Resubmissions

22/11/2022, 06:53

221122-hnvgdagf3v 10

22/11/2022, 05:33

221122-f8tpgabe75 10

Analysis

  • max time kernel
    296s
  • max time network
    330s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    22/11/2022, 05:33

General

  • Target

    ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe

  • Size

    799.1MB

  • MD5

    c92f10574719f64de71f15142e927922

  • SHA1

    bc1c5d3a8481f8fda448c55d821da9b2f55fed66

  • SHA256

    ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de

  • SHA512

    b0a51feeb6053602eb56a354b25e1ef7d39856e1daa648a8186546476b7f67358c4c40978035fbf246df00323587cfc309506a60a1e5354a86ac6f8c81db87d6

  • SSDEEP

    98304:NjtiC2lkD5L18CJVE0CGTtHdxpXP3UDSMOKS6gqiLZFIfbdSK3m:VtP58CrZf3iVrS6gqCZFcxD2

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe
    "C:\Users\Admin\AppData\Local\Temp\ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cache\minloapi.exe,"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 35
        3⤵
        • Runs ping.exe
        PID:1760
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cache\minloapi.exe,"
        3⤵
        • Modifies WinLogon for persistence
        PID:1072
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 44 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cache\minloapi.exe" && ping 127.0.0.1 -n 44 > nul && "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cache\minloapi.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 44
        3⤵
        • Runs ping.exe
        PID:1176
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 44
        3⤵
        • Runs ping.exe
        PID:1524
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cache\minloapi.exe
        "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cache\minloapi.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1776

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cache\minloapi.exe

          Filesize

          458.2MB

          MD5

          bc36587f73aa15c52000a3fd07f873b8

          SHA1

          fc7fce66cc0f5dce6a7a273fc9703d12395e3170

          SHA256

          a257194b29be0402869cec6b971f26072526c1ce600a3b7478b4baebc1fd2b92

          SHA512

          5f57a739011c2c161870e4603b673d7d98ef72c07dcd185232a11e0429bda50a1feb40fead39d0ea0c00d1a82e97c9893a44660fd94b521fe732c795bc234cb9

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cache\minloapi.exe

          Filesize

          164.8MB

          MD5

          0fe38ecb2aa5b77258ebf273abf0508b

          SHA1

          050f0603a36b0c5b26e653bdf32f439db3abe38e

          SHA256

          3a18e0137083ec6029089c347d1ace0f7c088ece768a304759c012311e70ea39

          SHA512

          ead7cbea69ce8f7d62e1ec377e48c2941c03c30ffc556f67f5b8baf52f01d14b3a4fcae7e13cb0ed6fd026722b807b3d6208a46355be9865867f148f3a9367cd

        • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cache\minloapi.exe

          Filesize

          469.5MB

          MD5

          363e3518281e384049d5831a46664188

          SHA1

          057e277f691f246b65dd723d41a3f4e4a5e7f10d

          SHA256

          368177659b34765aa6f919853dcd7c4095a0e8890152486c696ba7505ccd5a5e

          SHA512

          aecbadf675feeedc60c4cd5da74ae50d2ea4a7d428b156d62a3a869c8e4036fb3686c2413be4d5a77a9f2aa0aa976840b54bdf84f23c49ddb6b0896bc5167ddc

        • memory/1776-81-0x0000000000BF0000-0x0000000001888000-memory.dmp

          Filesize

          12.6MB

        • memory/1776-80-0x0000000000BF0000-0x0000000001888000-memory.dmp

          Filesize

          12.6MB

        • memory/1776-76-0x0000000077240000-0x00000000773C0000-memory.dmp

          Filesize

          1.5MB

        • memory/1952-61-0x0000000000A20000-0x00000000016B8000-memory.dmp

          Filesize

          12.6MB

        • memory/1952-60-0x0000000000A20000-0x00000000016B8000-memory.dmp

          Filesize

          12.6MB

        • memory/1952-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

          Filesize

          8KB

        • memory/1952-59-0x0000000000A20000-0x00000000016B8000-memory.dmp

          Filesize

          12.6MB

        • memory/1952-69-0x0000000077240000-0x00000000773C0000-memory.dmp

          Filesize

          1.5MB

        • memory/1952-56-0x0000000077240000-0x00000000773C0000-memory.dmp

          Filesize

          1.5MB

        • memory/1952-68-0x0000000000A20000-0x00000000016B8000-memory.dmp

          Filesize

          12.6MB

        • memory/1952-55-0x0000000000A20000-0x00000000016B8000-memory.dmp

          Filesize

          12.6MB

        • memory/1952-63-0x0000000002DC0000-0x0000000002DD8000-memory.dmp

          Filesize

          96KB

        • memory/1952-62-0x0000000002D90000-0x0000000002DC0000-memory.dmp

          Filesize

          192KB