Analysis
max time kernel: 300s
max time network: 311s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22/11/2022, 05:33
Behavioral task: behavioral1
Sample: ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe
Resource: win10-20220812-en
General
Target: ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe
Size: 799.1MB
MD5: c92f10574719f64de71f15142e927922
SHA1: bc1c5d3a8481f8fda448c55d821da9b2f55fed66
SHA256: ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de
SHA512: b0a51feeb6053602eb56a354b25e1ef7d39856e1daa648a8186546476b7f67358c4c40978035fbf246df00323587cfc309506a60a1e5354a86ac6f8c81db87d6
SSDEEP: 98304:NjtiC2lkD5L18CJVE0CGTtHdxpXP3UDSMOKS6gqiLZFIfbdSK3m:VtP58CrZf3iVrS6gqCZFcxD2
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\cache\\minloapi.exe," | reg.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | minloapi.exe
Executes dropped EXE (1 IoC)
pid | Process
4512 | minloapi.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | minloapi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | minloapi.exe
resource | yara_rule
behavioral2/memory/2656-161-0x0000000000CD0000-0x0000000001968000-memory.dmp | themida
behavioral2/memory/2656-162-0x0000000000CD0000-0x0000000001968000-memory.dmp | themida
behavioral2/memory/2656-265-0x0000000000CD0000-0x0000000001968000-memory.dmp | themida
behavioral2/files/0x000600000001abf3-317.dat | themida
behavioral2/files/0x000600000001abf3-325.dat | themida
behavioral2/memory/4512-364-0x0000000000180000-0x0000000000E18000-memory.dmp | themida
behavioral2/memory/4512-365-0x0000000000180000-0x0000000000E18000-memory.dmp | themida
Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | minloapi.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
2656 | ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe
4512 | minloapi.exe
Runs ping.exe (1 TTP, 3 IoCs)
pid | Process
4852 | PING.EXE
4816 | PING.EXE
4720 | PING.EXE
Suspicious behavior: EnumeratesProcesses (21 IoCs)
pid | Process
2656 | ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe (17 identical entries)
4512 | minloapi.exe (4 identical entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2656 | ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe
Token: SeDebugPrivilege | 4512 | minloapi.exe
Suspicious use of WriteProcessMemory (21 IoCs; each row below was reported 3 times)
description | pid | Process | procid_target
PID 2656 wrote to memory of 5092 | 2656 | ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe | 67
PID 5092 wrote to memory of 4816 | 5092 | cmd.exe | 69
PID 2656 wrote to memory of 4996 | 2656 | ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe | 70
PID 4996 wrote to memory of 4720 | 4996 | cmd.exe | 72
PID 5092 wrote to memory of 3952 | 5092 | cmd.exe | 73
PID 4996 wrote to memory of 4852 | 4996 | cmd.exe | 74
PID 4996 wrote to memory of 4512 | 4996 | cmd.exe | 75
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2656

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\cache\minloapi.exe,"
    - Suspicious use of WriteProcessMemory
    PID: 5092

    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 37
      - Runs ping.exe
      PID: 4816

    Depth 3: C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\cache\minloapi.exe,"
      - Modifies WinLogon for persistence
      PID: 3952

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c ping 127.0.0.1 -n 44 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\cache\minloapi.exe" && ping 127.0.0.1 -n 44 > nul && "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\cache\minloapi.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4996

    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 44
      - Runs ping.exe
      PID: 4720

    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 44
      - Runs ping.exe
      PID: 4852

    Depth 3: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\cache\minloapi.exe
      Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\cache\minloapi.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4512
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 799.1MB
MD5: c92f10574719f64de71f15142e927922
SHA1: bc1c5d3a8481f8fda448c55d821da9b2f55fed66
SHA256: ba137558e3d88cd6d9bb8b5d06662b6de3c878fcbec37cac07a617538df045de
SHA512: b0a51feeb6053602eb56a354b25e1ef7d39856e1daa648a8186546476b7f67358c4c40978035fbf246df00323587cfc309506a60a1e5354a86ac6f8c81db87d6