrote to memory of 2564	2264	rundll32.exe	58
PID 624 wrote to memory of 2564	624	winlogon.exe	58
PID 624 wrote to memory of 3116	624	winlogon.exe	52
PID 624 wrote to memory of 3244	624	winlogon.exe	51

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:376

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\1081bf3c40aba19ced51d6a075e0b380_JC.exe
"C:\Users\Admin\AppData\Local\Temp\1081bf3c40aba19ced51d6a075e0b380_JC.exe"
1⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\system32\rundll32.exe
  -mv wal.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3244

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3116

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mzddbt.uwh

Filesize
1KB

MD5
098a5eb28d3ffabffb00e4a8be0243ea

SHA1
f9ed1f9fb243dc1a4ae229b2992c5d5fc8f3d433

SHA256
42810fddf6646ece2f117c61d3eeb932ffbbd7f7c1a0ff4f37534d6f395ef08f

SHA512
57e7f90828b8b997bb5531b14e5514c9aa7de8b012c0e3d62dd4faa2b9cb2cd543fa7ec62bede03d8b4b3a789892b1a0b9661431c69ebacd311c72eed86d3be3

Download Submit
memory/116-19-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/116-34-0x0000000000960000-0x00000000009EE000-memory.dmp

Filesize
568KB

Download
memory/116-2-0x0000000000960000-0x00000000009EE000-memory.dmp

Filesize
568KB

Download
memory/116-10-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/116-11-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/116-13-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/116-15-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/116-1-0x0000000000960000-0x00000000009EE000-memory.dmp

Filesize
568KB

Download
memory/116-12-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/116-0-0x0000000000960000-0x00000000009EE000-memory.dmp

Filesize
568KB

Download
memory/116-17-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/116-20-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/116-9-0x0000000000960000-0x00000000009EE000-memory.dmp

Filesize
568KB

Download
memory/376-37-0x00000193099B0000-0x0000019309A3B000-memory.dmp

Filesize
556KB

Download
memory/376-46-0x00000193099B0000-0x0000019309A3B000-memory.dmp

Filesize
556KB

Download
memory/376-54-0x00000193099B0000-0x0000019309A3B000-memory.dmp

Filesize
556KB

Download
memory/376-44-0x00000193099B0000-0x0000019309A3B000-memory.dmp

Filesize
556KB

Download
memory/376-51-0x00000193099B0000-0x0000019309A3B000-memory.dmp

Filesize
556KB

Download
memory/376-43-0x00000193099B0000-0x0000019309A3B000-memory.dmp

Filesize
556KB

Download
memory/376-40-0x00000193099B0000-0x0000019309A3B000-memory.dmp

Filesize
556KB

Download
memory/376-62-0x00000193099B0000-0x0000019309A3B000-memory.dmp

Filesize
556KB

Download
memory/376-59-0x00000193099B0000-0x0000019309A3B000-memory.dmp

Filesize
556KB

Download
memory/624-27-0x000002B2C72C0000-0x000002B2C734B000-memory.dmp

Filesize
556KB

Download
memory/624-38-0x000002B2C72C0000-0x000002B2C734B000-memory.dmp

Filesize
556KB

Download
memory/624-36-0x000002B2C72C0000-0x000002B2C734B000-memory.dmp

Filesize
556KB

Download
memory/624-63-0x000002B2C72C0000-0x000002B2C734B000-memory.dmp

Filesize
556KB

Download
memory/624-31-0x000002B2C72C0000-0x000002B2C734B000-memory.dmp

Filesize
556KB

Download
memory/2264-48-0x00000000004A0000-0x000000000052B000-memory.dmp

Filesize
556KB

Download
memory/2264-23-0x00000000004A0000-0x000000000052B000-memory.dmp

Filesize
556KB

Download
memory/2264-14-0x00000000004A0000-0x000000000052B000-memory.dmp

Filesize
556KB

Download
memory/2264-26-0x00000000004A0000-0x000000000052B000-memory.dmp

Filesize
556KB

Download
memory/2264-28-0x00000000004A0000-0x000000000052B000-memory.dmp

Filesize
556KB

Download
memory/2264-16-0x00000000004A0000-0x000000000052B000-memory.dmp

Filesize
556KB

Download
memory/2264-24-0x00000000004A0000-0x000000000052B000-memory.dmp

Filesize
556KB

Download
memory/2264-22-0x00000000004A0000-0x000000000052B000-memory.dmp

Filesize
556KB

Download
memory/2424-68-0x00000240B5E70000-0x00000240B5EFB000-memory.dmp

Filesize
556KB

Download
memory/2424-74-0x00000240B5E70000-0x00000240B5EFB000-memory.dmp

Filesize
556KB

Download
memory/2424-57-0x00000240B5DE0000-0x00000240B5E6B000-memory.dmp

Filesize
556KB

Download
memory/2424-60-0x00000240B5E70000-0x00000240B5EFB000-memory.dmp

Filesize
556KB

Download
memory/2424-47-0x00000240B5E70000-0x00000240B5EFB000-memory.dmp

Filesize
556KB

Download
memory/2424-83-0x00000240B5E70000-0x00000240B5EFB000-memory.dmp

Filesize
556KB

Download
memory/2424-64-0x00000240B5E70000-0x00000240B5EFB000-memory.dmp

Filesize
556KB

Download
memory/2424-79-0x00000240B5E70000-0x00000240B5EFB000-memory.dmp

Filesize
556KB

Download
memory/2424-58-0x00000240B5E70000-0x00000240B5EFB000-memory.dmp

Filesize
556KB

Download
memory/2424-45-0x00000240B5DE0000-0x00000240B5E6B000-memory.dmp

Filesize
556KB

Download
memory/2564-71-0x0000024AED9E0000-0x0000024AEDA6B000-memory.dmp

Filesize
556KB

Download
memory/2564-73-0x0000024AEDA70000-0x0000024AEDAFB000-memory.dmp

Filesize
556KB

Download
memory/2564-67-0x0000024AED9E0000-0x0000024AEDA6B000-memory.dmp

Filesize
556KB

Download
memory/2564-56-0x0000024AEDA70000-0x0000024AEDAFB000-memory.dmp

Filesize
556KB

Download
memory/2564-87-0x0000024AED9E0000-0x0000024AEDA6B000-memory.dmp

Filesize
556KB

Download
memory/2564-78-0x0000024AED9E0000-0x0000024AEDA6B000-memory.dmp

Filesize
556KB

Download
memory/2564-53-0x0000024AED9E0000-0x0000024AEDA6B000-memory.dmp

Filesize
556KB

Download
memory/2564-82-0x0000024AED9E0000-0x0000024AEDA6B000-memory.dmp

Filesize
556KB

Download
memory/3116-81-0x0000000002930000-0x00000000029BB000-memory.dmp

Filesize
556KB

Download
memory/3116-65-0x0000000002930000-0x00000000029BB000-memory.dmp

Filesize
556KB

Download
memory/3116-70-0x0000000002930000-0x00000000029BB000-memory.dmp

Filesize
556KB

Download
memory/3116-80-0x0000000002930000-0x00000000029BB000-memory.dmp

Filesize
556KB

Download
memory/3116-86-0x0000000002930000-0x00000000029BB000-memory.dmp

Filesize
556KB

Download
memory/3244-85-0x0000016086D40000-0x0000016086DCB000-memory.dmp

Filesize
556KB

Download
memory/3244-88-0x0000016086D40000-0x0000016086DCB000-memory.dmp

Filesize
556KB

Download
memory/3244-75-0x0000016086D40000-0x0000016086DCB000-memory.dmp

Filesize
556KB

Download