Resubmissions
- 31/10/2022, 22:53  221031-2t11wsdhf2  9
- 25/09/2022, 04:01  220925-elhg9adbc8  10
- 15/09/2022, 10:54  220915-mzjapsgeej  9

Analysis
- max time kernel: 719s
- max time network: 623s
- platform: windows10-1703_x64
- resource: win10-20220812-es
- resource tags: arch:x64, arch:x86, image:win10-20220812-es, locale:es-es, os:windows10-1703-x64, system, windows
- submitted: 31/10/2022, 22:53
Behavioral task: behavioral1
- Sample: 20.zip
- Resource: win10-20220812-es

General
- Target: 20.zip
- Size: 10.4MB
- MD5: e17ed9853440c53954269dc2d97b4ab1
- SHA1: ed6f99c188726247614b2affc95da967087c9fef
- SHA256: 44a6389937c8a2dcbadfb5d04829a2c36fbcc27b37ddc9719847801222d0cce5
- SHA512: 5b02ca10db4617026a911507f9d4a61c167b6435f36135cbfaa572669d53e18d33566db8643feae65ef1315be9f2744dc4fdeb44ec044d8a1770e751dac42bf5
- SSDEEP: 196608:yK6qD/i+k2V4c6gC7CASBtm2q3h7/1nUG3NL6GDsIZCE3K1zEkuwCCjnUdy13sx3:yK6m/PHqCASYd7dnUG92GDs3E32LbY2S
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (l4jb9w049j00h704k2exk46qooo.exe) (x2)
- Executes dropped EXE (2 IoCs)
  - PID 4416: l4jb9w049j00h704k2exk46qooo.exe
  - PID 5072: l4jb9w049j00h704k2exk46qooo.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (l4jb9w049j00h704k2exk46qooo.exe) (x2)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (l4jb9w049j00h704k2exk46qooo.exe) (x2)
- Loads dropped DLL (4 IoCs)
  - PID 4416: l4jb9w049j00h704k2exk46qooo.exe (x2)
  - PID 5072: l4jb9w049j00h704k2exk46qooo.exe (x2)
- YARA rule themida matched the following resources:
  - behavioral1/files/0x000700000001ac2e-160.dat
  - behavioral1/files/0x000700000001ac2e-162.dat
  - behavioral1/files/0x000700000001ac2e-161.dat
  - behavioral1/memory/4416-172-0x0000000004960000-0x00000000064E4000-memory.dmp
  - behavioral1/memory/4416-173-0x0000000004960000-0x00000000064E4000-memory.dmp
  - behavioral1/memory/4416-174-0x0000000004960000-0x00000000064E4000-memory.dmp
  - behavioral1/memory/4416-175-0x0000000004960000-0x00000000064E4000-memory.dmp
  - behavioral1/memory/4416-176-0x0000000004960000-0x00000000064E4000-memory.dmp
  - behavioral1/memory/4416-178-0x0000000004960000-0x00000000064E4000-memory.dmp
  - behavioral1/memory/4416-179-0x0000000004960000-0x00000000064E4000-memory.dmp
  - behavioral1/memory/4416-180-0x0000000004960000-0x00000000064E4000-memory.dmp
  - behavioral1/memory/4416-181-0x0000000004960000-0x00000000064E4000-memory.dmp
  - behavioral1/memory/4416-182-0x0000000004960000-0x00000000064E4000-memory.dmp
  - behavioral1/memory/4416-183-0x0000000004960000-0x00000000064E4000-memory.dmp
  - behavioral1/files/0x000700000001ac2e-292.dat
  - behavioral1/files/0x000700000001ac2e-291.dat
- Checks whether UAC is enabled
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (l4jb9w049j00h704k2exk46qooo.exe) (x2)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 7: ipinfo.io
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  - PID 4416: l4jb9w049j00h704k2exk46qooo.exe
  - PID 5072: l4jb9w049j00h704k2exk46qooo.exe
- Modifies Internet Explorer settings
  - Set value (str): \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No" (l4jb9w049j00h704k2exk46qooo.exe) (x2)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No" (l4jb9w049j00h704k2exk46qooo.exe) (x2)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "No" (l4jb9w049j00h704k2exk46qooo.exe) (x2)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  - PID 4416: l4jb9w049j00h704k2exk46qooo.exe
  - PID 5072: l4jb9w049j00h704k2exk46qooo.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 4416: l4jb9w049j00h704k2exk46qooo.exe (x2)
  - PID 5072: l4jb9w049j00h704k2exk46qooo.exe (remaining 62 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  - Token: SeRestorePrivilege, PID 2376, 7zG.exe
  - Token: 35, PID 2376, 7zG.exe
  - Token: SeSecurityPrivilege, PID 2376, 7zG.exe (x2)
- Suspicious use of FindShellTrayWindow (10 IoCs)
  - PID 2376: 7zG.exe
  - PID 4416: l4jb9w049j00h704k2exk46qooo.exe (x5)
  - PID 5072: l4jb9w049j00h704k2exk46qooo.exe (x4)
- Suspicious use of SendNotifyMessage (7 IoCs)
  - PID 4416: l4jb9w049j00h704k2exk46qooo.exe (x4)
  - PID 5072: l4jb9w049j00h704k2exk46qooo.exe (x3)
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 4416 wrote to memory of 680; pid 4416, l4jb9w049j00h704k2exk46qooo.exe, procid_target 73 (x3)
  - PID 680 wrote to memory of 5072; pid 680, cmd.exe, procid_target 75 (x3)
Processes
- C:\Windows\Explorer.exe (PID 4148)
  command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\20.zip
- C:\Windows\System32\rundll32.exe (PID 3012)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zG.exe (PID 2376)
  command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\" -an -ai#7zMap26490:66:7zEvent18462
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe (PID 4416)
  command line: "C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 680, child of PID 4416)
    command line: cmd.exe /c start C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.ahk
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe (PID 5072, child of PID 680)
      command line: C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.ahk
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Modifies Internet Explorer settings
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 10.3MB (this entry is listed 5 times in the original download list)
  MD5: 186b119d39e666a41a602ff6c9605b70
  SHA1: 99599a7c7620265b9e30dc1b7028b34ec274464c
  SHA256: 3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305
  SHA512: be22de499169903b83d6c3c44c6368bda91de8ab636c331424e99cbe01b38cf593a08e293c5f57ab4a4fde9f2a032deef5d94c6664014f02f71a948af5e3ab75
- Filesize: 185B
  MD5: 9882ec7fce0f08d20e7138aeffb11aca
  SHA1: ccdc032eabac74359032e4f418075bcd13e9781d
  SHA256: 851dc30759f774cda21fdbdc06a3f782097ef464c488f8aa5a23e301142e042c
  SHA512: f5cbdd6ad3884ba20f83312720752fb2dc6a09aeffd4408d0b133ffe87616cffb0e5cbd1f3317524f2440ad41b3cc3b98c836263accad12ac1f72a924c238ca3
- Filesize: 889KB (this entry is listed 3 times in the original download list)
  MD5: 03c469798bf1827d989f09f346ce95f7
  SHA1: 05e491bc1b8fbfbfdca24b565f2464137f30691e
  SHA256: de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a
  SHA512: d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238