5892da50e6a0f664b4d241beefa04c72b9669a47cf4ae687164ee6160f025778

General

Target

Alice.exe
Size

9.7MB
MD5

6a921995816cd918c176f2c87e262fd4
SHA1

4e5b8566f482967525959d7d75b7c06cb6330471
SHA256

5892da50e6a0f664b4d241beefa04c72b9669a47cf4ae687164ee6160f025778
SHA512

1482acc37e1f599d78ef20e084cce7fb4506f3fe0f6fe3963888caca0c626a94a86c6f287c6abe680d70fe82c2aafff8ad0361dfe91e43cb5b6b4fe9b45332b1
SSDEEP

49152:/GFNm48iZ3mvlr03+ufKo9jmc6s3lA353agB2nFE2PA2wkigOGTd4nrh8dDeblY4:/GFuo9jT6M2JiBIQYo4MoD+Fv9xIa3y

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\MuiCache	GameBar.exe
Key created	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1101742937-4171729779-750941522-1000\{00DCC5ED-90DE-408D-9214-0886DC0B96BD}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1101742937-4171729779-750941522-1000\{8AC1726A-5FA7-4FAE-8844-0850E9E62CDA}	svchost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3148	EXCEL.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1564	GameBar.exe
1004	MiniSearchHost.exe
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\Alice.exe
"C:\Users\Admin\AppData\Local\Temp\Alice.exe"
1⤵
PID:2688

C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\GameBar.exe
"C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\GameBar.exe" -ServerName:App.AppXbdkk0yrkwpcgeaem8zk81k8py1eaahny.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:4616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:4788

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Desktop\PingPop.xltm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
e7287dd4e71a21e10194c99cc8ccd823

SHA1
d12b4151bb25ca694ad8098751b4918129c322ac

SHA256
9c3bad374f6b813d2d3393e29f7e9aaca5404a001e521746d21fe7ced190f27c

SHA512
e76c126fb4f111e78772ee65afb4a06ff74d4c56432a4aa3f6c9680a0e832c257285e68f2b09e4513b4d4ca3169d865e375caa20dca32648d81010394c0c8c21

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
a48ea8097f0b11ffec74b86a72f827bb

SHA1
74018e4ad58d07aefa0f9cf14ad83d8738b712f6

SHA256
f927b288c82bf61a078b38c7226df71cf935eb9f4115779ae60f345d3caa0291

SHA512
7d732085d9c178c55d22d8b1146a196002974775e826d60bdcf27e0e7cb2c00e32de925e3fe2fc31a27476a31c81c4acf5df68b207bfdef4f00165a4b6b8dbbc

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/3148-44-0x00007FF8A23C0000-0x00007FF8A25C9000-memory.dmp

Filesize
2.0MB

Download
memory/3148-45-0x00007FF8A23C0000-0x00007FF8A25C9000-memory.dmp

Filesize
2.0MB

Download
memory/3148-36-0x00007FF862450000-0x00007FF862460000-memory.dmp

Filesize
64KB

Download
memory/3148-34-0x00007FF862450000-0x00007FF862460000-memory.dmp

Filesize
64KB

Download
memory/3148-39-0x00007FF8A23C0000-0x00007FF8A25C9000-memory.dmp

Filesize
2.0MB

Download
memory/3148-41-0x00007FF8A23C0000-0x00007FF8A25C9000-memory.dmp

Filesize
2.0MB

Download
memory/3148-42-0x00007FF8A23C0000-0x00007FF8A25C9000-memory.dmp

Filesize
2.0MB

Download
memory/3148-43-0x00007FF862450000-0x00007FF862460000-memory.dmp

Filesize
64KB

Download
memory/3148-40-0x00007FF862450000-0x00007FF862460000-memory.dmp

Filesize
64KB

Download
memory/3148-35-0x00007FF8A23C0000-0x00007FF8A25C9000-memory.dmp

Filesize
2.0MB

Download
memory/3148-38-0x00007FF862450000-0x00007FF862460000-memory.dmp

Filesize
64KB

Download
memory/3148-37-0x00007FF8A23C0000-0x00007FF8A25C9000-memory.dmp

Filesize
2.0MB

Download
memory/3148-47-0x00007FF8A23C0000-0x00007FF8A25C9000-memory.dmp

Filesize
2.0MB

Download
memory/3148-46-0x00007FF85F8B0000-0x00007FF85F8C0000-memory.dmp

Filesize
64KB

Download
memory/3148-48-0x00007FF8A23C0000-0x00007FF8A25C9000-memory.dmp

Filesize
2.0MB

Download
memory/3148-49-0x00007FF8A1770000-0x00007FF8A182D000-memory.dmp

Filesize
756KB

Download
memory/3148-50-0x00007FF8A23C0000-0x00007FF8A25C9000-memory.dmp

Filesize
2.0MB

Download
memory/3148-51-0x00007FF85F8B0000-0x00007FF85F8C0000-memory.dmp

Filesize
64KB

Download
memory/3148-64-0x00007FF862450000-0x00007FF862460000-memory.dmp

Filesize
64KB

Download
memory/3148-65-0x00007FF862450000-0x00007FF862460000-memory.dmp

Filesize
64KB

Download
memory/3148-66-0x00007FF862450000-0x00007FF862460000-memory.dmp

Filesize
64KB

Download
memory/3148-67-0x00007FF862450000-0x00007FF862460000-memory.dmp

Filesize
64KB

Download
memory/3148-68-0x00007FF8A23C0000-0x00007FF8A25C9000-memory.dmp

Filesize
2.0MB

Download
memory/3148-69-0x00007FF8A1770000-0x00007FF8A182D000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads