Analysis

max time kernel: 175s
max time network: 245s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2022, 22:35

Static task: static1
Behavioral task: behavioral1
Sample: efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe
Resource: win7-20220901-en
General

Target: efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe
Size: 2.2MB
MD5: 3aad6e79569fcc68f0b8530225e08743
SHA1: e1247952bedea6d68c471b779d673167d5e1d774
SHA256: efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1
SHA512: b30938d0210f9864f1165348f7bdbc1b6732687e8ee4a013b2c53f0ca0d212f8722cc8c6c4c187645f04d614cf2a21707869812c04ff551057f4d969141ab50d
SSDEEP: 49152:Il8pLho6EEJZHFqdBiNz0ywwO++wddZHyo:8ULxEaHr0ywwO+RZHyo
Malware Config

Extracted
family: systembc
C2: cryptotab.me:4001
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | miwkdja.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | miwkdja.exe

Executes dropped EXE (2 IoCs)
pid | Process
1484 | miwkdja.exe
1272 | miwkdja.exe

Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | miwkdja.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | miwkdja.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | miwkdja.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | miwkdja.exe
Identifies Wine through registry keys (2 TTPs, 3 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine | efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine | miwkdja.exe
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine | miwkdja.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid | Process
1380 | efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe
1484 | miwkdja.exe
1272 | miwkdja.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Tasks\miwkdja.job | efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe
File created | C:\Windows\Tasks\miwkdja.job | efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1380 | efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe
1380 | efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe
1484 | miwkdja.exe
1272 | miwkdja.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 980 wrote to memory of 1484 | 980 | taskeng.exe | 28
PID 980 wrote to memory of 1484 | 980 | taskeng.exe | 28
PID 980 wrote to memory of 1484 | 980 | taskeng.exe | 28
PID 980 wrote to memory of 1484 | 980 | taskeng.exe | 28
PID 980 wrote to memory of 1272 | 980 | taskeng.exe | 29
PID 980 wrote to memory of 1272 | 980 | taskeng.exe | 29
PID 980 wrote to memory of 1272 | 980 | taskeng.exe | 29
PID 980 wrote to memory of 1272 | 980 | taskeng.exe | 29
Processes

- C:\Users\Admin\AppData\Local\Temp\efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe"
  PID: 1380
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {3F9217A9-93B4-4CE1-9931-AD3DCE7E5A62} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
  PID: 980
  - Suspicious use of WriteProcessMemory

  - C:\ProgramData\pciu\miwkdja.exe (depth 2)
    Command line: C:\ProgramData\pciu\miwkdja.exe start2
    PID: 1484
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

  - C:\ProgramData\pciu\miwkdja.exe (depth 2)
    Command line: C:\ProgramData\pciu\miwkdja.exe start2
    PID: 1272
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

Three entries, all with the same hashes:

Filesize: 2.2MB
MD5: 3aad6e79569fcc68f0b8530225e08743
SHA1: e1247952bedea6d68c471b779d673167d5e1d774
SHA256: efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1
SHA512: b30938d0210f9864f1165348f7bdbc1b6732687e8ee4a013b2c53f0ca0d212f8722cc8c6c4c187645f04d614cf2a21707869812c04ff551057f4d969141ab50d