8781e11a5f24dad83e300bc8294a010d07cddf763b018671b7c3d59cd8ee6d7b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04e2cc3513f0421a0913487e67d671ff.exe
Size

149KB
MD5

04e2cc3513f0421a0913487e67d671ff
SHA1

0754fa81ce7cf431c9ab837169deb42a3ceced1b
SHA256

8781e11a5f24dad83e300bc8294a010d07cddf763b018671b7c3d59cd8ee6d7b
SHA512

b4559db87027e6b54f19f047532ca8e38da4305d2d970f56be8fe98267c9a31bcb8175416a3201f27e728b4089dd8fe06e6ef318539e4d60033ad56ccd992b09
SSDEEP

3072:n5tmujV0ksSgSJbvPjbGRi53fMJX/GDOOU3qnizDIpjTZRsmK/XvuboWiR:nCu7JbvPmRJuDOj3qQDIZTZqm

Score

7^/10

upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	04e2cc3513f0421a0913487e67d671ff.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2828-0-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 2900	2828	04e2cc3513f0421a0913487e67d671ff.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2820	2900	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2828	04e2cc3513f0421a0913487e67d671ff.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2828	04e2cc3513f0421a0913487e67d671ff.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2900	2828	04e2cc3513f0421a0913487e67d671ff.exe	28
PID 2828 wrote to memory of 2900	2828	04e2cc3513f0421a0913487e67d671ff.exe	28
PID 2828 wrote to memory of 2900	2828	04e2cc3513f0421a0913487e67d671ff.exe	28
PID 2828 wrote to memory of 2900	2828	04e2cc3513f0421a0913487e67d671ff.exe	28
PID 2828 wrote to memory of 2900	2828	04e2cc3513f0421a0913487e67d671ff.exe	28
PID 2828 wrote to memory of 2900	2828	04e2cc3513f0421a0913487e67d671ff.exe	28
PID 2900 wrote to memory of 2820	2900	svchost.exe	29
PID 2900 wrote to memory of 2820	2900	svchost.exe	29
PID 2900 wrote to memory of 2820	2900	svchost.exe	29
PID 2900 wrote to memory of 2820	2900	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\04e2cc3513f0421a0913487e67d671ff.exe
"C:\Users\Admin\AppData\Local\Temp\04e2cc3513f0421a0913487e67d671ff.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 156
    3⤵
    - Program crash
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2828-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2828-1-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2828-2-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2828-9-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2900-3-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2900-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2900-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2900-10-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download