3a4ce5c299b6fcecad76b505dd00c88dcaca801a92b01e25faf3bd50fbce2d08

General

Target

015cb1433ad5d4f7cfb72fefba6cc36b.exe
Size

1.6MB
MD5

015cb1433ad5d4f7cfb72fefba6cc36b
SHA1

bec1e1bf9e16a16caa4dce200cb54dc9af5ef12a
SHA256

3a4ce5c299b6fcecad76b505dd00c88dcaca801a92b01e25faf3bd50fbce2d08
SHA512

ddd761f209408e52f762bb4f41be60d07d6388497fb4603f4b2038a2c916c0f94fa96a61ccc610bacd6c522f2960b9bcbdd6af8197f1cd60c19912f00c38036b
SSDEEP

49152:hiPgURpYKe5ejnaFNmHBSKRIivbEGENkxSAX3l:A3R7JntBqiTEGENnAnl

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	015cb1433ad5d4f7cfb72fefba6cc36b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	015cb1433ad5d4f7cfb72fefba6cc36b.exe

Loads dropped DLL 2 IoCs

pid	Process
3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe
3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231239FA-F9CC-0C32-ACF0-2262136C2F78}\ProgID\ = "SAPI.SpLexicon.1"	015cb1433ad5d4f7cfb72fefba6cc36b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231239FA-F9CC-0C32-ACF0-2262136C2F78}\Version	015cb1433ad5d4f7cfb72fefba6cc36b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231239FA-F9CC-0C32-ACF0-2262136C2F78}\VersionIndependentProgID\ = "SAPI.SpLexicon"	015cb1433ad5d4f7cfb72fefba6cc36b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231239FA-F9CC-0C32-ACF0-2262136C2F78}\ = "SpLexicon Class"	015cb1433ad5d4f7cfb72fefba6cc36b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231239FA-F9CC-0C32-ACF0-2262136C2F78}\ProgID	015cb1433ad5d4f7cfb72fefba6cc36b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231239FA-F9CC-0C32-ACF0-2262136C2F78}\TypeLib	015cb1433ad5d4f7cfb72fefba6cc36b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231239FA-F9CC-0C32-ACF0-2262136C2F78}\TypeLib\ = "{C866CA3A-32F7-11D2-9602-00C04F8EE628}"	015cb1433ad5d4f7cfb72fefba6cc36b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231239FA-F9CC-0C32-ACF0-2262136C2F78}\Version\ = "5.4"	015cb1433ad5d4f7cfb72fefba6cc36b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231239FA-F9CC-0C32-ACF0-2262136C2F78}	015cb1433ad5d4f7cfb72fefba6cc36b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231239FA-F9CC-0C32-ACF0-2262136C2F78}\InprocServer32	015cb1433ad5d4f7cfb72fefba6cc36b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231239FA-F9CC-0C32-ACF0-2262136C2F78}\InprocServer32\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll"	015cb1433ad5d4f7cfb72fefba6cc36b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231239FA-F9CC-0C32-ACF0-2262136C2F78}\InprocServer32\ThreadingModel = "Both"	015cb1433ad5d4f7cfb72fefba6cc36b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231239FA-F9CC-0C32-ACF0-2262136C2F78}\VersionIndependentProgID	015cb1433ad5d4f7cfb72fefba6cc36b.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:F8662B30	015cb1433ad5d4f7cfb72fefba6cc36b.exe
File opened for modification	C:\ProgramData\TEMP:F8662B30	015cb1433ad5d4f7cfb72fefba6cc36b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe
Token: SeIncBasePriorityPrivilege	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94
PID 3640 wrote to memory of 1548	3640	015cb1433ad5d4f7cfb72fefba6cc36b.exe	94

C:\Users\Admin\AppData\Local\Temp\015cb1433ad5d4f7cfb72fefba6cc36b.exe
"C:\Users\Admin\AppData\Local\Temp\015cb1433ad5d4f7cfb72fefba6cc36b.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Users\Admin\AppData\Local\Temp\015cb1433ad5d4f7cfb72fefba6cc36b.exe
  "C:\Users\Admin\AppData\Local\Temp\015cb1433ad5d4f7cfb72fefba6cc36b.exe"
  2⤵
  PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MBX@E38@2A20F38.###

Filesize
2KB

MD5
b61b2e6ec1837c4a4cca350da492d0d6

SHA1
94e8db87c57ce6c1e669b3c677e0d86c7bfce721

SHA256
a2a5f9f34ab73591c5d4884448e8e8e569daae6f36e89d5dbd6c3ad7a12c0994

SHA512
5519a1951cce1cf5af4ff58fe34c89e8682d3bd48a2175b9b776e53d1e8f371f5c093402330a8f251a8d5f22f0712e37ecc326ea0677b5f717a767d8fb9f6b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBX@E38@2A20F48.###

Filesize
2KB

MD5
dcf5a857f6c55d929ff2b20f9d3c348a

SHA1
5e10ae28c6d38e5090ea19e7d9736d6ef4cbb823

SHA256
d051099a6185411991a3d6f0a467d6219ef6f4047f0ab4f103a554a4e68cac98

SHA512
dd84750d82b264ea81d9d72d524d474a21070e72a27dd7ec12e438cb9ff51bb46695ecbefb541ffbe842c476b005014ac32abaeca5301653da345a6318929ea6

Download Submit
memory/1548-40-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/1548-46-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3640-23-0x0000000051B80000-0x0000000051BA4000-memory.dmp

Filesize
144KB

Download
memory/3640-33-0x00000000007B0000-0x00000000007FD000-memory.dmp

Filesize
308KB

Download
memory/3640-13-0x00000000007B0000-0x00000000007FD000-memory.dmp

Filesize
308KB

Download
memory/3640-16-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3640-29-0x0000000051B00000-0x0000000051B1E000-memory.dmp

Filesize
120KB

Download
memory/3640-31-0x0000000051B00000-0x0000000051B1E000-memory.dmp

Filesize
120KB

Download
memory/3640-24-0x0000000051B80000-0x0000000051BA4000-memory.dmp

Filesize
144KB

Download
memory/3640-0-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3640-22-0x0000000051B80000-0x0000000051BA4000-memory.dmp

Filesize
144KB

Download
memory/3640-12-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3640-32-0x00000000007B0000-0x00000000007FD000-memory.dmp

Filesize
308KB

Download
memory/3640-14-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3640-34-0x00000000007B0000-0x00000000007FD000-memory.dmp

Filesize
308KB

Download
memory/3640-37-0x00000000007B0000-0x00000000007FD000-memory.dmp

Filesize
308KB

Download
memory/3640-43-0x0000000051B00000-0x0000000051B1E000-memory.dmp

Filesize
120KB

Download
memory/3640-42-0x0000000051B80000-0x0000000051BA4000-memory.dmp

Filesize
144KB

Download
memory/3640-11-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3640-10-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3640-9-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3640-41-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3640-2-0x00000000007B0000-0x00000000007FD000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing