Analysis
-
max time kernel
268s -
max time network
299s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
07-11-2022 22:22
General
-
Target
99c08c22c427d7b3ad1d8ac8bc371597030cd477b15dfb494a3a66d65fbc99dd.exe
-
Size
3.5MB
-
MD5
50153b21abcf5baf17ef600b56cec717
-
SHA1
6ea0838ace157f1c71bca27acffd0fe57a9027e1
-
SHA256
99c08c22c427d7b3ad1d8ac8bc371597030cd477b15dfb494a3a66d65fbc99dd
-
SHA512
765a949f58b680302c68cdc87ae20decc433eacbaf477d1da7d26800e30f1db1ca12bc007f79b500cfc684e6f91c08fc8c0a76d57cb67c63231680287a18b1f0
-
SSDEEP
98304:B9IaoMTrov0++pMy12yVMVVMG6BbKUbF4:B+W/m0+y9eVVMGkDB4
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 1 IoCs
-
Themida packer 18 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
GoLang User-Agent 5 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\99c08c22c427d7b3ad1d8ac8bc371597030cd477b15dfb494a3a66d65fbc99dd.exe"C:\Users\Admin\AppData\Local\Temp\99c08c22c427d7b3ad1d8ac8bc371597030cd477b15dfb494a3a66d65fbc99dd.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /C schtasks /create /tn oeItRUniJV /tr C:\Users\Admin\AppData\Roaming\oeItRUniJV\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /tn oeItRUniJV /tr C:\Users\Admin\AppData\Roaming\oeItRUniJV\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {129980F0-D520-41B2-988B-7045BDAAAEE8} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\oeItRUniJV\svcupdater.exeC:\Users\Admin\AppData\Roaming\oeItRUniJV\svcupdater.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.5MB
MD550153b21abcf5baf17ef600b56cec717
SHA16ea0838ace157f1c71bca27acffd0fe57a9027e1
SHA25699c08c22c427d7b3ad1d8ac8bc371597030cd477b15dfb494a3a66d65fbc99dd
SHA512765a949f58b680302c68cdc87ae20decc433eacbaf477d1da7d26800e30f1db1ca12bc007f79b500cfc684e6f91c08fc8c0a76d57cb67c63231680287a18b1f0
-
Filesize
3.5MB
MD550153b21abcf5baf17ef600b56cec717
SHA16ea0838ace157f1c71bca27acffd0fe57a9027e1
SHA25699c08c22c427d7b3ad1d8ac8bc371597030cd477b15dfb494a3a66d65fbc99dd
SHA512765a949f58b680302c68cdc87ae20decc433eacbaf477d1da7d26800e30f1db1ca12bc007f79b500cfc684e6f91c08fc8c0a76d57cb67c63231680287a18b1f0
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
1.7MB
-
Filesize
11.3MB
-
Filesize
1.7MB