4de6fc36aa1682389c6a198f8e774a53b0303e4faacf9501f9c72fb612cf190b

General

Target

259ae2a596f486056670c41de64d222f.exe
Size

2.1MB
MD5

259ae2a596f486056670c41de64d222f
SHA1

5e58f48864aa6b9697cc353b20eee65b3f3de40b
SHA256

4de6fc36aa1682389c6a198f8e774a53b0303e4faacf9501f9c72fb612cf190b
SHA512

5d62761c1fad77adfd6f17d4ac380d785149e552e39d242065bbf8a05de7b5e16f7431fd1812b02d642c403fb9988e2b0e22acbb99ec6d26110393b17729c416
SSDEEP

49152:PTrrxMiCV1ZEvkKR4PSahurNhELTty+CYxaK9:PTD+ZMVRqS3hSw+C29

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	259ae2a596f486056670c41de64d222f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	259ae2a596f486056670c41de64d222f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	259ae2a596f486056670c41de64d222f.exe

C:\Users\Admin\AppData\Local\Temp\259ae2a596f486056670c41de64d222f.exe
"C:\Users\Admin\AppData\Local\Temp\259ae2a596f486056670c41de64d222f.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of AdjustPrivilegeToken
PID:976
- C:\Users\Admin\AppData\Local\Temp\%BinderSecond%.exe
  "C:\Users\Admin\AppData\Local\Temp\%BinderSecond%.exe"
  2⤵
  PID:3720
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe"
    3⤵
    PID:3088
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Startup" /t REG_SZ /d C:\Users\Public\Documents\TiWorker /f
      4⤵
      PID:4724
- C:\Users\Admin\AppData\Local\Temp\%BinderFirst%.exe
  "C:\Users\Admin\AppData\Local\Temp\%BinderFirst%.exe"
  2⤵
  PID:4920

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
1⤵
PID:1928
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Startup" /t REG_SZ /d C:\Users\Public\Documents\TiWorker /f
  2⤵
  PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\%BinderFirst%.exe

Filesize
42KB

MD5
454434b285073b72c25fddbc3049415f

SHA1
48596c6e1c1ef1cd0eb563dc2e8daf1a61644235

SHA256
c88b6dc623809469e7e09dc878b929b3bc0ff3b27a38d5e9f7bae62e7483e01f

SHA512
cb3ceb6262aa706258782c589060447e72268e7def825f5f692aaa2574c7709b7e883e85306070ab67b7bd86c5447a4120c644f4241d6db80313c3bfaa9fe498

Download Submit
C:\Users\Admin\AppData\Local\Temp\%BinderSecond%.exe

Filesize
40KB

MD5
63cd96055be7e645ed2d0ca55daaddc3

SHA1
37be00fae1d61c89b4ef7219ece2ee773d8b1f68

SHA256
0c6b8f2a78760e6d806a106222072a72983ceaa85dc8b180564d54ba02678799

SHA512
3510528361c219561b3ea0d35ddc54ccf1b96b828e2f53b7a5bf27a80d7d894b6500f49d9f2848ba190a91076288df19af5d1c54da59da292b1d9e494c482720

Download Submit
C:\Users\Admin\AppData\Local\Temp\%BinderSecond%.exe

Filesize
71KB

MD5
e192504deef2c4f2eaac8454751be46e

SHA1
70debe61ae33510ee8bd112ab83fe7c2786f1175

SHA256
c63e831497bc6544d8681eaf327514479ee45809ef9bdd6ace48ec157aa9e8f2

SHA512
6a82488400c7071f786b99a29631d58d80ef37e6e806f96874e2a7047f709d180e3fae9f192f07dee85b75305772eb5b1cef82391dc0f89e499eda2941409268

Download Submit
C:\Users\Admin\AppData\Local\Temp\%BinderSecond%.exe

Filesize
47KB

MD5
b698df04dcf82cafefe933c44d3708cc

SHA1
db4477f0a84866bad288a7d0a8c22bcd56fba336

SHA256
be721d73ce572e38d6f45d3ad35ddaf93d4fc3d4751bacdfde76781080a372db

SHA512
3f439ef82badfa5284ae6fe8d5bd009cd836059c4440465505635fe29b6f7882a5a1cb4fe00cd368d4aa39faa0a3fe8e25f2c8da08e34b93b9bb1c6710a57143

Download Submit
memory/976-44-0x00007FFCF9120000-0x00007FFCF9BE1000-memory.dmp

Filesize
10.8MB

Download
memory/976-41-0x00007FF7A2870000-0x00007FF7A2E44000-memory.dmp

Filesize
5.8MB

Download
memory/976-5-0x0000000022F70000-0x0000000022F80000-memory.dmp

Filesize
64KB

Download
memory/976-3-0x00007FF7A2870000-0x00007FF7A2E44000-memory.dmp

Filesize
5.8MB

Download
memory/976-2-0x00007FF7A2870000-0x00007FF7A2E44000-memory.dmp

Filesize
5.8MB

Download
memory/976-4-0x00007FFCF9120000-0x00007FFCF9BE1000-memory.dmp

Filesize
10.8MB

Download
memory/976-40-0x0000000022DF0000-0x0000000022EF2000-memory.dmp

Filesize
1.0MB

Download
memory/976-1-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/976-0-0x00007FF7A2870000-0x00007FF7A2E44000-memory.dmp

Filesize
5.8MB

Download
memory/976-43-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/3720-47-0x0000019D48730000-0x0000019D48740000-memory.dmp

Filesize
64KB

Download
memory/3720-30-0x00007FF6B0B20000-0x00007FF6B0EB0000-memory.dmp

Filesize
3.6MB

Download
memory/3720-33-0x00007FF6B0B20000-0x00007FF6B0EB0000-memory.dmp

Filesize
3.6MB

Download
memory/3720-42-0x00007FFCF9120000-0x00007FFCF9BE1000-memory.dmp

Filesize
10.8MB

Download
memory/3720-56-0x00007FFCF9120000-0x00007FFCF9BE1000-memory.dmp

Filesize
10.8MB

Download
memory/3720-57-0x00007FF6B0B20000-0x00007FF6B0EB0000-memory.dmp

Filesize
3.6MB

Download
memory/3720-37-0x0000019D48640000-0x0000019D48690000-memory.dmp

Filesize
320KB

Download
memory/3720-34-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/3720-36-0x00007FF6B0B20000-0x00007FF6B0EB0000-memory.dmp

Filesize
3.6MB

Download
memory/3720-58-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/4920-32-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/4920-46-0x000002752EE50000-0x000002752EE60000-memory.dmp

Filesize
64KB

Download
memory/4920-31-0x0000000000F50000-0x00000000012DC000-memory.dmp

Filesize
3.5MB

Download
memory/4920-52-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/4920-51-0x0000000000F50000-0x00000000012DC000-memory.dmp

Filesize
3.5MB

Download
memory/4920-50-0x00007FFCF9120000-0x00007FFCF9BE1000-memory.dmp

Filesize
10.8MB

Download
memory/4920-35-0x0000000000F50000-0x00000000012DC000-memory.dmp

Filesize
3.5MB

Download
memory/4920-39-0x00007FFCF9120000-0x00007FFCF9BE1000-memory.dmp

Filesize
10.8MB

Download
memory/4920-25-0x0000000000F50000-0x00000000012DC000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing