Analysis
- max time kernel: 204s
- max time network: 268s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 13/11/2022, 05:14

Static task: static1
Behavioral task: behavioral1
Sample: efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe
Resource: win7-20220901-en
General
- Target: efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe
- Size: 2.2MB
- MD5: 3aad6e79569fcc68f0b8530225e08743
- SHA1: e1247952bedea6d68c471b779d673167d5e1d774
- SHA256: efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1
- SHA512: b30938d0210f9864f1165348f7bdbc1b6732687e8ee4a013b2c53f0ca0d212f8722cc8c6c4c187645f04d614cf2a21707869812c04ff551057f4d969141ab50d
- SSDEEP: 49152:Il8pLho6EEJZHFqdBiNz0ywwO++wddZHyo:8ULxEaHr0ywwO+RZHyo
Malware Config
- Extracted: systembc
- cryptotab.me:4001
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (ptbwe.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (ptbwe.exe)
- Executes dropped EXE (2 IoCs)
  - PID 856: ptbwe.exe
  - PID 1820: ptbwe.exe
- Checks BIOS information in registry (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (ptbwe.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (ptbwe.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (ptbwe.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (ptbwe.exe)
- Identifies Wine through registry keys (2 TTPs, 3 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  - Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine (efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine (ptbwe.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine (ptbwe.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  - PID 1128: efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe
  - PID 856: ptbwe.exe
  - PID 1820: ptbwe.exe
- Drops file in Windows directory (2 IoCs)
  - File created: C:\Windows\Tasks\ptbwe.job (efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe)
  - File opened for modification: C:\Windows\Tasks\ptbwe.job (efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - PID 1128: efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe
  - PID 1128: efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe
  - PID 856: ptbwe.exe
  - PID 1820: ptbwe.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 836 wrote to memory of 856 (836 taskeng.exe, target PID 28)
  - PID 836 wrote to memory of 856 (836 taskeng.exe, target PID 28)
  - PID 836 wrote to memory of 856 (836 taskeng.exe, target PID 28)
  - PID 836 wrote to memory of 856 (836 taskeng.exe, target PID 28)
  - PID 836 wrote to memory of 1820 (836 taskeng.exe, target PID 29)
  - PID 836 wrote to memory of 1820 (836 taskeng.exe, target PID 29)
  - PID 836 wrote to memory of 1820 (836 taskeng.exe, target PID 29)
  - PID 836 wrote to memory of 1820 (836 taskeng.exe, target PID 29)
Processes
- C:\Users\Admin\AppData\Local\Temp\efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe (PID 1128)
  Command line: "C:\Users\Admin\AppData\Local\Temp\efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (PID 836)
  Command line: taskeng.exe {83A76972-6FAD-4620-A3F9-0347C79D407F} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\jtfnc\ptbwe.exe (PID 856, child of taskeng.exe)
    Command line: C:\ProgramData\jtfnc\ptbwe.exe start2
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
  - C:\ProgramData\jtfnc\ptbwe.exe (PID 1820, child of taskeng.exe)
    Command line: C:\ProgramData\jtfnc\ptbwe.exe start2
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.2MB
  MD5: 3aad6e79569fcc68f0b8530225e08743
  SHA1: e1247952bedea6d68c471b779d673167d5e1d774
  SHA256: efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1
  SHA512: b30938d0210f9864f1165348f7bdbc1b6732687e8ee4a013b2c53f0ca0d212f8722cc8c6c4c187645f04d614cf2a21707869812c04ff551057f4d969141ab50d