Analysis
- max time kernel: 76s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 30-09-2022 15:30
Behavioral task: behavioral1
- Sample: a4ee9f4729596748dec32a90e27547c0.exe
- Resource: win7-20220812-en
General
- Target: a4ee9f4729596748dec32a90e27547c0.exe
- Size: 6.1MB
- MD5: a4ee9f4729596748dec32a90e27547c0
- SHA1: d8bf8f8e877babd4ee74a63a02e866b8f5e7fd6f
- SHA256: 250e065988da19ed97e3a9ea5c185059688fbe3c9c240f207dc518377ec53ef9
- SHA512: a09a930fed406e2affdbddc725a48405032a02ef877d1c8a3fe50e9344339955b5b4511c6107e430a13e2d2cbd5c7eb636c9e729f6232c9e6f9fa9b2f3e59631
- SSDEEP: 98304:+Mu3f/jr6blqCtAZhO0oNtHjgKPUbzSTcLYUkwf8M2m51AjLrLrQ/J:+Vf/v6bl3tNXtoQcLs/M2mDAjPLA
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a4ee9f4729596748dec32a90e27547c0.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    1740 | DllResource.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a4ee9f4729596748dec32a90e27547c0.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a4ee9f4729596748dec32a90e27547c0.exe
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    1900 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid | process
    1784 | a4ee9f4729596748dec32a90e27547c0.exe
- (YARA rule matches)
  Processes:
    resource | yara_rule
    behavioral1/memory/1784-55-0x0000000000400000-0x0000000001022000-memory.dmp | themida
    behavioral1/memory/1784-61-0x0000000000400000-0x0000000001022000-memory.dmp | themida
    \Users\Admin\TypeRes\DllResource.exe | themida
    C:\Users\Admin\TypeRes\DllResource.exe | themida
    behavioral1/memory/1740-70-0x0000000000400000-0x0000000001022000-memory.dmp | themida
    behavioral1/memory/1784-72-0x0000000000400000-0x0000000001022000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | a4ee9f4729596748dec32a90e27547c0.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
    pid | process
    1784 | a4ee9f4729596748dec32a90e27547c0.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid | process
    1784 | a4ee9f4729596748dec32a90e27547c0.exe
    1784 | a4ee9f4729596748dec32a90e27547c0.exe
    1784 | a4ee9f4729596748dec32a90e27547c0.exe
    1784 | a4ee9f4729596748dec32a90e27547c0.exe
    1784 | a4ee9f4729596748dec32a90e27547c0.exe
    1784 | a4ee9f4729596748dec32a90e27547c0.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
    description | pid | process | target process
    PID 1784 wrote to memory of 1720 | 1784 | a4ee9f4729596748dec32a90e27547c0.exe | schtasks.exe
    PID 1784 wrote to memory of 1720 | 1784 | a4ee9f4729596748dec32a90e27547c0.exe | schtasks.exe
    PID 1784 wrote to memory of 1720 | 1784 | a4ee9f4729596748dec32a90e27547c0.exe | schtasks.exe
    PID 1784 wrote to memory of 1720 | 1784 | a4ee9f4729596748dec32a90e27547c0.exe | schtasks.exe
    PID 1784 wrote to memory of 1740 | 1784 | a4ee9f4729596748dec32a90e27547c0.exe | DllResource.exe
    PID 1784 wrote to memory of 1740 | 1784 | a4ee9f4729596748dec32a90e27547c0.exe | DllResource.exe
    PID 1784 wrote to memory of 1740 | 1784 | a4ee9f4729596748dec32a90e27547c0.exe | DllResource.exe
    PID 1784 wrote to memory of 1740 | 1784 | a4ee9f4729596748dec32a90e27547c0.exe | DllResource.exe
    PID 1784 wrote to memory of 1900 | 1784 | a4ee9f4729596748dec32a90e27547c0.exe | cmd.exe
    PID 1784 wrote to memory of 1900 | 1784 | a4ee9f4729596748dec32a90e27547c0.exe | cmd.exe
    PID 1784 wrote to memory of 1900 | 1784 | a4ee9f4729596748dec32a90e27547c0.exe | cmd.exe
    PID 1784 wrote to memory of 1900 | 1784 | a4ee9f4729596748dec32a90e27547c0.exe | cmd.exe
    PID 1900 wrote to memory of 1700 | 1900 | cmd.exe | chcp.com
    PID 1900 wrote to memory of 1700 | 1900 | cmd.exe | chcp.com
    PID 1900 wrote to memory of 1700 | 1900 | cmd.exe | chcp.com
    PID 1900 wrote to memory of 1700 | 1900 | cmd.exe | chcp.com
    PID 1900 wrote to memory of 1020 | 1900 | cmd.exe | PING.EXE
    PID 1900 wrote to memory of 1020 | 1900 | cmd.exe | PING.EXE
    PID 1900 wrote to memory of 1020 | 1900 | cmd.exe | PING.EXE
    PID 1900 wrote to memory of 1020 | 1900 | cmd.exe | PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\a4ee9f4729596748dec32a90e27547c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4ee9f4729596748dec32a90e27547c0.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\TypeRes\DllResource.exe"
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\TypeRes\DllResource.exe
    Command line: "C:\Users\Admin\TypeRes\DllResource.exe"
    - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a4ee9f4729596748dec32a90e27547c0.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\TypeRes\DllResource.exe
  Filesize: 609.0MB
  MD5: f7b2eb527171d7ad644e5d4be1d036ba
  SHA1: 0dd9f911fbccf4b2fb6757c63d15d8e75ee2d0c2
  SHA256: 2b65afca36c5c50ed692fee7fcc9b9f235f5a7ed5e7d5e77ec39a07d3b3fff0d
  SHA512: a92da8d4ee5cbd7ac9e7b6923578a4ac9db9def545eac49f3dd2507e7a2d1842fd4a551a80ccdc0e3b4495bc0f0ac284f0cb4bad3b8144c2ffe33010e05da74b
- \Users\Admin\TypeRes\DllResource.exe
  Filesize: 613.1MB
  MD5: 256a8b6045ddef279bd3d35cbb2d817c
  SHA1: 90511a578e163c56062c76096fba718db651ce1b
  SHA256: 181d199555cecbfb481b16641e0a0aaa3def0d13b9d625ef166ed02ca0b1d00a
  SHA512: 26311a2164714c427f8ffaefa5d37acb6e5b62663baa37a8e96b03811d58424fbc77ba18c2b9e9313645bb44d4c72c61efca56d4b907af91d26fe8ccae086644
- memory/1020-75-0x0000000000000000-mapping.dmp
- memory/1700-73-0x0000000000000000-mapping.dmp
- memory/1720-64-0x0000000000000000-mapping.dmp
- memory/1740-70-0x0000000000400000-0x0000000001022000-memory.dmp (Filesize: 12.1MB)
- memory/1740-66-0x0000000000000000-mapping.dmp
- memory/1784-69-0x0000000010AA0000-0x00000000116C2000-memory.dmp (Filesize: 12.1MB)
- memory/1784-54-0x00000000762F1000-0x00000000762F3000-memory.dmp (Filesize: 8KB)
- memory/1784-63-0x00000000032F0000-0x000000000346F000-memory.dmp (Filesize: 1.5MB)
- memory/1784-59-0x00000000032F0000-0x000000000346F000-memory.dmp (Filesize: 1.5MB)
- memory/1784-58-0x0000000002B60000-0x00000000032F0000-memory.dmp (Filesize: 7.6MB)
- memory/1784-61-0x0000000000400000-0x0000000001022000-memory.dmp (Filesize: 12.1MB)
- memory/1784-62-0x0000000002B60000-0x00000000032F0000-memory.dmp (Filesize: 7.6MB)
- memory/1784-60-0x00000000032F0000-0x000000000346F000-memory.dmp (Filesize: 1.5MB)
- memory/1784-57-0x0000000002B60000-0x00000000032F0000-memory.dmp (Filesize: 7.6MB)
- memory/1784-76-0x00000000032F0000-0x000000000346F000-memory.dmp (Filesize: 1.5MB)
- memory/1784-72-0x0000000000400000-0x0000000001022000-memory.dmp (Filesize: 12.1MB)
- memory/1784-56-0x0000000077D80000-0x0000000077F00000-memory.dmp (Filesize: 1.5MB)
- memory/1784-74-0x0000000077D80000-0x0000000077F00000-memory.dmp (Filesize: 1.5MB)
- memory/1784-55-0x0000000000400000-0x0000000001022000-memory.dmp (Filesize: 12.1MB)
- memory/1900-71-0x0000000000000000-mapping.dmp