Analysis
- max time kernel: 228s
- max time network: 291s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/11/2022, 04:17
- Static task: static1
- Behavioral task: behavioral1 (Sample: 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe, Resource: win7-20220812-en)
- Behavioral task: behavioral2 (Sample: 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe, Resource: win10v2004-20220812-en)
General
- Target: 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
- Size: 8.2MB
- MD5: 8aaa63d32bc201244a89f771d37c5523
- SHA1: 9f0b6da7824c11e18bfc67fef016dc4c6d034c6e
- SHA256: 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736
- SHA512: d75ef26bff91d50fe959a86f20db7813bf8fd6e16ac7d9b17b22401eab29841b60f79bbdd472a1fd29aff7b2f8c8a186f6baf5f29225deb7f879cb76208eaf76
- SSDEEP: 98304:0nf7Zg7kBIjYXCz76QOph+F7ccTDhUCuEw3YtVD8flWyK40uLlcKLh+5D:U0jrf6QOph+LsyTyKruJV0D
Malware Config
- Extracted: systembc
  - C2: 89.22.225.242:4193
  - C2: 195.2.93.22:4193
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by hiwolos febocisi moq kadi.exe
- Executes dropped EXE (1 IoC)
  - PID 3504: hiwolos febocisi moq kadi.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by hiwolos febocisi moq kadi.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by hiwolos febocisi moq kadi.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation by 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
- Checks whether UAC is enabled (2 IoCs; heading restored from the process tree, where both processes carry this signature)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by hiwolos febocisi moq kadi.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  - File opened for modification: \??\PhysicalDrive0 by 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
  - File opened for modification: \??\PhysicalDrive0 by hiwolos febocisi moq kadi.exe
  Note that the evidence behind this signature is a handle to the raw disk opened with write access, not a captured write; opening \??\PhysicalDrive0 is also how samples read disk geometry and serials for anti-VM checks, so treat this as "raw disk access" until a write is confirmed.
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  - PID 4344: 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
  - PID 3504: hiwolos febocisi moq kadi.exe
- Suspicious use of SetThreadContext (1 IoC)
  - PID 3504 (hiwolos febocisi moq kadi.exe) set the thread context of PID 4856 (target id 93; InstallUtil.exe in the process tree)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description of the signature; no IoC is listed for it in this run, and the extracted config identifies the payload as systembc, so the "ransomware" wording should not be read as a classification of this sample.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 5072: schtasks.exe
- Runs ping.exe (1 TTP, 1 IoC)
  - PID 2844: PING.EXE
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  - PID 4344: 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe (12 hits)
  - PID 3504: hiwolos febocisi moq kadi.exe (12 hits)
- Suspicious use of WriteProcessMemory (20 IoCs)
  - PID 4344 (3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe) wrote to memory of PID 5072 (schtasks.exe, target id 86), 3 times
  - PID 4344 wrote to memory of PID 3504 (hiwolos febocisi moq kadi.exe, target id 88), 3 times
  - PID 4344 wrote to memory of PID 2520 (cmd.exe, target id 89), 3 times
  - PID 2520 (cmd.exe) wrote to memory of PID 4428 (chcp.com, target id 91), 3 times
  - PID 2520 (cmd.exe) wrote to memory of PID 2844 (PING.EXE, target id 92), 3 times
  - PID 3504 (hiwolos febocisi moq kadi.exe) wrote to memory of PID 4856 (InstallUtil.exe, target id 93), 5 times
  The three-write pattern recurs for every parent/child pair in this tree, including cmd.exe into chcp.com, so by itself it is process-creation noise. The five writes from 3504 into 4856, paired with the SetThreadContext signature on the same pair, are the injection into InstallUtil.exe.
Processes
- C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe (depth 1, PID 4344)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5072)
    Command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe"
    (The command line names system32 but the image resolved to SysWOW64: the parent is a 32-bit process and file-system redirection applied. The task name imitates the COM Surrogate, runs at every logon, and requests the highest available privilege level.)
    - Creates scheduled task(s)
  - C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe (depth 2, PID 3504)
    Command line: "C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (depth 3, PID 4856)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      (Started with no arguments by the dropped binary; this is the process whose thread context PID 3504 set, i.e. the hollowed host for the payload.)
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2520)
    Command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe"
    (The ping to localhost is a delay so that the parent has exited before DEL removes the original dropper from disk.)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com (depth 3, PID 4428)
      Command line: chcp 65001
    - C:\Windows\SysWOW64\PING.EXE (depth 3, PID 2844)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- (path not recorded in the report)
  - Filesize: 16B
  - MD5: 74b67ffc2d06bbc77a8ab989ed932c04
  - SHA1: 60230f37be50ed8c592aedb0cdd7e344ceca2689
  - SHA256: 76e755d18897a0991b938706181ac99cf4e7b16d7364214072de155189a38215
  - SHA512: a66f7ae45c15cc3a54d1212ec331f575d8589895f6e4a8626a8dfeffe8be66d62b3c26ab781bc6d3e61f738b1aa64259d60651456c4d3bf3afeed8bf17fd9e56
- C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe
  - Filesize: 788.2MB
  - MD5: f6496055561efaea4cd6e57b7035a207
  - SHA1: 8810a73467c8ea7c022be01c39161d73dc124629
  - SHA256: da069bc72528472bd28ad1b2c7dee95af3ff651267888a46e275642b6f02ae9d
  - SHA512: 9c297ab117db052af08378b0da99007535b207dbc6263410494dd25ae2471137a0a0875509d679b2e31d58454c93392042106699d5c744124755360b3fe00280
  The dropped copy is 788.2MB where the submitted sample is 8.2MB, which is consistent with the binary being inflated on disk at drop time, a common way to push a file past the upload limits of scanners and sandboxes. When hunting for it, match on the scheduled-task target path or the hashes above rather than on size, and expect the oversized file to be rejected by tools with a size cap.