Analysis Overview
SHA256
3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736
Threat Level: Known bad
The file 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736 was found to be: Known bad.
Malicious Activity Summary
SystemBC
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Checks BIOS information in registry
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Runs ping.exe
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-15 11:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-15 11:31
Reported
2022-11-15 11:33
Platform
win10-20220901-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
SystemBC
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A |
| N/A | N/A | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4492 set thread context of 1948 | N/A | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe
"C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe"
C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe
"C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 20.189.173.5:443 | | tcp |
| N/A | 178.79.208.1:80 | | tcp |
| N/A | 8.8.8.8:53 | bing.aksaradata.web.id | udp |
| N/A | 89.22.225.242:4193 | | tcp |
Files
C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe
| MD5 | 26ba946c7c58efd7299717995b4ec2a2 |
| SHA1 | 8b608f1813a8f7ea3da4bf39f59bdc5381ea5a49 |
| SHA256 | f541d135d44c7fa376ec86e04cab29e2ba69624585cf427a7e8205d320c01eb6 |
| SHA512 | 923cd18bf9f95c4de25ba881d42e8b40979e4ba2c88080407e7cebd34e811baad4e727ba0eb8c6306efa854d514d759c662ed1ad1d41d6eb35a5c9c70eb00eef |
C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe
| MD5 | bdfec0b1acdef636f45c63d4d9af18dd |
| SHA1 | 5b679910970936ec7b41e5f74a9ba55a0fe7da60 |
| SHA256 | 04b87abbcc5a9c693a57875c48cc23c38f7721a66a9f54a4e74f94b8a228d19f |
| SHA512 | ed61850f280b1dc49e08c0440df0317a90ad30a91ea3abf264bdc1ef56a14b429cd53d78574d08e03a5566fbb41c410ed0955369b0f9c6a16416013dabcb0fdc |
C:\ProgramData\mntemp
| MD5 | 74b67ffc2d06bbc77a8ab989ed932c04 |
| SHA1 | 60230f37be50ed8c592aedb0cdd7e344ceca2689 |
| SHA256 | 76e755d18897a0991b938706181ac99cf4e7b16d7364214072de155189a38215 |
| SHA512 | a66f7ae45c15cc3a54d1212ec331f575d8589895f6e4a8626a8dfeffe8be66d62b3c26ab781bc6d3e61f738b1aa64259d60651456c4d3bf3afeed8bf17fd9e56 |