Analysis
-
max time kernel
86s -
max time network
102s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
21-11-2022 08:25
Behavioral task
behavioral1
Sample
9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
Resource
win10v2004-20221111-en
General
-
Target
9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
-
Size
7.1MB
-
MD5
6c90fa5b5c9de97a444b366ec0d14255
-
SHA1
90cd4499a264ac9e589a0a0c98e0258067aa22a7
-
SHA256
9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897
-
SHA512
538d64476d2f163f7ac3b1021e287c5ae4e041c24fe2065ca970b017015fb420b34cd5f18ff69a3e62c747ac9a64b5574de2189b0ab849dbadc72070e3f21717
-
SSDEEP
98304:AB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:RcUG4raKu24YY7HVT4hV0AD6QgqKRgX
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File created | C:\Users\Admin\Pictures\UnblockStop.crw.getfuckedretard | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
Loads dropped DLL 1 IoCs
Processes:
pid | process
748 | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral1/memory/748-54-0x0000000000030000-0x0000000000750000-memory.dmp | agile_net
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\e65fffb7-3d5c-4db1-92e4-3612a04c6c8b\AgileDotNetRT.dll | themida
behavioral1/memory/748-57-0x0000000073BE0000-0x0000000074365000-memory.dmp | themida
behavioral1/memory/748-58-0x0000000073BE0000-0x0000000074365000-memory.dmp | themida
behavioral1/memory/748-60-0x0000000073BE0000-0x0000000074365000-memory.dmp | themida
behavioral1/memory/748-62-0x0000000073BE0000-0x0000000074365000-memory.dmp | themida
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe\"" | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
Drops desktop.ini file(s) 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\screensaver.png" | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
748 | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | process
748 | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
748 | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
748 | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 748 | 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
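The signature descriptions above (anti-VM registry reads, BIOS checks, a Run key pointing into AppData, wallpaper replacement, appended file extensions, desktop.ini rewrites) are exactly the behaviours a detection engineer would want to turn into rules. The script below is an added example, not part of this Triage report or of any sandbox's code: it replays constructed, Sysmon-style event lines modelled on the IoCs listed above and maps them back to the report's signature names. The "<op>|<target>|<data>" line format, the operation names and the USER_FILE_EXTS set are my own assumptions; only the registry paths, value data and file names are taken from the report.

```python
"""Added example, not part of the Triage report: replay constructed event lines
modelled on this report's IoCs and map them back to the report's signature names.
The "<op>|<target>|<data>" format, the operation names and USER_FILE_EXTS are
assumptions; registry paths, value data and file names come from the IoCs above."""
import re
from collections import defaultdict

# Constructed sample events (assumed format), not the sandbox's raw log.
SAMPLE_EVENTS = [
    r"KeyOpened|\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__|",
    r"ValueQueried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion|",
    r"ValueQueried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion|",
    r"ValueQueried|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|",
    r"ValueSet|\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR|"
    r'"C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe"',
    r"ValueSet|\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper|"
    r"C:\Users\Admin\AppData\Roaming\screensaver.png",
    r"FileCreated|C:\Users\Admin\Pictures\UnblockStop.crw.getfuckedretard|",
    r"FileModified|C:\Users\Admin\Desktop\desktop.ini|",
    r"FileModified|C:\Users\Admin\Pictures\desktop.ini|",
    # Constructed benign noise that must not fire: a normal document save and a
    # Run entry pointing into a system directory (hypothetical names).
    r"FileCreated|C:\Users\Admin\Documents\report.docx|",
    r"ValueSet|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example|C:\Windows\System32\example.exe",
]

# Assumed set of user-document extensions worth watching; extend for real deployments.
USER_FILE_EXTS = {"crw", "jpg", "png", "docx", "xlsx", "pdf", "txt"}

# Registry locations the report shows being read for VM/sandbox detection.
ANTI_VM_KEYS = {
    "\\hardware\\acpi\\dsdt\\vbox__": "Identifies VirtualBox via ACPI registry values (likely anti-VM)",
    "\\hardware\\description\\system\\systembiosversion": "Checks BIOS information in registry",
    "\\hardware\\description\\system\\videobiosversion": "Checks BIOS information in registry",
}

# Run-key targets inside a per-user, attacker-writable directory (AppData), as in the report.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def parse(line):
    """Split one constructed event line into (operation, target, data)."""
    op, target, data = line.split("|", 2)
    return op, target, data


def appended_extension(path):
    """True when a file name keeps a known user extension and tacks an unknown
    one on the end, e.g. UnblockStop.crw.getfuckedretard from the report."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-2] in USER_FILE_EXTS and parts[-1] not in USER_FILE_EXTS


def scan(events):
    """Return {signature name: [matched IoCs]} for the given event lines."""
    hits = defaultdict(list)
    for line in events:
        op, target, data = parse(line)
        t = target.lower()
        if op in ("KeyOpened", "ValueQueried"):
            for suffix, sig in ANTI_VM_KEYS.items():
                if t.endswith(suffix):
                    hits[sig].append(target)
            if t.endswith("\\policies\\system\\enablelua"):
                hits["Checks whether UAC is enabled"].append(target)
        elif op == "ValueSet":
            # Only flag Run entries whose target lives in a user-writable path.
            if "\\currentversion\\run\\" in t and USER_WRITABLE.match(data.strip('"')):
                hits["Adds Run key to start application"].append(f"{target} = {data}")
            elif t.endswith("\\control panel\\desktop\\wallpaper"):
                hits["Sets desktop wallpaper using registry"].append(data)
        elif op == "FileCreated" and appended_extension(target):
            hits["Modifies extensions of user files"].append(target)
        elif op == "FileModified" and t.startswith("c:\\users\\") and t.endswith("\\desktop.ini"):
            hits["Drops desktop.ini file(s)"].append(target)
    return dict(hits)


def ransomware_like(hits):
    """Heuristic verdict: renamed user files plus at least one of the
    persistence or wallpaper behaviours seen in this report."""
    return ("Modifies extensions of user files" in hits and
            ("Adds Run key to start application" in hits
             or "Sets desktop wallpaper using registry" in hits))


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for sig, iocs in results.items():
        print(f"{sig}: {len(iocs)} IoC(s)")
        for ioc in iocs:
            print("   ", ioc)
    print("ransomware-like:", ransomware_like(results))
```

The Run-key rule deliberately requires the value data to point into AppData rather than firing on every write to a Run key, and the extension rule requires a recognised original extension before an unknown suffix, so a plain `.docx` save and a vendor Run entry under System32 stay quiet while the report's seven behaviours all fire.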
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Modifies extensions of user files
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
2.8MB
MD5 1e275530f75ec0222ad0a49117819936
SHA1 c469db9377442dc65d1c4c6cc5985b28cb1c26e2
SHA256 d8519a2a1f40baeb1ee2e6eb1aca27745e5dcab7c046d65b27246e24af57d2bb
SHA512 76af1a2193a3b4dc6adc31c9d160b368c6d1a6368af1e99065b53c01cd1c6a93533167a570e6ea68959eeb06b24664f182ad7eef5d7f1ecbfc4cd55e83a72061