21f0c149f9d2ee4f03403df5efb255095530a22c76516749a0f09df3971717d6

General

Target

7711b7d19789c424f28ab621d63f9d40N.exe
Size

884KB
MD5

7711b7d19789c424f28ab621d63f9d40
SHA1

e4772a15bcca42cdd6d4910752ab396f9756ff4d
SHA256

21f0c149f9d2ee4f03403df5efb255095530a22c76516749a0f09df3971717d6
SHA512

6bc75ca775b04ebf5feb17534531d9790914c4ac98dd09e203f6f7233d1593d0756359fbe2a3caa82586dc074a86362c91a861556014fd356fc921714f568c61
SSDEEP

24576:vpk0nLZh0K8rNaSxYnsdWgyb7ww+ZKu7hsVTd/:vpkan0K2aSf4ww+ZKomTd/

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7711b7d19789c424f28ab621d63f9d40N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	7711b7d19789c424f28ab621d63f9d40N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	7711b7d19789c424f28ab621d63f9d40N.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	7711b7d19789c424f28ab621d63f9d40N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	7711b7d19789c424f28ab621d63f9d40N.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8FEC8BC-84E7-F712-EBBC-9E6E8FE51280}	7711b7d19789c424f28ab621d63f9d40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8FEC8BC-84E7-F712-EBBC-9E6E8FE51280}\ = "Publication Services Change Data"	7711b7d19789c424f28ab621d63f9d40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8FEC8BC-84E7-F712-EBBC-9E6E8FE51280}\InProcServer32	7711b7d19789c424f28ab621d63f9d40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8FEC8BC-84E7-F712-EBBC-9E6E8FE51280}\InProcServer32\ = "%SystemRoot%\\SysWow64\\provsvc.dll"	7711b7d19789c424f28ab621d63f9d40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8FEC8BC-84E7-F712-EBBC-9E6E8FE51280}\InProcServer32\ThreadingModel = "Both"	7711b7d19789c424f28ab621d63f9d40N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2292	7711b7d19789c424f28ab621d63f9d40N.exe
2292	7711b7d19789c424f28ab621d63f9d40N.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2292	2180	7711b7d19789c424f28ab621d63f9d40N.exe	30
PID 2180 wrote to memory of 2292	2180	7711b7d19789c424f28ab621d63f9d40N.exe	30
PID 2180 wrote to memory of 2292	2180	7711b7d19789c424f28ab621d63f9d40N.exe	30
PID 2180 wrote to memory of 2292	2180	7711b7d19789c424f28ab621d63f9d40N.exe	30
PID 2180 wrote to memory of 2292	2180	7711b7d19789c424f28ab621d63f9d40N.exe	30
PID 2180 wrote to memory of 2292	2180	7711b7d19789c424f28ab621d63f9d40N.exe	30

C:\Users\Admin\AppData\Local\Temp\7711b7d19789c424f28ab621d63f9d40N.exe
"C:\Users\Admin\AppData\Local\Temp\7711b7d19789c424f28ab621d63f9d40N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\7711b7d19789c424f28ab621d63f9d40N.exe
  "C:\Users\Admin\AppData\Local\Temp\7711b7d19789c424f28ab621d63f9d40N.exe"
  2⤵
  - Checks BIOS information in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HTM54D4.tmp

Filesize
6KB

MD5
3f8a36588f96a6504e9efc98c52b868a

SHA1
b94f0f96c4640fd789d6be29e8ee60dbcc04cc0e

SHA256
807589fff0300e0fb07be7e879c5c9110be7cbbb5947bd8b095b226cbe7bd7de

SHA512
97fe9b45ac3577f8acba402ca8da464ffc72852d6e762cd450f618dab698510409d42704a728ab32248a63feb02e08ea7f9f8a2ee154a3deb99eeb1ec5d90b95

Download Submit
memory/2180-1-0x0000000002690000-0x000000000284A000-memory.dmp

Filesize
1.7MB

Download
memory/2180-0-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download
memory/2180-27-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download
memory/2292-16-0x00000000005C0000-0x0000000000616000-memory.dmp

Filesize
344KB

Download
memory/2292-11-0x00000000005C0000-0x0000000000616000-memory.dmp

Filesize
344KB

Download
memory/2292-9-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download
memory/2292-8-0x0000000000507000-0x0000000000508000-memory.dmp

Filesize
4KB

Download
memory/2292-3-0x00000000005C0000-0x0000000000616000-memory.dmp

Filesize
344KB

Download
memory/2292-2-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing