Analysis
-
max time kernel
134s
max time network
121s
platform
windows7_x64
resource
win7-20220901-en
resource tags
arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted
10/11/2022, 12:01
Static task
static1
Behavioral task
behavioral1
Sample
614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
Resource
win7-20220901-en
General
-
Target
614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
-
Size
2.5MB
-
MD5
efa05fbe474e6b3b28e3bc4ba1a74a54
-
SHA1
540f0d462bfa9bf688ee0dd3a9aaead7aeec0fa1
-
SHA256
614d8a0cfd93b3ab2f4e01ea490ba9d350f7ea786a18b54785581777df71b371
-
SHA512
e2f673c268b96b891cdf3832e3cc554ffa2bd192eee6b6983612f8fe8483994fe071c084394b2ad1aa3659fb354d1c3fd07308bdbc5f78345763e6ba504b18f5
-
SSDEEP
49152:wrk48V+6H3aJjU/IbKijgent+AjT368LGvQJtOMxqw+Uc7Vxh0:1t3aFU/TijRnPn3ZLGvCtOMQw+r
Malware Config
Extracted
systembc
n20b28tu.info:4248
n20b28tu88.info:4248
slavelever.info:4248
slavelevereoewl.info:4248
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)    2 TTPs    4 IoCs
On a VirtualBox guest the ACPI DSDT table is named VBOX__, so opening HKLM\HARDWARE\ACPI\DSDT\VBOX__ is a cheap hypervisor check.
description    ioc                                            Process
Key opened     \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
Key opened     \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
Key opened     \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    solpkqf.exe
Key opened     \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    solpkqf.exe
-
Downloads MZ/PE file
-
Executes dropped EXE    2 IoCs
pid     Process
828     solpkqf.exe
1236    solpkqf.exe
-
Checks BIOS information in registry    2 TTPs    8 IoCs
BIOS information is often read in order to detect sandboxing environments.
description          ioc                                                               Process
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     solpkqf.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    solpkqf.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     solpkqf.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    solpkqf.exe
-
Deletes itself    1 IoC
pid    Process
828    solpkqf.exe
-
Identifies Wine through registry keys    2 TTPs    1 IoC
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description    ioc                                                                          Process
Key opened     \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine    614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger    4 IoCs
Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the thread from delivering debug events to an attached debugger; it is a common anti-debugging step.
pid     Process
1308    614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
1540    614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
828     solpkqf.exe
1236    solpkqf.exe
-
Drops file in Windows directory    5 IoCs
Files with a .job extension under C:\Windows\Tasks\ are legacy Task Scheduler job files; writing one is a persistence indicator, and it matches taskeng.exe being the parent of the later processes below.
description                     ioc                                          Process
File created                    C:\Windows\Tasks\wow64.job                   solpkqf.exe
File opened for modification    C:\Windows\Tasks\wow64.job                   solpkqf.exe
File created                    C:\Windows\Tasks\wow64.job                   614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
File opened for modification    C:\Windows\Tasks\wow64.job                   614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
File created                    C:\Windows\Tasks\oaevlvomkdgngxmgxmb.job     614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
-
Suspicious behavior: EnumeratesProcesses    4 IoCs
pid     Process
1308    614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
1540    614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
828     solpkqf.exe
1236    solpkqf.exe
-
Suspicious use of WriteProcessMemory    18 IoCs
description                        pid    Process        procid_target
PID 112 wrote to memory of 1540    112    taskeng.exe    28
PID 112 wrote to memory of 1540    112    taskeng.exe    28
PID 112 wrote to memory of 1540    112    taskeng.exe    28
PID 112 wrote to memory of 1540    112    taskeng.exe    28
PID 112 wrote to memory of 828     112    taskeng.exe    29
PID 112 wrote to memory of 828     112    taskeng.exe    29
PID 112 wrote to memory of 828     112    taskeng.exe    29
PID 112 wrote to memory of 828     112    taskeng.exe    29
PID 112 wrote to memory of 828     112    taskeng.exe    29
PID 112 wrote to memory of 828     112    taskeng.exe    29
PID 112 wrote to memory of 828     112    taskeng.exe    29
PID 112 wrote to memory of 1236    112    taskeng.exe    30
PID 112 wrote to memory of 1236    112    taskeng.exe    30
PID 112 wrote to memory of 1236    112    taskeng.exe    30
PID 112 wrote to memory of 1236    112    taskeng.exe    30
PID 112 wrote to memory of 1236    112    taskeng.exe    30
PID 112 wrote to memory of 1236    112    taskeng.exe    30
PID 112 wrote to memory of 1236    112    taskeng.exe    30
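The signatures above are produced by matching raw sandbox events (registry opens, file writes, API calls, cross-process memory writes) against known anti-analysis and persistence indicators. The script below is an added example written for this page, not code from the sandbox vendor or from the sample: it tags the same indicator classes on a list of event records and rebuilds the process tree from the WriteProcessMemory edges. The event schema, the tag names and the sample events are assumptions; the sample events are constructed from this report's own IoC tables so the script runs offline.

```python
"""Added triage helper (example code for this page, not part of the sandbox
report or of any vendor tool).

Tags anti-VM / anti-sandbox / anti-debug / persistence indicators on simple
event records and rebuilds the process tree from parent->child edges. The
record schema, rule names and sample data are assumptions constructed from
this report's IoC tables.
"""
import fnmatch
from collections import defaultdict

# Registry paths probed by the sample (glob patterns, matched case-insensitively).
ANTI_ANALYSIS_REGISTRY = {
    "vm:virtualbox-acpi": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    "sandbox:bios-strings": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\*BiosVersion",
    "sandbox:wine": r"\REGISTRY\USER\*\Software\Wine",
}
# Legacy Task Scheduler 1.0 job files under C:\Windows\Tasks are a persistence indicator.
PERSISTENCE_FILES = {"persistence:task-job": r"C:\Windows\Tasks\*.job"}
# NtSetInformationThread information class 0x11 = ThreadHideFromDebugger (anti-debug).
THREAD_HIDE_FROM_DEBUGGER = 0x11


def _match(path, pattern):
    # Windows paths are case-insensitive; fnmatch's '*' also spans backslashes.
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def classify(events):
    """Return {technique_tag: sorted list of process names} for matching events."""
    hits = defaultdict(set)
    for ev in events:
        proc, kind = ev["process"], ev["kind"]
        if kind == "registry":
            for tag, pattern in ANTI_ANALYSIS_REGISTRY.items():
                if _match(ev["path"], pattern):
                    hits[tag].add(proc)
        elif kind == "file":
            for tag, pattern in PERSISTENCE_FILES.items():
                if _match(ev["path"], pattern):
                    hits[tag].add(proc)
        elif kind == "api" and ev["name"] == "NtSetInformationThread":
            if ev.get("info_class") == THREAD_HIDE_FROM_DEBUGGER:
                hits["anti-debug:hide-from-debugger"].add(proc)
    return {tag: sorted(procs) for tag, procs in hits.items()}


def process_tree(processes, edges):
    """processes: {pid: command line}; edges: iterable of (parent_pid, child_pid).
    The sandbox logs one edge per WriteProcessMemory call, so duplicate edges
    are collapsed and the first recorded parent wins. Returns indented lines."""
    parent, children = {}, defaultdict(list)
    for ppid, cpid in edges:
        if cpid not in parent and cpid in processes:
            parent[cpid] = ppid
            children[ppid].append(cpid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {processes[pid]}")
        for child in children[pid]:
            walk(child, depth + 1)

    for pid in processes:
        if pid not in parent:  # roots: processes with no recorded parent
            walk(pid, 0)
    return lines


# --- Constructed sample data, taken from the IoC tables in this report --------
SAMPLE = "614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe"
DROPPED = "solpkqf.exe"
EVENTS = [
    {"kind": "registry", "process": SAMPLE, "path": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"kind": "registry", "process": DROPPED, "path": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"kind": "registry", "process": SAMPLE, "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"kind": "registry", "process": DROPPED, "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"kind": "registry", "process": SAMPLE,
     "path": r"\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine"},
    {"kind": "file", "process": DROPPED, "path": r"C:\Windows\Tasks\wow64.job"},
    {"kind": "file", "process": SAMPLE, "path": r"C:\Windows\Tasks\oaevlvomkdgngxmgxmb.job"},
    {"kind": "api", "process": SAMPLE, "name": "NtSetInformationThread", "info_class": 0x11},
    # Control event that must not be tagged (constructed, not from the report).
    {"kind": "registry", "process": "explorer.exe", "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"},
]
PROCESSES = {1308: SAMPLE, 112: "taskeng.exe", 1540: SAMPLE + " start", 828: DROPPED, 1236: DROPPED + " start"}
EDGES = [(112, 1540)] * 4 + [(112, 828)] * 7 + [(112, 1236)] * 7  # the 18 WriteProcessMemory IoCs

if __name__ == "__main__":
    for tag, procs in sorted(classify(EVENTS).items()):
        print(f"{tag:32} {', '.join(procs)}")
    print("\n".join(process_tree(PROCESSES, EDGES)))
```

The BIOS and Wine patterns deliberately use wildcards so the rules also fire on other user SIDs and on either of the two BiosVersion values; the VirtualBox rule is exact because that key name is fixed by the hypervisor.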
Processes
-
C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe"
  PID: 1308
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {C6C12CCE-2D26-4D36-9D3E-CBFF469B745C} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 112
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe start
    PID: 1540
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
  -
  C:\Windows\TEMP\solpkqf.exe (depth 2)
    Command line: C:\Windows\TEMP\solpkqf.exe
    PID: 828
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Deletes itself
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
  -
  C:\Windows\TEMP\solpkqf.exe (depth 2)
    Command line: C:\Windows\TEMP\solpkqf.exe start
    PID: 1236
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
2.0MB
MD5
dd3a5df905b4aca6028903b83919514a
SHA1
801fc5875148a0a648e6e246dcbd1ce0ad6c007f
SHA256
56ac1a8dc72d7a18f0af4f434e32479b14f67c3fe99c3bb23d38492e51412957
SHA512
34bee5e5d9f645f4757762b85a8765919058baf7fc4aad8f11d8f2f80ff80d2daa931c29b83e8437242a9ca2718794a97caa2881ec40a6d68811e386b08e6af1
-
Filesize
334B
MD5
c9aa4261c3c9e6ea9675cb37e655ed51
SHA1
7fbcbc6269fe8424a2990f7a41eafc6a3e353216
SHA256
7a2a24da7f326f70910eeafa3b1314af78f4b918021af978549039101993f0da
SHA512
2ea17c241637a38b1a6912f7da62cef8fa6c35df601adf2aca73e45e53d8f2edb12d1e02ba9949b8b39777edf9a0db61346f7c10cc2b8b284541284aa91a771d