metasploit | 33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9

General

Target

33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Size

8.5MB
MD5

ee535a8ea4f5a528203b7fed911f0cdd
SHA1

5cf4a8b0b3acab1f68df9792677a4dbd4da8dca2
SHA256

33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9
SHA512

e47f3a0622977eec135c3750838aa38c1ea40d7df372cebd56b19f1297fb7dd3d0beb6ddbe6cfdd54bd8d2b02ecd40081608e93f124dc6456c48679306f0a8ce

Score

10^/10

metasploit backdoor evasion themida trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_winhttp

C2

https://213.186.35.153:8080/Q1NSuetz0_jexd_EgquNYw_WOENe-eLtpUPsAQJFSgu

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MSBuild.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/540-58-0x0000000066000000-0x000000006618C000-memory.dmp	upx
behavioral1/memory/540-61-0x0000000066000000-0x000000006618C000-memory.dmp	upx
behavioral1/memory/540-65-0x0000000066000000-0x000000006618C000-memory.dmp	upx
behavioral1/memory/540-69-0x0000000066000000-0x000000006618C000-memory.dmp	upx
behavioral1/memory/540-79-0x0000000066000000-0x000000006618C000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exeMSBuild.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MSBuild.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

MSBuild.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine	MSBuild.exe

Loads dropped DLL 2 IoCs

Processes:

33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe

pid	process
540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/540-54-0x0000000000400000-0x0000000001836000-memory.dmp	themida
behavioral1/memory/540-62-0x0000000000400000-0x0000000001836000-memory.dmp	themida
behavioral1/memory/540-63-0x0000000000400000-0x0000000001836000-memory.dmp	themida
behavioral1/memory/540-64-0x0000000000400000-0x0000000001836000-memory.dmp	themida
behavioral1/memory/540-68-0x0000000000400000-0x0000000001836000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exeMSBuild.exe

pid process

540 33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
1148 MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe

description	pid	process	target process
PID 540 set thread context of 1148	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1196 schtasks.exe

pid	process
1196	schtasks.exe

Modifies registry class 64 IoCs

Processes:

33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCFB3D2B-A0FA-1068-A738-08002B3371B5}\ProxyStubClsid32	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4C466B8-499F-101B-BB78-00AA00383CBB}\ProxyStubClsid32	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7500A6BA-EB65-11D1-938D-0000F87557C9}\TypeLib	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CBB76011-C508-11D1-A3E3-00A0C90AEA82}	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C5-4442-11D1-8906-00A0C9110049}	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\ = "DataBindings"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F2-7697-11D1-A1E9-00A0C90F2731}\TypeLib\Version = "6.0"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}\ProxyStubClsid32	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E43FD401-8715-11D1-98E7-00A0C9702442}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D761-6018-11CF-9016-00AA0068841E}\ProxyStubClsid32	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}\TypeLib	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{737361EC-467F-11D1-810F-0000F87557AA}\TypeLib\Version = "6.0"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0324960-2AAA-11CF-AD67-00AA00614F3E}\TypeLib	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\ = "AsyncProperty_VB5"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C3-4442-11D1-8906-00A0C9110049}	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{737361EC-467F-11D1-810F-0000F87557AA}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45046D60-08CA-11CF-A90F-00AA0062BB4C}\ProxyStubClsid32	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D761-6018-11CF-9016-00AA0068841E}\ = "DataObjectFiles"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D761-6018-11CF-9016-00AA0068841E}\TypeLib\Version = "6.0"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE8F9800-2AAA-11CF-AD67-00AA00614F3E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F1-7697-11D1-A1E9-00A0C90F2731}\TypeLib\Version = "6.0"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}\6.0\9\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\REV_1907.DLL\\3"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45046D60-08CA-11CF-A90F-00AA0062BB4C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4495AD01-C993-11D1-A3E4-00A0C90AEA82}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{737361EC-467F-11D1-810F-0000F87557AA}\ProxyStubClsid32	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F2-7697-11D1-A1E9-00A0C90F2731}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83C49FF0-B294-11D0-9488-00A0C91110ED}\TypeLib\Version = "6.0"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C2-4442-11D1-8906-00A0C9110049}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8284B8A2-A8A8-11D1-A3D2-00A0C90AEA82}\ProxyStubClsid32	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83C49FF0-B294-11D0-9488-00A0C91110ED}	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C2-4442-11D1-8906-00A0C9110049}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C3-4442-11D1-8906-00A0C9110049}\TypeLib\Version = "6.0"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C5-4442-11D1-8906-00A0C9110049}\TypeLib\Version = "6.0"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4495AD01-C993-11D1-A3E4-00A0C90AEA82}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E43FD401-8715-11D1-98E7-00A0C9702442}\ProxyStubClsid32	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C1-4442-11D1-8906-00A0C9110049}\TypeLib\Version = "6.0"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ThreadingModel = "Apartment"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45046D60-08CA-11CF-A90F-00AA0062BB4C}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D761-6018-11CF-9016-00AA0068841E}\TypeLib	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCFB3D2B-A0FA-1068-A738-08002B3371B5}\ = "_DClass"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83C49FF0-B294-11D0-9488-00A0C91110ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C1-4442-11D1-8906-00A0C9110049}\ = "_DDataBoundClass"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C2-4442-11D1-8906-00A0C9110049}\ = "_DDataSourceClass"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C5-4442-11D1-8906-00A0C9110049}\ProxyStubClsid32	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4C46780-499F-101B-BB78-00AA00383CBB}	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE8F9800-2AAA-11CF-AD67-00AA00614F3E}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\TypeLib\Version = "6.0"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E43FD401-8715-11D1-98E7-00A0C9702442}	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E43FD401-8715-11D1-98E7-00A0C9702442}\TypeLib\Version = "6.0"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}\ = "SelectedControls"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7500A6BA-EB65-11D1-938D-0000F87557C9}\TypeLib\Version = "6.0"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83C49FF0-B294-11D0-9488-00A0C91110ED}\ = "DataMembers"	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exeMSBuild.exe

pid process

540 33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
1148 MSBuild.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe

pid process

540 33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe

description	pid	process	target process
PID 540 wrote to memory of 1196	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	schtasks.exe
PID 540 wrote to memory of 1196	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	schtasks.exe
PID 540 wrote to memory of 1196	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	schtasks.exe
PID 540 wrote to memory of 1196	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	schtasks.exe
PID 540 wrote to memory of 1148	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	MSBuild.exe
PID 540 wrote to memory of 1148	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	MSBuild.exe
PID 540 wrote to memory of 1148	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	MSBuild.exe
PID 540 wrote to memory of 1148	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	MSBuild.exe
PID 540 wrote to memory of 1148	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	MSBuild.exe
PID 540 wrote to memory of 1148	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	MSBuild.exe
PID 540 wrote to memory of 1148	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	MSBuild.exe
PID 540 wrote to memory of 1148	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	MSBuild.exe
PID 540 wrote to memory of 1148	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	MSBuild.exe
PID 540 wrote to memory of 1148	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	MSBuild.exe
PID 540 wrote to memory of 1148	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	MSBuild.exe
PID 540 wrote to memory of 1148	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	MSBuild.exe
PID 540 wrote to memory of 1952	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	setx.exe
PID 540 wrote to memory of 1952	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	setx.exe
PID 540 wrote to memory of 1952	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	setx.exe
PID 540 wrote to memory of 1952	540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe	setx.exe

C:\Users\Admin\AppData\Local\Temp\33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
"C:\Users\Admin\AppData\Local\Temp\33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN REV_6266 /TR "'wscript.exe' C:\Users\Admin\AppData\Roaming\{835Q-TPDQ-WI4G-5WBF-YIQX-L57Y}\\Silent.vbs C:\Users\Admin\AppData\Roaming\{835Q-TPDQ-WI4G-5WBF-YIQX-L57Y}\\REV_2807.cmd" /sc ONLOGON /RL HIGHEST /F
  2⤵
  - Creates scheduled task(s)
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1148
- C:\Windows\SysWOW64\setx.exe
  "C:\Windows\System32\setx.exe" ProgramData "C:\ProgramData"
  2⤵
  PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\patch\krn.dll

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
\patch\ntd2.dll

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
memory/540-63-0x0000000000400000-0x0000000001836000-memory.dmp

Filesize
20.2MB

Download
memory/540-78-0x0000000077A20000-0x0000000077BA0000-memory.dmp

Filesize
1.5MB

Download
memory/540-61-0x0000000066000000-0x000000006618C000-memory.dmp

Filesize
1.5MB

Download
memory/540-62-0x0000000000400000-0x0000000001836000-memory.dmp

Filesize
20.2MB

Download
memory/540-55-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/540-64-0x0000000000400000-0x0000000001836000-memory.dmp

Filesize
20.2MB

Download
memory/540-65-0x0000000066000000-0x000000006618C000-memory.dmp

Filesize
1.5MB

Download
memory/540-68-0x0000000000400000-0x0000000001836000-memory.dmp

Filesize
20.2MB

Download
memory/540-69-0x0000000066000000-0x000000006618C000-memory.dmp

Filesize
1.5MB

Download
memory/540-56-0x0000000077A20000-0x0000000077BA0000-memory.dmp

Filesize
1.5MB

Download
memory/540-54-0x0000000000400000-0x0000000001836000-memory.dmp

Filesize
20.2MB

Download
memory/540-79-0x0000000066000000-0x000000006618C000-memory.dmp

Filesize
1.5MB

Download
memory/540-58-0x0000000066000000-0x000000006618C000-memory.dmp

Filesize
1.5MB

Download
memory/1148-73-0x0000000001000000-0x0000000002000000-memory.dmp

Filesize
16.0MB

Download
memory/1148-74-0x00000000016F3000-mapping.dmp

Download
memory/1148-76-0x0000000001000000-0x0000000002000000-memory.dmp

Filesize
16.0MB

Download
memory/1148-83-0x0000000001000000-0x0000000002000000-memory.dmp

Filesize
16.0MB

Download
memory/1148-80-0x0000000001000000-0x0000000002000000-memory.dmp

Filesize
16.0MB

Download
memory/1148-81-0x0000000001000000-0x0000000002000000-memory.dmp

Filesize
16.0MB

Download
memory/1148-82-0x0000000001000000-0x0000000002000000-memory.dmp

Filesize
16.0MB

Download
memory/1148-85-0x0000000001001000-0x0000000001005000-memory.dmp

Filesize
16KB

Download
memory/1148-84-0x0000000077A20000-0x0000000077BA0000-memory.dmp

Filesize
1.5MB

Download
memory/1196-70-0x0000000000000000-mapping.dmp

Download
memory/1952-77-0x0000000000000000-mapping.dmp

Download

pid	process
540	33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
1148	MSBuild.exe

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads