22e8296dcc096f37d2de3d53f2e4c291bcc1ecff63eaab74676a531343225074

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6vCuCcOa0q4Qfuu.exe
Size

8.8MB
MD5

a8ef06b1272a44e36d271e7764ecea59
SHA1

62126ef7097f68eddfe0620143b13682481913b6
SHA256

22e8296dcc096f37d2de3d53f2e4c291bcc1ecff63eaab74676a531343225074
SHA512

237615240b64b1d716287279ae20d5e62861624c73f353585fcd5c77a9994bbb5cb5f980befd8eec06d3ed7859b6fdb7a807aaf9fb5d1989bb939d33bb056dec
SSDEEP

196608:RPRKC5SM3Gxg6M1NzReRjqZ0i5rG/6BolhEAb79w+2hMMgEtKW3jF:3KjMsgLjMRQ1DaPZ7D2mJEtNF

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6vCuCcOa0q4Qfuu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6vCuCcOa0q4Qfuu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	6vCuCcOa0q4Qfuu.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4992	6vCuCcOa0q4Qfuu.exe
4992	6vCuCcOa0q4Qfuu.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4992	6vCuCcOa0q4Qfuu.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4992	6vCuCcOa0q4Qfuu.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 264	4992	6vCuCcOa0q4Qfuu.exe	87
PID 4992 wrote to memory of 264	4992	6vCuCcOa0q4Qfuu.exe	87

C:\Users\Admin\AppData\Local\Temp\6vCuCcOa0q4Qfuu.exe
"C:\Users\Admin\AppData\Local\Temp\6vCuCcOa0q4Qfuu.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4992-0-0x00007FF6721B0000-0x00007FF672548000-memory.dmp

Filesize
3.6MB

Download
memory/4992-1-0x00007FFE5EE50000-0x00007FFE5EE52000-memory.dmp

Filesize
8KB

Download
memory/4992-6-0x00007FF671870000-0x00007FF672E60000-memory.dmp

Filesize
21.9MB

Download
memory/4992-8-0x00007FF671880000-0x00007FF6719CA000-memory.dmp

Filesize
1.3MB

Download
memory/4992-7-0x000002E0835D0000-0x000002E0836D0000-memory.dmp

Filesize
1024KB

Download
memory/4992-12-0x000002E083880000-0x000002E084E70000-memory.dmp

Filesize
21.9MB

Download
memory/4992-18-0x000002E083BC0000-0x000002E084BC0000-memory.dmp

Filesize
16.0MB

Download
memory/4992-20-0x000002E081C30000-0x000002E081C31000-memory.dmp

Filesize
4KB

Download
memory/4992-21-0x000002E083CC0000-0x000002E084CC0000-memory.dmp

Filesize
16.0MB

Download
memory/4992-23-0x000002E083CC0000-0x000002E084CC0000-memory.dmp

Filesize
16.0MB

Download
memory/4992-26-0x00007FF6721B0000-0x00007FF672548000-memory.dmp

Filesize
3.6MB

Download
memory/4992-27-0x00007FF671870000-0x00007FF672E60000-memory.dmp

Filesize
21.9MB

Download
memory/4992-29-0x000002E083880000-0x000002E084E70000-memory.dmp

Filesize
21.9MB

Download
memory/4992-31-0x000002E083BC0000-0x000002E084BC0000-memory.dmp

Filesize
16.0MB

Download
memory/4992-33-0x000002E081C30000-0x000002E081C31000-memory.dmp

Filesize
4KB

Download
memory/4992-34-0x000002E083CC0000-0x000002E084CC0000-memory.dmp

Filesize
16.0MB

Download
memory/4992-36-0x000002E083CC0000-0x000002E084CC0000-memory.dmp

Filesize
16.0MB

Download