Analysis
- max time kernel: 296s
- max time network: 330s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 22/11/2022, 05:33
Behavioral tasks
- behavioral1: sample ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe, resource win7-20220812-en
- behavioral2: sample ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe, resource win10-20220812-en
General
- Target: ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe
- Size: 799.1MB
- MD5: c92f10574719f64de71f15142e927922
- SHA1: bc1c5d3a8481f8fda448c55d821da9b2f55fed66
- SHA256: ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de
- SHA512: b0a51feeb6053602eb56a354b25e1ef7d39856e1daa648a8186546476b7f67358c4c40978035fbf246df00323587cfc309506a60a1e5354a86ac6f8c81db87d6
- SSDEEP: 98304:NjtiC2lkD5L18CJVE0CGTtHdxpXP3UDSMOKS6gqiLZFIfbdSK3m:VtP58CrZf3iVrS6gqCZFcxD2
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\cache\\minloapi.exe," (process: reg.exe)
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: minloapi.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe)
Executes dropped EXE (1 IoC)
- PID 1776: minloapi.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: minloapi.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: minloapi.exe)
Loads dropped DLL (1 IoC)
- PID 900: cmd.exe
YARA matches (yara_rule: themida)
- behavioral1/memory/1952-60-0x0000000000A20000-0x00000000016B8000-memory.dmp
- behavioral1/memory/1952-61-0x0000000000A20000-0x00000000016B8000-memory.dmp
- behavioral1/memory/1952-68-0x0000000000A20000-0x00000000016B8000-memory.dmp
- behavioral1/files/0x000900000001311d-72.dat
- behavioral1/files/0x000900000001311d-74.dat
- behavioral1/files/0x000900000001311d-77.dat
- behavioral1/memory/1776-80-0x0000000000BF0000-0x0000000001888000-memory.dmp
- behavioral1/memory/1776-81-0x0000000000BF0000-0x0000000001888000-memory.dmp

Checks whether UAC is enabled (2 IoCs)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: minloapi.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
- PID 1952: ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe
- PID 1776: minloapi.exe
Runs ping.exe (1 TTP, 3 IoCs)
- PID 1760: PING.EXE
- PID 1176: PING.EXE
- PID 1524: PING.EXE
Suspicious behavior: EnumeratesProcesses (5 IoCs)
- PID 1952: ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe (4 IoCs)
- PID 1776: minloapi.exe (1 IoC)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1952: ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe
- Token: SeDebugPrivilege, PID 1776: minloapi.exe
Suspicious use of WriteProcessMemory (31 IoCs)
Each entry gives the writing PID and process, the target PID and the procid_target; identical entries are collapsed with their count.
- PID 1952 (ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe) wrote to memory of 1688, procid_target 26 (4 IoCs)
- PID 1688 (cmd.exe) wrote to memory of 1760, procid_target 28 (4 IoCs)
- PID 1952 (ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe) wrote to memory of 900, procid_target 29 (4 IoCs)
- PID 900 (cmd.exe) wrote to memory of 1176, procid_target 31 (4 IoCs)
- PID 1688 (cmd.exe) wrote to memory of 1072, procid_target 32 (4 IoCs)
- PID 900 (cmd.exe) wrote to memory of 1524, procid_target 33 (4 IoCs)
- PID 900 (cmd.exe) wrote to memory of 1776, procid_target 34 (7 IoCs)
Processes

- Level 1: C:\Users\Admin\AppData\Local\Temp\ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe (PID 1952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - Level 2: C:\Windows\SysWOW64\cmd.exe (PID 1688)
    Command line: "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cache\minloapi.exe,"
    Signatures:
    - Suspicious use of WriteProcessMemory

    - Level 3: C:\Windows\SysWOW64\PING.EXE (PID 1760)
      Command line: ping 127.0.0.1 -n 35
      Signatures:
      - Runs ping.exe

    - Level 3: C:\Windows\SysWOW64\reg.exe (PID 1072)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cache\minloapi.exe,"
      Signatures:
      - Modifies WinLogon for persistence

  - Level 2: C:\Windows\SysWOW64\cmd.exe (PID 900)
    Command line: "cmd" /c ping 127.0.0.1 -n 44 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cache\minloapi.exe" && ping 127.0.0.1 -n 44 > nul && "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cache\minloapi.exe"
    Signatures:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    - Level 3: C:\Windows\SysWOW64\PING.EXE (PID 1176)
      Command line: ping 127.0.0.1 -n 44
      Signatures:
      - Runs ping.exe

    - Level 3: C:\Windows\SysWOW64\PING.EXE (PID 1524)
      Command line: ping 127.0.0.1 -n 44
      Signatures:
      - Runs ping.exe

    - Level 3: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cache\minloapi.exe (PID 1776)
      Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cache\minloapi.exe"
      Signatures:
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 458.2MB
  MD5: bc36587f73aa15c52000a3fd07f873b8
  SHA1: fc7fce66cc0f5dce6a7a273fc9703d12395e3170
  SHA256: a257194b29be0402869cec6b971f26072526c1ce600a3b7478b4baebc1fd2b92
  SHA512: 5f57a739011c2c161870e4603b673d7d98ef72c07dcd185232a11e0429bda50a1feb40fead39d0ea0c00d1a82e97c9893a44660fd94b521fe732c795bc234cb9

- Filesize: 164.8MB
  MD5: 0fe38ecb2aa5b77258ebf273abf0508b
  SHA1: 050f0603a36b0c5b26e653bdf32f439db3abe38e
  SHA256: 3a18e0137083ec6029089c347d1ace0f7c088ece768a304759c012311e70ea39
  SHA512: ead7cbea69ce8f7d62e1ec377e48c2941c03c30ffc556f67f5b8baf52f01d14b3a4fcae7e13cb0ed6fd026722b807b3d6208a46355be9865867f148f3a9367cd

- Filesize: 469.5MB
  MD5: 363e3518281e384049d5831a46664188
  SHA1: 057e277f691f246b65dd723d41a3f4e4a5e7f10d
  SHA256: 368177659b34765aa6f919853dcd7c4095a0e8890152486c696ba7505ccd5a5e
  SHA512: aecbadf675feeedc60c4cd5da74ae50d2ea4a7d428b156d62a3a869c8e4036fb3686c2413be4d5a77a9f2aa0aa976840b54bdf84f23c49ddb6b0896bc5167ddc