f71be5a1b3f5a867f29b4a7d765affe4826c8366450ca6cc2b2839a4c34fa0f0

General

Target

f71be5a1b3f5a867f29b4a7d765affe4826c8366450ca6cc2b2839a4c34fa0f0.bin.exe
Size

3.8MB
MD5

79a7de437dad73c33490fc8dd3f9d6c5
SHA1

3ebd89f9bf858ae9f6d460fde0875ef2061c8535
SHA256

f71be5a1b3f5a867f29b4a7d765affe4826c8366450ca6cc2b2839a4c34fa0f0
SHA512

152990cbc3ccf22d08326a2e5f58cb0f8c96f7d5e20a82a90b894061df85cef800b6e26ee325ced9cea468e7f83fee3f6a6277efdb7d95db81f6517e824e0f73

Score

9^/10

Suspicious use of FindShellTrayWindow 4 IoCs

Suspicious use of SendNotifyMessage 4 IoCs

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 3468	3676	f71be5a1b3f5a867f29b4a7d765affe4826c8366450ca6cc2b2839a4c34fa0f0.bin.exe	67
PID 3676 wrote to memory of 3468	3676	f71be5a1b3f5a867f29b4a7d765affe4826c8366450ca6cc2b2839a4c34fa0f0.bin.exe	67
PID 3676 wrote to memory of 3468	3676	f71be5a1b3f5a867f29b4a7d765affe4826c8366450ca6cc2b2839a4c34fa0f0.bin.exe	67
PID 3676 wrote to memory of 3440	3676	f71be5a1b3f5a867f29b4a7d765affe4826c8366450ca6cc2b2839a4c34fa0f0.bin.exe	68
PID 3676 wrote to memory of 3440	3676	f71be5a1b3f5a867f29b4a7d765affe4826c8366450ca6cc2b2839a4c34fa0f0.bin.exe	68
PID 3676 wrote to memory of 3440	3676	f71be5a1b3f5a867f29b4a7d765affe4826c8366450ca6cc2b2839a4c34fa0f0.bin.exe	68
PID 3440 wrote to memory of 2960	3440	start.exe	70
PID 3440 wrote to memory of 2960	3440	start.exe	70
PID 3440 wrote to memory of 2960	3440	start.exe	70

Executes dropped EXE 2 IoCs

pid	Process
3440	start.exe
2960	ESETNOD.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2960	ESETNOD.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings	f71be5a1b3f5a867f29b4a7d765affe4826c8366450ca6cc2b2839a4c34fa0f0.bin.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ESETNOD.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ESETNOD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ESETNOD.exe

C:\Users\Admin\AppData\Local\Temp\f71be5a1b3f5a867f29b4a7d765affe4826c8366450ca6cc2b2839a4c34fa0f0.bin.exe
"C:\Users\Admin\AppData\Local\Temp\f71be5a1b3f5a867f29b4a7d765affe4826c8366450ca6cc2b2839a4c34fa0f0.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Modifies registry class
PID:3676
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ключи.txt
  2⤵
  PID:3468
- C:\Users\Admin\AppData\Local\Temp\start.exe
  "C:\Users\Admin\AppData\Local\Temp\start.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  PID:3440
- - C:\Users\Admin\AppData\Local\Temp\ESETNOD.exe
    ESETNOD.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks whether UAC is enabled
    - Checks BIOS information in registry
    PID:2960