Analysis
max time kernel: 147s
max time network: 190s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 02:55
Static task: static1
Behavioral task: behavioral1
Sample: fcc09a5be47bc5bfa35f32270bc00353dd5c6ce327760b61b8b9af7952be1f34.exe
Resource: win7-20221111-en
General
Target: fcc09a5be47bc5bfa35f32270bc00353dd5c6ce327760b61b8b9af7952be1f34.exe
Size: 468KB
MD5: d6d8d85a9e8d51ebccc5c2dbce142103
SHA1: 2c59c931260a5802a038c777186dddce11397fe2
SHA256: fcc09a5be47bc5bfa35f32270bc00353dd5c6ce327760b61b8b9af7952be1f34
SHA512: 99aee273d75170ac28df316049a332536639bbd2676aafddfcb7f67763c02e88bd75d2bbd967f8b966997db98f38e370c4af0c215152875968c3fe347799866f
SSDEEP: 12288:VuC+3L0bELfWKFS/8Mm9+YCY2aTOqidxjut:V9WKAfYI4YCY2aPin
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | fcc09a5be47bc5bfa35f32270bc00353dd5c6ce327760b61b8b9af7952be1f34.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ttv.exe
Executes dropped EXE (1 IoCs)
  pid | Process
  1608 | ttv.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | fcc09a5be47bc5bfa35f32270bc00353dd5c6ce327760b61b8b9af7952be1f34.exe
Loads dropped DLL (21 IoCs)
  pid | Process
  1200 | fcc09a5be47bc5bfa35f32270bc00353dd5c6ce327760b61b8b9af7952be1f34.exe (4 entries)
  1608 | ttv.exe (17 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Checks for any installed AV software in registry (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\AVAST Software\Avast | ttv.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira | ttv.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Avira | ttv.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer (4 IoCs)
  resource | yara_rule
  behavioral2/files/0x0007000000022e08-137.dat | nsis_installer_1
  behavioral2/files/0x0007000000022e08-137.dat | nsis_installer_2
  behavioral2/files/0x0007000000022e08-138.dat | nsis_installer_1
  behavioral2/files/0x0007000000022e08-138.dat | nsis_installer_2
Modifies registry class (2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}\id0 = "24112022" | ttv.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F} | ttv.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1200 | fcc09a5be47bc5bfa35f32270bc00353dd5c6ce327760b61b8b9af7952be1f34.exe (repeated entries)
  1608 | ttv.exe (repeated entries)
  (64 entries in total across both processes)
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  1608 | ttv.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1200 wrote to memory of 1608 | 1200 | fcc09a5be47bc5bfa35f32270bc00353dd5c6ce327760b61b8b9af7952be1f34.exe | 84
  PID 1200 wrote to memory of 1608 | 1200 | fcc09a5be47bc5bfa35f32270bc00353dd5c6ce327760b61b8b9af7952be1f34.exe | 84
  PID 1200 wrote to memory of 1608 | 1200 | fcc09a5be47bc5bfa35f32270bc00353dd5c6ce327760b61b8b9af7952be1f34.exe | 84
Processes
1. C:\Users\Admin\AppData\Local\Temp\fcc09a5be47bc5bfa35f32270bc00353dd5c6ce327760b61b8b9af7952be1f34.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\fcc09a5be47bc5bfa35f32270bc00353dd5c6ce327760b61b8b9af7952be1f34.exe"
   PID: 1200
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks computer location settings
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ttv.exe (depth 2, spawned under PID 1200)
      command line: "C:\Users\Admin\AppData\Local\Temp\ttv.exe"
      PID: 1608
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks for any installed AV software in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 18KB
MD5: e03876429de52398e49cf9b308ec97e2
SHA1: c540ca346d63666d40f7d64bec1fdc742ec9b7ae
SHA256: 515f58aaad94e1a3c00577e258f9592f5e6eea32e0343392f4611852acf0f906
SHA512: c25ac014c77573af44d44f28ad547bd08f0c6f5b342d5d6269fcbd2dc92f8c2b859ea4091bec9c4e4ad8482b8951b03b526d4bfaddf8f802487d30348aaf627c
-
Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize: 4KB
MD5: faa7f034b38e729a983965c04cc70fc1
SHA1: df8bda55b498976ea47d25d8a77539b049dab55e
SHA256: 579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA512: 7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf
-
Filesize: 4KB
MD5: faa7f034b38e729a983965c04cc70fc1
SHA1: df8bda55b498976ea47d25d8a77539b049dab55e
SHA256: 579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA512: 7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf
-
Filesize: 14KB
MD5: a5f8399a743ab7f9c88c645c35b1ebb5
SHA1: 168f3c158913b0367bf79fa413357fbe97018191
SHA256: dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512: 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977
-
Filesize: 14KB
MD5: a5f8399a743ab7f9c88c645c35b1ebb5
SHA1: 168f3c158913b0367bf79fa413357fbe97018191
SHA256: dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512: 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977
-
Filesize: 14KB
MD5: a5f8399a743ab7f9c88c645c35b1ebb5
SHA1: 168f3c158913b0367bf79fa413357fbe97018191
SHA256: dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512: 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977
-
Filesize: 14KB
MD5: a5f8399a743ab7f9c88c645c35b1ebb5
SHA1: 168f3c158913b0367bf79fa413357fbe97018191
SHA256: dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512: 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977
-
Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize: 25KB
MD5: 9d8ce05f532dc7b5742831ec8a63c2d8
SHA1: b014365f723c78a84bcdf8a46cfa016eb2b8dbc5
SHA256: fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982
SHA512: 98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe
-
Filesize: 25KB
MD5: 9d8ce05f532dc7b5742831ec8a63c2d8
SHA1: b014365f723c78a84bcdf8a46cfa016eb2b8dbc5
SHA256: fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982
SHA512: 98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe
-
Filesize: 25KB
MD5: 9d8ce05f532dc7b5742831ec8a63c2d8
SHA1: b014365f723c78a84bcdf8a46cfa016eb2b8dbc5
SHA256: fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982
SHA512: 98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe
-
Filesize: 25KB
MD5: 9d8ce05f532dc7b5742831ec8a63c2d8
SHA1: b014365f723c78a84bcdf8a46cfa016eb2b8dbc5
SHA256: fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982
SHA512: 98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe
-
Filesize: 25KB
MD5: 9d8ce05f532dc7b5742831ec8a63c2d8
SHA1: b014365f723c78a84bcdf8a46cfa016eb2b8dbc5
SHA256: fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982
SHA512: 98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe
-
Filesize: 25KB
MD5: 9d8ce05f532dc7b5742831ec8a63c2d8
SHA1: b014365f723c78a84bcdf8a46cfa016eb2b8dbc5
SHA256: fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982
SHA512: 98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe
-
Filesize: 25KB
MD5: 9d8ce05f532dc7b5742831ec8a63c2d8
SHA1: b014365f723c78a84bcdf8a46cfa016eb2b8dbc5
SHA256: fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982
SHA512: 98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe
-
Filesize: 25KB
MD5: 9d8ce05f532dc7b5742831ec8a63c2d8
SHA1: b014365f723c78a84bcdf8a46cfa016eb2b8dbc5
SHA256: fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982
SHA512: 98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe
-
Filesize: 9KB
MD5: c10e04dd4ad4277d5adc951bb331c777
SHA1: b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256: e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512: 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e
-
Filesize: 9KB
MD5: c10e04dd4ad4277d5adc951bb331c777
SHA1: b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256: e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512: 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e
-
Filesize: 4KB
MD5: faa7f034b38e729a983965c04cc70fc1
SHA1: df8bda55b498976ea47d25d8a77539b049dab55e
SHA256: 579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA512: 7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf
-
Filesize: 4KB
MD5: faa7f034b38e729a983965c04cc70fc1
SHA1: df8bda55b498976ea47d25d8a77539b049dab55e
SHA256: 579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA512: 7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf
-
Filesize: 421KB
MD5: 6dc6162eb7668d389a944758104a510c
SHA1: 8b58ce1d888c240b5b4dbb3f6eb43940039c0717
SHA256: 736059a8284e13018c2eb0fb3c2969dd68e10d66e5d338ab05a7edb5c7782ca9
SHA512: 9d8183b76bea06c1c219aee5247ffd92ceb49b9dcdffebe46f84ed914853c44501108f76d39fc455519b7ecd9c45a15824a65755726f4082da670b0132e1bf83
-
Filesize: 421KB
MD5: 6dc6162eb7668d389a944758104a510c
SHA1: 8b58ce1d888c240b5b4dbb3f6eb43940039c0717
SHA256: 736059a8284e13018c2eb0fb3c2969dd68e10d66e5d338ab05a7edb5c7782ca9
SHA512: 9d8183b76bea06c1c219aee5247ffd92ceb49b9dcdffebe46f84ed914853c44501108f76d39fc455519b7ecd9c45a15824a65755726f4082da670b0132e1bf83