6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139

General

Target

6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
Size

8.1MB
MD5

93041dc965baae2994df1676f7b01ebd
SHA1

fcabf1cbf6aa99908a9b061f83c269befc3bb276
SHA256

6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139
SHA512

8336edeca0ee32e923dc92f6ebdf3149277ae136e715187419b37b80083c8f9014a8167a8f36a372c8dd4bfe6179b9a26bea24523a4b76b869b370173673c68a
SSDEEP

196608:y4HKDQBKkXy+XVt815j5tDobSUFQVwRfRqJ1ay0cjZGr3nrEn:yaK0BK+wvj5t0ZFQGRfRzf7rG

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\O:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\P:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\S:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\B:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\G:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\N:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\R:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\A:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\L:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\M:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\Q:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\U:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\Y:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\Z:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\H:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\J:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\T:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\V:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\W:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\X:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\E:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
File opened (read-only)	\??\I:	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs

pid	Process
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
2480	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe

C:\Users\Admin\AppData\Local\Temp\6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe
"C:\Users\Admin\AppData\Local\Temp\6d65a33d9b2fbb32b52d9d9cb6d9504b664aef4041937ad2c6f54e795d847139.exe"
1⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2480-0-0x0000000000400000-0x000000000139A000-memory.dmp

Filesize
15.6MB

Download
memory/2480-1-0x00000000776E0000-0x0000000077727000-memory.dmp

Filesize
284KB

Download
memory/2480-522-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-524-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-520-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-518-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-516-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-514-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-512-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-510-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-508-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-506-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-504-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-503-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-526-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-540-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-564-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-562-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-560-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-558-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-556-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-554-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-552-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-550-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-548-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-546-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-544-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-542-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-538-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-536-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-534-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-532-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-530-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download
memory/2480-529-0x00000000032A0000-0x00000000033B1000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads