Analysis
max time kernel: 68s
max time network: 152s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 10/11/2022, 13:02
Static task: static1
Behavioral task: behavioral1
Sample: dd3a5df905b4aca6028903b83919514a.exe
Resource: win7-20220901-en
General
Target: dd3a5df905b4aca6028903b83919514a.exe
Size: 2.0MB
MD5: dd3a5df905b4aca6028903b83919514a
SHA1: 801fc5875148a0a648e6e246dcbd1ce0ad6c007f
SHA256: 56ac1a8dc72d7a18f0af4f434e32479b14f67c3fe99c3bb23d38492e51412957
SHA512: 34bee5e5d9f645f4757762b85a8765919058baf7fc4aad8f11d8f2f80ff80d2daa931c29b83e8437242a9ca2718794a97caa2881ec40a6d68811e386b08e6af1
SSDEEP: 49152:ML53Cyfyr0BZjZHInzzo74PgYwaL/Dftfss:G15qY3NozzRPeoDftf
Malware Config
Extracted: systembc
  slavelever.info:4248
  slavelevereoewl.info:4248
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | dd3a5df905b4aca6028903b83919514a.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | dd3a5df905b4aca6028903b83919514a.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dd3a5df905b4aca6028903b83919514a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | dd3a5df905b4aca6028903b83919514a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dd3a5df905b4aca6028903b83919514a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | dd3a5df905b4aca6028903b83919514a.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine | dd3a5df905b4aca6028903b83919514a.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  1048 | dd3a5df905b4aca6028903b83919514a.exe
  888 | dd3a5df905b4aca6028903b83919514a.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\Tasks\wow64.job | dd3a5df905b4aca6028903b83919514a.exe
  File opened for modification | C:\Windows\Tasks\wow64.job | dd3a5df905b4aca6028903b83919514a.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1048 | dd3a5df905b4aca6028903b83919514a.exe
  888 | dd3a5df905b4aca6028903b83919514a.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 992 wrote to memory of 888 | 992 | taskeng.exe | 28
  PID 992 wrote to memory of 888 | 992 | taskeng.exe | 28
  PID 992 wrote to memory of 888 | 992 | taskeng.exe | 28
  PID 992 wrote to memory of 888 | 992 | taskeng.exe | 28
  PID 992 wrote to memory of 888 | 992 | taskeng.exe | 28
  PID 992 wrote to memory of 888 | 992 | taskeng.exe | 28
  PID 992 wrote to memory of 888 | 992 | taskeng.exe | 28
Processes
C:\Users\Admin\AppData\Local\Temp\dd3a5df905b4aca6028903b83919514a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd3a5df905b4aca6028903b83919514a.exe"
  PID: 1048
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {6BA5B8A4-ED58-4357-8B18-308408FF3003} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 992
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\dd3a5df905b4aca6028903b83919514a.exe (child of PID 992)
    Command line: C:\Users\Admin\AppData\Local\Temp\dd3a5df905b4aca6028903b83919514a.exe start
    PID: 888
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses