82dafb798ca802bab60723c42d94d8b4c094a824f925561ea4515fa33193a81e

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231020-es
resource tags

arch:x64arch:x86image:win7-20231020-eslocale:es-esos:windows7-x64systemwindows
submitted
03/11/2023, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8022EmisorZQCK1427Fact_A0904-51454426.exe
Size

115.2MB
MD5

27345a4e1ba76d43846b9c3ddc55d40a
SHA1

33831162ff19c187542e6f733dccba41ecb9191b
SHA256

008a39ade4ed9e08b88262f629a4e53dc32c2ce72e6599e0181089d43b540c4a
SHA512

57dbd726cbbd086fbb08d6f4e7912a954bfa4596a2268dfc92b60dc26e048af10c5369cb53f656b45ce8c47c657ed83bde8155186037bb1691eda8d8e28afb76
SSDEEP

98304:6TloAxlJ3DP/Yf1IOIldRoFzaGIRCxNKp5ZnYVET1+JUoKSJo:6ZoAx3c98d5GV8p5ZnAo+Wum

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	8022EmisorZQCK1427Fact_A0904-51454426.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8022EmisorZQCK1427Fact_A0904-51454426.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	8022EmisorZQCK1427Fact_A0904-51454426.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	8022EmisorZQCK1427Fact_A0904-51454426.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	8022EmisorZQCK1427Fact_A0904-51454426.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	8022EmisorZQCK1427Fact_A0904-51454426.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2848	8022EmisorZQCK1427Fact_A0904-51454426.exe
2848	8022EmisorZQCK1427Fact_A0904-51454426.exe
2848	8022EmisorZQCK1427Fact_A0904-51454426.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2848	8022EmisorZQCK1427Fact_A0904-51454426.exe
2848	8022EmisorZQCK1427Fact_A0904-51454426.exe

C:\Users\Admin\AppData\Local\Temp\8022EmisorZQCK1427Fact_A0904-51454426.exe
"C:\Users\Admin\AppData\Local\Temp\8022EmisorZQCK1427Fact_A0904-51454426.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2848-0-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x0000000076E60000-0x0000000076F60000-memory.dmp

Filesize
1024KB

Download
memory/2848-2-0x0000000076E60000-0x0000000076F60000-memory.dmp

Filesize
1024KB

Download
memory/2848-3-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2848-4-0x0000000001390000-0x0000000002390000-memory.dmp

Filesize
16.0MB

Download
memory/2848-5-0x0000000001390000-0x0000000002390000-memory.dmp

Filesize
16.0MB

Download
memory/2848-6-0x0000000001390000-0x0000000002390000-memory.dmp

Filesize
16.0MB

Download
memory/2848-7-0x0000000076E60000-0x0000000076F60000-memory.dmp

Filesize
1024KB

Download