5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358

General

Target

5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
Size

12.8MB
MD5

bc6e4eefac46a9a4ae1a5dcae6326dfc
SHA1

db58304458231691c1df0854b62b9da0adc14da7
SHA256

5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358
SHA512

eb7acf6a5d9d257fab4030dab300f804debd355b5ead612ae9f0c7cd1d2029a4002d850cf8e9d72d9a6e61aec0b0132ff0635ec2f1311dd640213503ef6c847d
SSDEEP

196608:+otZgs21BRWdoQlSOLM8gYQ2r4NXsUXxW4Jg6bKxzdWX0:+otZoBR30tL9gYQ2rPUpVKBI0

Score

9^/10

oss_ak

Malware Config

Signatures

detect oss ak 1 IoCs

oss ak information detected.

oss_ak

Processes:

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000400000-0x0000000001021000-memory.dmp	detect_ak_stuff

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe

description	ioc	process
File opened (read-only)	\??\R:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\V:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\Y:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\E:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\H:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\K:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\L:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\M:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\U:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\Z:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\J:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\N:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\Q:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\S:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\T:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\G:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\I:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\W:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\O:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\P:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
File opened (read-only)	\??\X:	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs

Processes:

5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe

pid	process
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe

description	pid	process
Token: SeDebugPrivilege	2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
Token: SeDebugPrivilege	2204	5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe

pid process

2204 5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe

pid process

2204 5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe

C:\Users\Admin\AppData\Local\Temp\5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe
"C:\Users\Admin\AppData\Local\Temp\5345f004ad562905d75ac4fdc0fe8750786d7fd8f493223b99a4153741f9e358.exe"
1⤵
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2204

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2204-0-0x0000000000400000-0x0000000001021000-memory.dmp

Filesize
12.1MB

Download
memory/2204-1-0x0000000076250000-0x0000000076297000-memory.dmp

Filesize
284KB

Download
memory/2204-504-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-508-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-516-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-514-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-512-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-510-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-506-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-503-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-530-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-544-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-562-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-518-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-522-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-520-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-524-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-528-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-564-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-560-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-558-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-556-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-554-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-552-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-550-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-548-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-546-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-542-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-540-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-538-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-536-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-534-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-532-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2204-526-0x0000000002DC0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads