Resubmissions
31/10/2022, 22:53  221031-2t11wsdhf2  9
25/09/2022, 04:01  220925-elhg9adbc8  10
15/09/2022, 10:54  220915-mzjapsgeej  9
Analysis
max time kernel: 712s
max time network: 515s
platform: windows10-2004_x64
resource: win10v2004-20220812-es
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-es, locale:es-es, os:windows10-2004-x64, system, windows
submitted: 31/10/2022, 22:53
Behavioral task: behavioral1
Sample: 20.zip
Resource: win10-20220812-es
General
Target: 20.zip
Size: 10.4MB
MD5: e17ed9853440c53954269dc2d97b4ab1
SHA1: ed6f99c188726247614b2affc95da967087c9fef
SHA256: 44a6389937c8a2dcbadfb5d04829a2c36fbcc27b37ddc9719847801222d0cce5
SHA512: 5b02ca10db4617026a911507f9d4a61c167b6435f36135cbfaa572669d53e18d33566db8643feae65ef1315be9f2744dc4fdeb44ec044d8a1770e751dac42bf5
SSDEEP: 196608:yK6qD/i+k2V4c6gC7CASBtm2q3h7/1nUG3NL6GDsIZCE3K1zEkuwCCjnUdy13sx3:yK6m/PHqCASYd7dnUG92GDs3E32LbY2S
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (l4jb9w049j00h704k2exk46qooo.exe)

Executes dropped EXE (4 IoCs)
  PID 1308  l4jb9w049j00h704k2exk46qooo.exe
  PID 4136  l4jb9w049j00h704k2exk46qooo.exe
  PID 3980  l4jb9w049j00h704k2exk46qooo.exe
  PID 3328  l4jb9w049j00h704k2exk46qooo.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (l4jb9w049j00h704k2exk46qooo.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (l4jb9w049j00h704k2exk46qooo.exe)

Loads dropped DLL (2 IoCs)
  PID 3328  l4jb9w049j00h704k2exk46qooo.exe  (both IoCs from this process)

Resources matching yara_rule themida (15 resources)
  behavioral2/files/0x0003000000000727-136.dat
  behavioral2/files/0x0003000000000727-139.dat
  behavioral2/files/0x0003000000000727-140.dat
  behavioral2/memory/3328-141-0x0000000004660000-0x00000000061E4000-memory.dmp
  behavioral2/memory/3328-142-0x0000000004660000-0x00000000061E4000-memory.dmp
  behavioral2/memory/3328-144-0x0000000004660000-0x00000000061E4000-memory.dmp
  behavioral2/memory/3328-145-0x0000000004660000-0x00000000061E4000-memory.dmp
  behavioral2/memory/3328-146-0x0000000004660000-0x00000000061E4000-memory.dmp
  behavioral2/memory/3328-147-0x0000000004660000-0x00000000061E4000-memory.dmp
  behavioral2/memory/3328-148-0x0000000004660000-0x00000000061E4000-memory.dmp
  behavioral2/memory/3328-149-0x0000000004660000-0x00000000061E4000-memory.dmp
  behavioral2/memory/3328-150-0x0000000004660000-0x00000000061E4000-memory.dmp
  behavioral2/memory/3328-151-0x0000000004660000-0x00000000061E4000-memory.dmp
  behavioral2/memory/3328-152-0x0000000004660000-0x00000000061E4000-memory.dmp
  behavioral2/memory/3328-153-0x0000000004660000-0x00000000061E4000-memory.dmp

Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (l4jb9w049j00h704k2exk46qooo.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 50: ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 3328  l4jb9w049j00h704k2exk46qooo.exe

Modifies Internet Explorer settings
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "No"  (l4jb9w049j00h704k2exk46qooo.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No"  (l4jb9w049j00h704k2exk46qooo.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No"  (l4jb9w049j00h704k2exk46qooo.exe)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 3328  l4jb9w049j00h704k2exk46qooo.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3328  l4jb9w049j00h704k2exk46qooo.exe  (all 64 IoCs from this process)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeRestorePrivilege   PID 336  7zG.exe
  Token: 35                   PID 336  7zG.exe
  Token: SeSecurityPrivilege  PID 336  7zG.exe
  Token: SeSecurityPrivilege  PID 336  7zG.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
  PID 336   7zG.exe
  PID 3328  l4jb9w049j00h704k2exk46qooo.exe  (4 IoCs)

Suspicious use of SendNotifyMessage (3 IoCs)
  PID 3328  l4jb9w049j00h704k2exk46qooo.exe  (3 IoCs)
Processes
C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\20.zip
  PID: 4172

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3284

C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\" -an -ai#7zMap8665:66:7zEvent1725
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 336

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe
  Command line: "C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"
  Signatures:
  - Executes dropped EXE
  PID: 1308

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe
  Command line: "C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"
  Signatures:
  - Executes dropped EXE
  PID: 4136

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe
  Command line: "C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"
  Signatures:
  - Executes dropped EXE
  PID: 3980

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe
  Command line: "C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3328
Network
MITRE ATT&CK Enterprise v6
Downloads