Analysis
max time kernel: 6s
max time network: 8s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03/04/2024, 12:00
Static task: static1
Behavioral task: behavioral1
  Sample: 2e46e7307c971439115f6b451201477ac673e38db7757134888505d8713eff7d.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral2
  Sample: 2e46e7307c971439115f6b451201477ac673e38db7757134888505d8713eff7d.exe
  Resource: win11-20240221-en
General
Target: 2e46e7307c971439115f6b451201477ac673e38db7757134888505d8713eff7d.exe
Size: 6.5MB
MD5: 5ac036db54785817a366510d11fe27ff
SHA1: 3ad032c1efe0bb3510af47af05fc6fe799f8ef2b
SHA256: 2e46e7307c971439115f6b451201477ac673e38db7757134888505d8713eff7d
SHA512: eaa57362ddde75766a2f53dd4492722acdf4f5a2ff11db5ad88d0b2fe38ca7a51bc698d6cda283141ff86c5fa149b2ac6cd07adcadcb455773b41f006b7dbcd0
SSDEEP: 98304:91OopDcPHB7oWB0q32sghrEGog5UFI0eDyNGfJ9cnqzdmHQuuWy4rk0yaYWngUxV:91OoSKWBz3lgi+0fYLfsvry4A0y2gQHL
Malware Config
Signatures

Checks BIOS information in registry  (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Install.exe

Executes dropped EXE  (1 IoC)
  PID 5108  Install.exe

Drops file in System32 directory  (1 IoC)
  File created  C:\Windows\system32\GroupPolicy\gpt.ini  Install.exe
  (gpt.ini is the local Group Policy version file; the drop precedes the gpupdate /force seen later in the process tree.)

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s)  (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4172  schtasks.exe

Enumerates system info in registry  (2 TTPs, 2 IoCs)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    Install.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  Install.exe

Suspicious behavior: EnumeratesProcesses  (1 IoC)
  PID 3060  powershell.EXE

Suspicious use of AdjustPrivilegeToken  (1 IoC)
  Token: SeDebugPrivilege  PID 3060  powershell.EXE

Suspicious use of WriteProcessMemory  (33 IoCs: 11 distinct parent/child events, each logged three times)
  description                        pid   process                                                                    procid_target
  PID 3316 wrote to memory of 5108   3316  2e46e7307c971439115f6b451201477ac673e38db7757134888505d8713eff7d.exe  76
  PID 5108 wrote to memory of 4620   5108  Install.exe                                                               78
  PID 5108 wrote to memory of 3212   5108  Install.exe                                                               80
  PID 4620 wrote to memory of 3016   4620  forfiles.exe                                                              82
  PID 3212 wrote to memory of 1800   3212  forfiles.exe                                                              84
  PID 3016 wrote to memory of 4336   3016  cmd.exe                                                                   83
  PID 3016 wrote to memory of 1616   3016  cmd.exe                                                                   85
  PID 1800 wrote to memory of 1020   1800  cmd.exe                                                                   86
  PID 1800 wrote to memory of 2216   1800  cmd.exe                                                                   87
  PID 5108 wrote to memory of 4172   5108  Install.exe                                                               88
  PID 5108 wrote to memory of 1652   5108  Install.exe                                                               90
  (No signature fires for the Windows Defender policy tampering itself; it is only visible in the command lines below.)
Processes  (indented by parent/child; PIDs and command lines as recorded by the sandbox)

C:\Users\Admin\AppData\Local\Temp\2e46e7307c971439115f6b451201477ac673e38db7757134888505d8713eff7d.exe  PID 3316
  command line: "C:\Users\Admin\AppData\Local\Temp\2e46e7307c971439115f6b451201477ac673e38db7757134888505d8713eff7d.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\7zS395F.tmp\Install.exe  PID 5108
    command line: .\Install.exe /MycdidinP "385118" /S
    note: a 7zS*.tmp directory is where a 7-Zip SFX archive unpacks its payload before running it.
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\forfiles.exe  PID 4620
      command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      note: forfiles.exe is used only as a proxy to launch cmd.exe (its /m cmd.exe /c "..." form runs the command once for the matched file). The image path is SysWOW64 because Install.exe is 32-bit and WOW64 file-system redirection maps System32 to SysWOW64; the REG ADD is issued for both registry views (/reg:32 and /reg:64). An Extensions value named "exe" under the Defender policy key excludes every .exe file from scanning.
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  PID 3016
        command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\SysWOW64\reg.exe  PID 4336
          command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

        \??\c:\windows\SysWOW64\reg.exe  PID 1616
          command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

    C:\Windows\SysWOW64\forfiles.exe  PID 3212
      command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      note: SpyNetReporting = 0 under the Defender policy key disables cloud (MAPS) sample and telemetry reporting.
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  PID 1800
        command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\SysWOW64\reg.exe  PID 1020
          command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

        \??\c:\windows\SysWOW64\reg.exe  PID 2216
          command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

    C:\Windows\SysWOW64\schtasks.exe  PID 4172
      command line: schtasks /CREATE /TN "gYVWElPOE" /SC once /ST 08:46:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      note: the -EncodedCommand payload is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe  PID 1652
      command line: schtasks /run /I /tn "gYVWElPOE"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  PID 3060
  command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  note: this is the action of task gYVWElPOE (same encoded command), started by the Task Scheduler after schtasks /run, which is why it appears as a separate tree rather than under Install.exe. The policy refresh it triggers is what makes the Defender policy values written above take effect.
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\gpupdate.exe  PID 4900
    command line: "C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe  PID 4700
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe  PID 4012
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe  PID 3992
  command line: gpscript.exe /RefreshSystemParam
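The process tree above shows the sample's whole evasion chain in command lines rather than in any sandbox signature: forfiles.exe proxies cmd.exe, reg.exe writes the Defender policy hive, and a scheduled task runs an encoded PowerShell command that forces a policy refresh. The script below is an added example (not part of the sandbox report and not the sandbox's own detection logic) that triages such command lines offline: it decodes the -EncodedCommand payload and flags the Defender policy writes, the forfiles proxy, the task creation and the gpupdate /force. The command lines are copied from the report; the benign REG QUERY control line, the regular expressions, the function names (decode_encoded_command, defender_policy_findings, triage, triage_tree) and the wording of the findings are my own.

```python
"""Triage the command lines from the sandbox process tree (added example).

Decodes PowerShell -EncodedCommand payloads (base64 of UTF-16LE) and flags
REG ADD writes under the Windows Defender policy key, the forfiles.exe ->
cmd.exe proxy, schtasks /create and gpupdate /force. Rule set is my own.
"""
import base64
import binascii
import re

# --- Command lines copied from the report, plus one constructed benign control ---
FORFILES_LINE = (
    r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C '
    r'REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" '
    r'/f /v \"exe\" /t REG_SZ /d 0 /reg:32&'
    r'REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" '
    r'/f /v \"exe\" /t REG_SZ /d 0 /reg:64&"'
)
SPYNET_LINE = (
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" '
    r'/f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64'
)
ENCODED_PAYLOAD = (
    "cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABn"
    "AHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
)
SCHTASKS_LINE = (
    'schtasks /CREATE /TN "gYVWElPOE" /SC once /ST 08:46:19 /F /RU "Admin" '
    f'/TR "powershell -WindowStyle Hidden -EncodedCommand {ENCODED_PAYLOAD}"'
)
BENIGN_LINE = r'REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'  # constructed

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand; -ep/-ex (ExecutionPolicy)
# do not match because the switch must be followed by whitespace and then base64.
ENCODED_RE = re.compile(r'(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})', re.I)
DEFENDER_POLICY_RE = re.compile(
    r'reg(?:\.exe)?"?\s+add\s+\\?"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\([^"]+?)\\?"'
    r'(?:[^&]*?/v\s+\\?"?([^"\s\\]+))?'   # value name; [^&] keeps us inside one &-joined command
    r'(?:[^&]*?/d\s+\\?"?([^"\s\\]+))?',  # data
    re.I,
)
FORFILES_RE = re.compile(r'forfiles(?:\.exe)?"?\s.*?/c\s+\\?"?cmd', re.I)
SCHTASKS_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
GPUPDATE_RE = re.compile(r'gpupdate(?:\.exe)?"?\s+/force\b', re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def defender_policy_findings(cmdline):
    """Findings for every REG ADD under the Windows Defender policy key in the line."""
    findings = []
    for subkey, name, data in DEFENDER_POLICY_RE.findall(cmdline):
        key = subkey.lower()
        if key.startswith("exclusions\\"):
            # e.g. Exclusions\Extensions value "exe": every .exe is excluded from scanning
            findings.append(f"Defender exclusion written: {subkey}\\{name}")
        elif key == "spynet" and name.lower() == "spynetreporting" and data == "0":
            findings.append("Defender MAPS (SpyNet) reporting disabled by policy")
        else:
            findings.append(f"Defender policy key written: {subkey}\\{name}")
    return findings


def triage(cmdline):
    """All findings for one command line, recursing into decoded PowerShell."""
    findings = defender_policy_findings(cmdline)
    if FORFILES_RE.search(cmdline):
        findings.append("forfiles.exe used as a proxy to launch cmd.exe")
    if SCHTASKS_RE.search(cmdline):
        findings.append("scheduled task created with schtasks /create")
    if GPUPDATE_RE.search(cmdline):
        findings.append("gpupdate /force: policy refresh applies the written Defender policy values")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(f"encoded PowerShell decoded: {decoded}")
        findings.extend(f"(inside encoded command) {f}" for f in triage(decoded))
    return findings


def triage_tree(cmdlines):
    """Map each command line to its findings (empty list when nothing fires)."""
    return {line: triage(line) for line in cmdlines}


if __name__ == "__main__":
    for line, hits in triage_tree([FORFILES_LINE, SPYNET_LINE, SCHTASKS_LINE, BENIGN_LINE]).items():
        print(line[:70] + ("..." if len(line) > 70 else ""))
        for hit in hits:
            print("   ", hit)
```

Feed it process-creation command lines from Sysmon event 1 or 4688 and you get the same picture the tree shows by eye: two exclusion writes plus the forfiles proxy on the first line, the SpyNet write on the second, and task creation plus the decoded gpupdate on the third, while the benign REG QUERY produces nothing. The decoder is the piece worth keeping: an -EncodedCommand that decodes to a Group Policy refresh right after Defender policy writes is the tell here, and it is invisible to string matching on the raw base64.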
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 6.9MB
MD5: ea99e72c1ac89aa9cc14178b1c46d50d
SHA1: 60b896781f40e89106d0c76abd11c5b5d0832943
SHA256: 9cd503eed313e3c5293f192804c0f20a4eef448876f8375fbc26a25be36d5b28
SHA512: 03693bda0c8b693c09e416a7d0c335294f74804f336058a59612a07aa0dd918cd70958cc95feba7d3b26b2df235b0a60d0347d6ed6e353fec8c87c969f6068f1

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82