Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/05/2024, 09:19
Static task: static1
Behavioral task: behavioral1
  Sample: 1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
  Resource: win10v2004-20240426-en
Note: every memory/file IoC on this page is tagged behavioral2, i.e. the Windows 10 run; no behavioral1 (Windows 7) results appear here.
General
Target: 1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Size: 10.3MB
MD5: d2e8cfb12ce010eecd8ac33dae650027
SHA1: 3b988d0bca1bf4dde9d3cce7ed9e03015a932e0e
SHA256: 1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a
SHA512: d7764753a51b825ff66a89a7e18342d811fff40c7d0ca18b217f6dfc6b3e7a0c9446e7dd8266d4ce64eeb17acac66d8aaa9fedebf4018fc857bd66ca2d2f3fb8
SSDEEP: 196608:ScvijmrWdYtMEY1nxKU5ltd1VNTdfgxBD29qfHJhIdg6DnoVOX:ScvkuSDnzHd7SjCephIr
Malware Config
(no configuration entries on this page)
Signatures
Note on process names: the executable ²Ôñ·µÀ¶Ü.exe and its folder ²Ôñ·µÀ¶Ü(΢¶Ë) are a GBK-encoded Chinese name that the report renders as Latin-1 mojibake (the byte sequence appears to decode to 苍穹道盾 and 微端). The strings are reproduced below exactly as the sandbox displayed them, since that is the form they take in the IoC tables.
-
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                               process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    ²Ôñ·µÀ¶Ü.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   ²Ôñ·µÀ¶Ü.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    ²Ôñ·µÀ¶Ü.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   ²Ôñ·µÀ¶Ü.exe
(The two pairs correspond to the two instances of ²Ôñ·µÀ¶Ü.exe, PIDs 1948 and 3764, in the process tree.)
Executes dropped EXE (4 IoCs)
  pid   process
  4072  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
  1948  ²Ôñ·µÀ¶Ü.exe
  1560  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
  3764  ²Ôñ·µÀ¶Ü.exe
PIDs 4072 and 1560 are copies of the submitted file launched from F:\²Ôñ·µÀ¶Ü(΢¶Ë)\ rather than the original in %TEMP%; 1948 and 3764 are the second executable from the same folder (see the process tree below).
Memory regions and files matching the yara rule "upx" (11 IoCs; the signature heading was lost in extraction, only the rule name survives)
  resource                                                                 yara_rule
  behavioral2/memory/4516-11-0x0000000003FE0000-0x0000000003FEB000-memory.dmp   upx
  behavioral2/memory/4516-13-0x0000000004100000-0x0000000004108000-memory.dmp   upx
  behavioral2/memory/4516-12-0x00000000040F0000-0x00000000040FB000-memory.dmp   upx
  behavioral2/memory/4072-36-0x00000000040F0000-0x00000000040F8000-memory.dmp   upx
  behavioral2/memory/4072-35-0x00000000040E0000-0x00000000040EB000-memory.dmp   upx
  behavioral2/memory/4072-34-0x0000000003FD0000-0x0000000003FDB000-memory.dmp   upx
  behavioral2/memory/4072-40-0x00000000040F0000-0x00000000040F8000-memory.dmp   upx
  behavioral2/files/0x0001000000000032-85.dat                                   upx
  behavioral2/memory/1948-86-0x0000000000400000-0x0000000001027000-memory.dmp   upx
  behavioral2/memory/1948-88-0x0000000000400000-0x0000000001027000-memory.dmp   upx
  behavioral2/memory/1948-90-0x0000000000400000-0x0000000001027000-memory.dmp   upx
The hits in PIDs 4516 and 4072 are small heap-range dumps (8-11 KiB); the hits in PID 1948 cover its image base 0x400000 to 0x1027000, consistent with the dropped ²Ôñ·µÀ¶Ü.exe itself being UPX-packed.
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc      process
  File opened (read-only)  \??\F:   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
  File opened (read-only)  \??\F:   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                    ioc                  process
  File opened for modification   \??\PhysicalDrive0   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
  File opened for modification   \??\PhysicalDrive0   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Caveat: the IoC records that the raw disk device was opened with write access (once each by PIDs 4072 and 1560); the report shows no write payload, so whether sector 0 was actually altered, and what was written, cannot be established from this page alone.
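Because the signature above only proves that \??\PhysicalDrive0 was opened for writing, the practical follow-up is to dump sector 0 from the analysis VM and compare it with a clean baseline. The following Python is an added example (not part of the report or of the sample): it parses a raw 512-byte MBR, hashes the boot code, lists the partition entries and names which regions differ between two captures. The two sectors it operates on are constructed in the block; read_sector0() is the only function that touches a real device and needs administrator rights on Windows.

```python
r"""Parse and diff a raw MBR (sector 0) to verify what a write to PhysicalDrive0 changed.

Added illustration, not part of the report: the sandbox records only that
PhysicalDrive0 was opened for modification, so establishing what (if anything)
changed means comparing sector 0 against a clean baseline. The sectors below
are constructed; read_sector0() is the only function that touches a real device.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xaa"
PHYSICAL_DRIVE0 = r"\\.\PhysicalDrive0"   # Win32 device path for the report's \??\PhysicalDrive0

# MBR layout: boot code, 32-bit disk signature, 2 reserved bytes,
# four 16-byte partition entries, 0x55AA signature.
REGIONS = (
    ("bootcode", 0, 440),
    ("disk_signature", 440, 444),
    ("reserved", 444, 446),
    ("partition_table", 446, 510),
    ("boot_signature", 510, 512),
)


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> Dict[str, object]:
    """Validate the signature and return boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("sector must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts: List[PartitionEntry] = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:                         # type 0 = empty slot
            parts.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return {
        "bootcode_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": parts,
    }


def diff_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Name the MBR regions whose bytes differ between a clean baseline and a capture."""
    return [name for name, lo, hi in REGIONS if baseline[lo:hi] != current[lo:hi]]


def read_sector0(device: str = PHYSICAL_DRIVE0) -> bytes:
    """Read the first 512 bytes of a raw device (administrator rights required on Windows)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Construct a minimal MBR with one bootable type-0x07 partition at LBA 2048 (sample data)."""
    sector = bytearray(SECTOR_SIZE)
    sector[: len(bootcode)] = bootcode
    struct.pack_into("<I", sector, 440, 0x1234ABCD)                       # disk signature
    struct.pack_into("<B3xB3xII", sector, 446, 0x80, 0x07, 2048, 204800)  # entry 0
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed baseline and a tampered copy whose boot code was replaced.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 6)

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print("changed regions:", diff_mbr(CLEAN_MBR, TAMPERED_MBR))
```

In practice you take the baseline from the clean VM snapshot and the second capture after detonation; a diff limited to "bootcode" with the partition table intact is the bootkit pattern, while an empty diff means the open-for-write left sector 0 untouched.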
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                               process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   ²Ôñ·µÀ¶Ü.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       ²Ôñ·µÀ¶Ü.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   ²Ôñ·µÀ¶Ü.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       ²Ôñ·µÀ¶Ü.exe
Enumerates system info in registry (2 TTPs, 10 IoCs)
  description        ioc                                                                 process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   ²Ôñ·µÀ¶Ü.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                     ²Ôñ·µÀ¶Ü.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  ²Ôñ·µÀ¶Ü.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       ²Ôñ·µÀ¶Ü.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion         ²Ôñ·µÀ¶Ü.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                     ²Ôñ·µÀ¶Ü.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   ²Ôñ·µÀ¶Ü.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  ²Ôñ·µÀ¶Ü.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       ²Ôñ·µÀ¶Ü.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion         ²Ôñ·µÀ¶Ü.exe
Taken together with the two entries above, ²Ôñ·µÀ¶Ü.exe reads seven hardware identity strings (system/video BIOS version, processor name, and the BIOS manufacturer/product/version values). The report shows what was queried, not what the values were compared against, so the "sandbox detection" reading is the sandbox's heuristic rather than an observed decision.
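To make the registry-fingerprinting pattern in the three signatures above concrete, here is an added Python example (not the sample's own code, and not from the report) that takes the seven value names the report shows being queried and flags the hypervisor markers they would expose. The marker list and the two sets of sample values are assumptions constructed for the illustration; the same function is what an analyst runs against their own sandbox image to see which strings give it away.

```python
"""Flag hypervisor markers in the hardware strings this sample reads from the registry.

Added illustration only: the report shows which values were queried but not what the
sample compares them against, so the marker list below is an assumption (common
hypervisor/firmware strings), not the sample's own logic. Sample values are constructed.
"""
from typing import Dict, List, Sequence, Union

RegValue = Union[str, Sequence[str]]   # SystemBiosVersion/VideoBiosVersion are REG_MULTI_SZ

# Value names the report shows being queried (all under HKLM\HARDWARE\DESCRIPTION\System).
QUERIED = (
    "SystemBiosVersion", "VideoBiosVersion",        # ...\System
    "ProcessorNameString",                          # ...\System\CentralProcessor\0
    "SystemManufacturer", "SystemProductName",      # ...\System\BIOS
    "SystemVersion", "BIOSVersion",                 # ...\System\BIOS
)

# Assumed marker list: substrings typical of virtualised firmware/CPU strings.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "bochs", "xen",
              "kvm", "hyper-v", "virtual machine", "parallels", "innotek")


def _as_text(value: RegValue) -> str:
    """Join REG_MULTI_SZ lists into one lower-cased string for substring matching."""
    if isinstance(value, str):
        return value.lower()
    return " ".join(value).lower()


def find_vm_markers(values: Dict[str, RegValue]) -> List[str]:
    """Return 'ValueName=marker' for every queried value that contains a marker."""
    hits = []
    for name in QUERIED:
        text = _as_text(values.get(name, ""))
        for marker in VM_MARKERS:
            if marker in text:
                hits.append(f"{name}={marker}")
                break          # one hit per value is enough
    return hits


def looks_like_sandbox(values: Dict[str, RegValue]) -> bool:
    """True when any queried value carries a hypervisor marker."""
    return bool(find_vm_markers(values))


# Constructed sample data: a VirtualBox-style guest and a bare-metal desktop.
SAMPLE_VM = {
    "SystemBiosVersion": ["VBOX   - 1", "BIOS Date: 12/01/06"],
    "VideoBiosVersion": ["Oracle VM VirtualBox VBE Adapter"],
    "ProcessorNameString": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    "SystemManufacturer": "innotek GmbH",
    "SystemProductName": "VirtualBox",
    "SystemVersion": "1.2",
    "BIOSVersion": "VirtualBox",
}
SAMPLE_BARE_METAL = {
    "SystemBiosVersion": ["DELL   - 1072009", "1.4.0"],
    "VideoBiosVersion": ["Intel Video BIOS"],
    "ProcessorNameString": "Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz",
    "SystemManufacturer": "Dell Inc.",
    "SystemProductName": "OptiPlex 7090",
    "SystemVersion": "Not Specified",
    "BIOSVersion": "1.4.0",
}

if __name__ == "__main__":
    for label, data in (("vm", SAMPLE_VM), ("bare-metal", SAMPLE_BARE_METAL)):
        print(label, find_vm_markers(data))
```

On a real host the dictionary would be filled from HKLM\HARDWARE\DESCRIPTION\System with winreg; the point of keeping the lookup separate is that the same classifier can be pointed at a sandbox image offline to decide which firmware strings to rewrite before detonating samples that perform these checks.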
Suspicious behavior: EnumeratesProcesses (20 IoCs; one row per event)
  pid   process                                                                   events
  4516  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   4
  4072  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   8
  1560  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   8
Suspicious use of AdjustPrivilegeToken (17 IoCs; every row is Token: SeDebugPrivilege)
  pid   process                                                                   events
  4516  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   6
  4072  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   6
  1560  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   5
Suspicious use of FindShellTrayWindow (9 IoCs)
  pid   process                                                                   events
  4516  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   2
  4072  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   4
  1560  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   3
Suspicious use of SendNotifyMessage (6 IoCs)
  pid   process                                                                   events
  4516  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   1
  4072  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   3
  1560  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   2
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   process                                                                   events
  4516  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   2
  4072  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   2
  1560  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   2
Suspicious use of WriteProcessMemory (12 IoCs)
  description                    source process (pid)                                                              procid_target
  PID 4516 wrote to memory of 4072 (x3)   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe (4516)   86
  PID 4072 wrote to memory of 1948 (x3)   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe (4072)   92
  PID 4072 wrote to memory of 1560 (x3)   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe (4072)   96
  PID 1560 wrote to memory of 3764 (x3)   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe (1560)   98
procid_target is the sandbox's internal process index, not a Windows PID. Each of the four source/target pairs is a parent writing into a child it has just created (see the process tree), three times per child; the page records no write into any process outside that tree, so this signature on its own does not evidence injection into a foreign process.
Processes
Process tree from the behavioral2 run; indentation shows parent/child, PIDs are the report's. Folder and executable names are reproduced as the sandbox rendered them.

[1] C:\Users\Admin\AppData\Local\Temp\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   (PID 4516)
    command line: "C:\Users\Admin\AppData\Local\Temp\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] F:\²Ôñ·µÀ¶Ü(΢¶Ë)\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   (PID 4072)
        command line: "F:\²Ôñ·µÀ¶Ü(΢¶Ë)\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe"
        - Executes dropped EXE
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] F:\²Ôñ·µÀ¶Ü(΢¶Ë)\²Ôñ·µÀ¶Ü.exe   (PID 1948)
            command line: "F:\²Ôñ·µÀ¶Ü(΢¶Ë)\²Ôñ·µÀ¶Ü.exe"
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks processor information in registry
            - Enumerates system info in registry

        [3] F:\²Ôñ·µÀ¶Ü(΢¶Ë)\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   (PID 1560)
            command line: F:\²Ôñ·µÀ¶Ü(΢¶Ë)\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe   (unquoted in the report)
            - Executes dropped EXE
            - Enumerates connected drives
            - Writes to the Master Boot Record (MBR)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] F:\²Ôñ·µÀ¶Ü(΢¶Ë)\²Ôñ·µÀ¶Ü.exe   (PID 3764)
                command line: "F:\²Ôñ·µÀ¶Ü(΢¶Ë)\²Ôñ·µÀ¶Ü.exe"
                - Checks BIOS information in registry
                - Executes dropped EXE
                - Checks processor information in registry
                - Enumerates system info in registry

The tree is two iterations of the same pattern: a copy of the sample on F:\ launches ²Ôñ·µÀ¶Ü.exe (which performs the registry fingerprinting) and a further copy of itself, which repeats the step once more.
Network
(no entries on this page)
MITRE ATT&CK Enterprise v15
(mapping not reproduced on this page; the TTP counts appear beside each signature above)
Downloads
File 1 (identical hashes to the submitted sample)
  Filesize: 10.3MB
  MD5: d2e8cfb12ce010eecd8ac33dae650027
  SHA1: 3b988d0bca1bf4dde9d3cce7ed9e03015a932e0e
  SHA256: 1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a
  SHA512: d7764753a51b825ff66a89a7e18342d811fff40c7d0ca18b217f6dfc6b3e7a0c9446e7dd8266d4ce64eeb17acac66d8aaa9fedebf4018fc857bd66ca2d2f3fb8

File 2 (no filename given on this page)
  Filesize: 53B
  MD5: e5666f715e663e72dcfda51d9f4fea6f
  SHA1: 93fc4cb8b23e7ad69d96b021ca74127394c668e8
  SHA256: 5576df7017eea51de1039ea8b1a8576f0a0b1c65beb513cfcc6f27acf66bed7f
  SHA512: d8230587cec9c05e5b096a6897086cae54307a19379e21ddd0db0681cd67ab5f170ae6b995d27f38dee12403f8412ef7f0c848e0985d145cbb563c5cc8b300cf

File 3 (no filename given on this page)
  Filesize: 4.9MB
  MD5: 3d962aa83c022d0cd5e6b62bcd42e03b
  SHA1: 40ea7aaed96708e8796e0e95a8350cca7c481be9
  SHA256: f029682c2a565d84f81af6710c65cf80e4fa3a0ae2ce83348c17bb9ae011895a
  SHA512: 73fec89ac082f4c0713423c8ff89880130f9bebb084ac97ad52735b3501c35bc7da1c54a50d124e0dc18b0cc4a6eb04ca3b9b7b039816b63f261f3b1d3f91375