Analysis
max time kernel: 180s
max time network: 310s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 15/11/2022, 04:17
Static task: static1
Behavioral task: behavioral1
  Sample: 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
  Resource: win10v2004-20220812-en
General
Target: 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
Size: 8.2MB
MD5: 8aaa63d32bc201244a89f771d37c5523
SHA1: 9f0b6da7824c11e18bfc67fef016dc4c6d034c6e
SHA256: 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736
SHA512: d75ef26bff91d50fe959a86f20db7813bf8fd6e16ac7d9b17b22401eab29841b60f79bbdd472a1fd29aff7b2f8c8a186f6baf5f29225deb7f879cb76208eaf76
SSDEEP: 98304:0nf7Zg7kBIjYXCz76QOph+F7ccTDhUCuEw3YtVD8flWyK40uLlcKLh+5D:U0jrf6QOph+LsyTyKruJV0D
Malware Config
Extracted (systembc):
  89.22.225.242:4193
  195.2.93.22:4193
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | hiwolos febocisi moq kadi.exe

Executes dropped EXE 1 IoCs
pid | Process
268 | hiwolos febocisi moq kadi.exe

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | hiwolos febocisi moq kadi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | hiwolos febocisi moq kadi.exe

Deletes itself 1 IoCs
pid | Process
852 | cmd.exe

Loads dropped DLL 2 IoCs
pid | Process
1972 | 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe (listed 2 times)

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hiwolos febocisi moq kadi.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
File opened for modification | \??\PhysicalDrive0 | hiwolos febocisi moq kadi.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
1972 | 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
268 | hiwolos febocisi moq kadi.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 268 set thread context of 1968 | 268 | hiwolos febocisi moq kadi.exe | 35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1408 | schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs
pid | Process
1224 | PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
1972 | 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe (listed 6 times)
268 | hiwolos febocisi moq kadi.exe (listed 6 times)

Suspicious use of WriteProcessMemory 29 IoCs
description | pid | Process | procid_target
PID 1972 wrote to memory of 1408 | 1972 | 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | 28 (listed 4 times)
PID 1972 wrote to memory of 268 | 1972 | 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | 30 (listed 4 times)
PID 1972 wrote to memory of 852 | 1972 | 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | 31 (listed 4 times)
PID 852 wrote to memory of 1296 | 852 | cmd.exe | 33 (listed 4 times)
PID 852 wrote to memory of 1224 | 852 | cmd.exe | 34 (listed 4 times)
PID 268 wrote to memory of 1968 | 268 | hiwolos febocisi moq kadi.exe | 35 (listed 9 times)
Processes

C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe"
  PID: 1972
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe"
    PID: 1408
    - Creates scheduled task(s)

  C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe
    Command line: "C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe"
    PID: 268
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      PID: 1968

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe"
    PID: 852
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
      PID: 1296

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1224
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

(unnamed file)
  Filesize: 16B
  MD5: 74b67ffc2d06bbc77a8ab989ed932c04
  SHA1: 60230f37be50ed8c592aedb0cdd7e344ceca2689
  SHA256: 76e755d18897a0991b938706181ac99cf4e7b16d7364214072de155189a38215
  SHA512: a66f7ae45c15cc3a54d1212ec331f575d8589895f6e4a8626a8dfeffe8be66d62b3c26ab781bc6d3e61f738b1aa64259d60651456c4d3bf3afeed8bf17fd9e56

C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe
  Filesize: 772.2MB
  MD5: 6752f9e74ce8c10ea46352228228d788
  SHA1: e236cdbf55c547e5df9461f1724d5fa586ae1333
  SHA256: df8079b096dcc5fda083029446356ca46ee8fd5ccc44e9128bbec26ec417f03e
  SHA512: 222e76486e9ed8f8a616b7511b4a69f6ec9fd38f0056a11a473dec0c0aeb042f416c3c093a97986633dbe15b3d441195e46b90e3b29cbbe68aa92f9c1b9a67f9

C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe
  Filesize: 659.7MB
  MD5: e87eb1d4291c6b6b65298d92a9427cd6
  SHA1: aa2a61ec619b8f7212324785397d22b9094fcd8b
  SHA256: b43a9fcd2cfa60b0141837cbe09249050df7c899e76f476beea993ee842abf04
  SHA512: bd7b0c566cb35472511361dfb48db7bf9e6282e93bfd2f3c5715a844ba2833cdb408b652dde985457020c8a75e915fea0b739bd64ee0930b5c2449a651cd2412

\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe
  Filesize: 772.2MB
  MD5: 6752f9e74ce8c10ea46352228228d788
  SHA1: e236cdbf55c547e5df9461f1724d5fa586ae1333
  SHA256: df8079b096dcc5fda083029446356ca46ee8fd5ccc44e9128bbec26ec417f03e
  SHA512: 222e76486e9ed8f8a616b7511b4a69f6ec9fd38f0056a11a473dec0c0aeb042f416c3c093a97986633dbe15b3d441195e46b90e3b29cbbe68aa92f9c1b9a67f9