0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143

General

Target

0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
Size

8.6MB
MD5

bc471aa8003024e1dbf68c7f183df4b3
SHA1

27f83844d7cea0910507441cb2e9babe3c88ef13
SHA256

0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143
SHA512

c1956ed80b6c8feb1cff6eccb233f4004ba1a4225517d5d76bef80d0114a24c35b3a3cbf86e25c0c76f0f780860596a0c7375652f12ff5319845180d88dd9e5a
SSDEEP

196608:K3/NSnzJi2/aJAvcnbDROJkXijRtLvq1I7icdiiBYX:w8fyJ0AbtOJyERtLvM+3PBY

Score

7^/10

upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3044-37-0x0000000000400000-0x0000000000F21000-memory.dmp	upx
behavioral1/memory/3044-42-0x0000000000400000-0x0000000000F21000-memory.dmp	upx
behavioral1/memory/3044-43-0x0000000000400000-0x0000000000F21000-memory.dmp	upx
behavioral1/memory/3044-48-0x0000000000400000-0x0000000000F21000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\R:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\S:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\T:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\U:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\V:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\K:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\O:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\Z:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\H:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\I:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\N:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\P:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\Q:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\W:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\X:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\Y:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\G:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\J:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\M:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
File opened (read-only)	\??\E:	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28
PID 2848 wrote to memory of 3044	2848	0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe	28

C:\Users\Admin\AppData\Local\Temp\0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
"C:\Users\Admin\AppData\Local\Temp\0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe
  "C:\Users\Admin\AppData\Local\Temp\0bc040c668d22bed7df1e3d80d54a525b243f4beffe7197a9414ff48fc778143.exe"
  2⤵
  - Checks BIOS information in registry
  - Enumerates connected drives
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2848-36-0x0000000010000000-0x0000000010B45000-memory.dmp

Filesize
11.3MB

Download
memory/2848-0-0x0000000000400000-0x0000000001100000-memory.dmp

Filesize
13.0MB

Download
memory/2848-3-0x0000000010000000-0x0000000010B45000-memory.dmp

Filesize
11.3MB

Download
memory/2848-2-0x0000000010000000-0x0000000010B45000-memory.dmp

Filesize
11.3MB

Download
memory/2848-35-0x0000000000400000-0x0000000001100000-memory.dmp

Filesize
13.0MB

Download
memory/2848-21-0x0000000005EA0000-0x0000000006BA0000-memory.dmp

Filesize
13.0MB

Download
memory/2848-1-0x0000000000250000-0x0000000000253000-memory.dmp

Filesize
12KB

Download
memory/2848-33-0x0000000010000000-0x0000000010B45000-memory.dmp

Filesize
11.3MB

Download
memory/3044-39-0x0000000001100000-0x00000000013A5000-memory.dmp

Filesize
2.6MB

Download
memory/3044-18-0x00000000013B0000-0x0000000001B1B000-memory.dmp

Filesize
7.4MB

Download
memory/3044-27-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3044-38-0x0000000000401000-0x00000000010FF000-memory.dmp

Filesize
13.0MB

Download
memory/3044-31-0x0000000001100000-0x00000000013A5000-memory.dmp

Filesize
2.6MB

Download
memory/3044-25-0x00000000013B0000-0x0000000001B1B000-memory.dmp

Filesize
7.4MB

Download
memory/3044-6-0x0000000001100000-0x00000000013A5000-memory.dmp

Filesize
2.6MB

Download
memory/3044-23-0x00000000013B0000-0x0000000001B1B000-memory.dmp

Filesize
7.4MB

Download
memory/3044-20-0x00000000013B0000-0x0000000001B1B000-memory.dmp

Filesize
7.4MB

Download
memory/3044-8-0x00000000013B0000-0x0000000001B1B000-memory.dmp

Filesize
7.4MB

Download
memory/3044-14-0x00000000013B0000-0x0000000001B1B000-memory.dmp

Filesize
7.4MB

Download
memory/3044-37-0x0000000000400000-0x0000000000F21000-memory.dmp

Filesize
11.1MB

Download
memory/3044-12-0x00000000013B0000-0x0000000001B1B000-memory.dmp

Filesize
7.4MB

Download
memory/3044-10-0x00000000013B0000-0x0000000001B1B000-memory.dmp

Filesize
7.4MB

Download
memory/3044-29-0x0000000001100000-0x00000000013A5000-memory.dmp

Filesize
2.6MB

Download
memory/3044-41-0x0000000001100000-0x00000000013A5000-memory.dmp

Filesize
2.6MB

Download
memory/3044-40-0x0000000001100000-0x00000000013A5000-memory.dmp

Filesize
2.6MB

Download
memory/3044-42-0x0000000000400000-0x0000000000F21000-memory.dmp

Filesize
11.1MB

Download
memory/3044-43-0x0000000000400000-0x0000000000F21000-memory.dmp

Filesize
11.1MB

Download
memory/3044-47-0x0000000001100000-0x00000000013A5000-memory.dmp

Filesize
2.6MB

Download
memory/3044-48-0x0000000000400000-0x0000000000F21000-memory.dmp

Filesize
11.1MB

Download
memory/3044-50-0x0000000000401000-0x00000000010FF000-memory.dmp

Filesize
13.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads