6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a

Analysis

max time kernel
138s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 12:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Size

435KB
MD5

20b326c6e8bc0a201f9a35426b4ddb26
SHA1

ee954732903d1577440a3a71a13132f871065333
SHA256

6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a
SHA512

dc87159eae6063cee66e940c9862e726822e7484131517994afc2eb2fa40da5c35491ccc87a694bb18cb904db39c4e45374ddb4f0878e9bcfe131789463081c9
SSDEEP

3072:qqtQ5UYIYtjMCkUeiRFe41bhffUvZ+1c1r2lSKM1LD/Rl:qVnImMNUBLhj1Qr2lSt1LD/Rl

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString = "Intel Core Processor (Broadwell)"	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier = "AuthenticAMD"	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz = "4192"	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "AuthenticAMD"	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet = "3099311615"	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier = "AMD64 Family 6 Model 61 Stepping 2"	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet = "3099311615"	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "Intel Core Processor (Broadwell)"	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "4192"	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "AMD64 Family 6 Model 61 Stepping 2"	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier = "AMD64 Family 6 Model 61 Stepping 2"	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier = "AMD64 Family 6 Model 61 Stepping 2"	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier = "AT compatible"	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 1884	3920	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe	85
PID 3920 wrote to memory of 1884	3920	6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe	85

C:\Users\Admin\AppData\Local\Temp\6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe
"C:\Users\Admin\AppData\Local\Temp\6d2cea89ad0049d841eafd8fc7cde50567d14294ea97666ffe280a3c1a3fd16a.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3920
- C:\windows\system32\h920ln.exe
  C:\windows\system32\h920ln.exe
  2⤵
  PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3920-0-0x00007FF6BF8B0000-0x00007FF6BF8D4000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads