Analysis
-
max time kernel
138s -
max time network
164s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
19-06-2022 23:34
General
-
Target
33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
-
Size
8.5MB
-
MD5
ee535a8ea4f5a528203b7fed911f0cdd
-
SHA1
5cf4a8b0b3acab1f68df9792677a4dbd4da8dca2
-
SHA256
33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9
-
SHA512
e47f3a0622977eec135c3750838aa38c1ea40d7df372cebd56b19f1297fb7dd3d0beb6ddbe6cfdd54bd8d2b02ecd40081608e93f124dc6456c48679306f0a8ce
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Extracted
metasploit
windows/reverse_winhttp
https://213.186.35.153:8080/Q1NSuetz0_jexd_EgquNYw_WOENe-eLtpUPsAQJFSgu
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Themida packer 5 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe"C:\Users\Admin\AppData\Local\Temp\33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN REV_6266 /TR "'wscript.exe' C:\Users\Admin\AppData\Roaming\{835Q-TPDQ-WI4G-5WBF-YIQX-L57Y}\\Silent.vbs C:\Users\Admin\AppData\Roaming\{835Q-TPDQ-WI4G-5WBF-YIQX-L57Y}\\REV_2807.cmd" /sc ONLOGON /RL HIGHEST /F2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\setx.exe"C:\Windows\System32\setx.exe" ProgramData "C:\ProgramData"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\patch\krn.dllFilesize
1.1MB
MD59b98d47916ead4f69ef51b56b0c2323c
SHA1290a80b4ded0efc0fd00816f373fcea81a521330
SHA25696e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
SHA51268b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94
-
\patch\ntd2.dllFilesize
1.2MB
MD5d124f55b9393c976963407dff51ffa79
SHA12c7bbedd79791bfb866898c85b504186db610b5d
SHA256ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
-
memory/540-63-0x0000000000400000-0x0000000001836000-memory.dmpFilesize
20.2MB
-
memory/540-78-0x0000000077A20000-0x0000000077BA0000-memory.dmpFilesize
1.5MB
-
memory/540-61-0x0000000066000000-0x000000006618C000-memory.dmpFilesize
1.5MB
-
memory/540-62-0x0000000000400000-0x0000000001836000-memory.dmpFilesize
20.2MB
-
memory/540-55-0x0000000075B61000-0x0000000075B63000-memory.dmpFilesize
8KB
-
memory/540-64-0x0000000000400000-0x0000000001836000-memory.dmpFilesize
20.2MB
-
memory/540-65-0x0000000066000000-0x000000006618C000-memory.dmpFilesize
1.5MB
-
memory/540-68-0x0000000000400000-0x0000000001836000-memory.dmpFilesize
20.2MB
-
memory/540-69-0x0000000066000000-0x000000006618C000-memory.dmpFilesize
1.5MB
-
memory/540-56-0x0000000077A20000-0x0000000077BA0000-memory.dmpFilesize
1.5MB
-
memory/540-54-0x0000000000400000-0x0000000001836000-memory.dmpFilesize
20.2MB
-
memory/540-79-0x0000000066000000-0x000000006618C000-memory.dmpFilesize
1.5MB
-
memory/540-58-0x0000000066000000-0x000000006618C000-memory.dmpFilesize
1.5MB
-
memory/1148-73-0x0000000001000000-0x0000000002000000-memory.dmpFilesize
16.0MB
-
memory/1148-74-0x00000000016F3000-mapping.dmp
-
memory/1148-76-0x0000000001000000-0x0000000002000000-memory.dmpFilesize
16.0MB
-
memory/1148-83-0x0000000001000000-0x0000000002000000-memory.dmpFilesize
16.0MB
-
memory/1148-80-0x0000000001000000-0x0000000002000000-memory.dmpFilesize
16.0MB
-
memory/1148-81-0x0000000001000000-0x0000000002000000-memory.dmpFilesize
16.0MB
-
memory/1148-82-0x0000000001000000-0x0000000002000000-memory.dmpFilesize
16.0MB
-
memory/1148-85-0x0000000001001000-0x0000000001005000-memory.dmpFilesize
16KB
-
memory/1148-84-0x0000000077A20000-0x0000000077BA0000-memory.dmpFilesize
1.5MB
-
memory/1196-70-0x0000000000000000-mapping.dmp
-
memory/1952-77-0x0000000000000000-mapping.dmp