Analysis
max time kernel: 206s
max time network: 284s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 07:40
Static task: static1
Behavioral task: behavioral1
Sample: f1fd2b7e551b16db977e670266a1f905.exe
Resource: win7-20221111-en
General
Target: f1fd2b7e551b16db977e670266a1f905.exe
Size: 2.0MB
MD5: f1fd2b7e551b16db977e670266a1f905
SHA1: 7508ad4cbea2e4928c24d58c30bffde57e08b457
SHA256: 6c278ae9867cbc45cc7be476e60e455f525655e872b2a8231d36490262dbb7bb
SHA512: c5625741c46b99dc936b9e844c83072ffb8f7e3b8ebcb7629670e9880835fd9b0794b3446193702ad621d9da772da154cc37025e68cab23c076fc9c6ddaec0f2
SSDEEP: 49152:w+kVp8hPXfLoABGZLnv5FmANUc9k4LLXW9bYfhof736:wA18ABGZLnv5FeV4/XOYfAz
Malware Config
Extracted config (family: systembc)
slavelever.info:4248
slavelevereoewl.info:4248
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 2 IoCs
Processes: f1fd2b7e551b16db977e670266a1f905.exe (PID 432), f1fd2b7e551b16db977e670266a1f905.exe (PID 1944)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f1fd2b7e551b16db977e670266a1f905.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f1fd2b7e551b16db977e670266a1f905.exe
Checks BIOS information in registry | 2 TTPs | 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: f1fd2b7e551b16db977e670266a1f905.exe (PID 432), f1fd2b7e551b16db977e670266a1f905.exe (PID 1944)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f1fd2b7e551b16db977e670266a1f905.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f1fd2b7e551b16db977e670266a1f905.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f1fd2b7e551b16db977e670266a1f905.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f1fd2b7e551b16db977e670266a1f905.exe
Identifies Wine through registry keys | 2 TTPs | 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: f1fd2b7e551b16db977e670266a1f905.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine | f1fd2b7e551b16db977e670266a1f905.exe
Suspicious use of NtSetInformationThreadHideFromDebugger | 2 IoCs
Processes: f1fd2b7e551b16db977e670266a1f905.exe, f1fd2b7e551b16db977e670266a1f905.exe
pid | process
432 | f1fd2b7e551b16db977e670266a1f905.exe
1944 | f1fd2b7e551b16db977e670266a1f905.exe
Drops file in Windows directory | 2 IoCs
Processes: f1fd2b7e551b16db977e670266a1f905.exe
description | ioc | process
File created | C:\Windows\Tasks\wow64.job | f1fd2b7e551b16db977e670266a1f905.exe
File opened for modification | C:\Windows\Tasks\wow64.job | f1fd2b7e551b16db977e670266a1f905.exe
Suspicious behavior: EnumeratesProcesses | 2 IoCs
Processes: f1fd2b7e551b16db977e670266a1f905.exe, f1fd2b7e551b16db977e670266a1f905.exe
pid | process
432 | f1fd2b7e551b16db977e670266a1f905.exe
1944 | f1fd2b7e551b16db977e670266a1f905.exe
Suspicious use of WriteProcessMemory | 7 IoCs
Processes: taskeng.exe
description | pid | process | target process
PID 1948 wrote to memory of 1944 | 1948 | taskeng.exe | f1fd2b7e551b16db977e670266a1f905.exe
(the same entry is recorded 7 times in the report)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\f1fd2b7e551b16db977e670266a1f905.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1fd2b7e551b16db977e670266a1f905.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses

Depth 1: C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {EEB6C6CD-2FBC-45AA-AC60-4B26806A3B35} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\f1fd2b7e551b16db977e670266a1f905.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f1fd2b7e551b16db977e670266a1f905.exe start
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
name | filesize
memory/432-54-0x0000000000400000-0x000000000089A000-memory.dmp | 4.6MB
memory/432-55-0x0000000077150000-0x00000000772D0000-memory.dmp | 1.5MB
memory/432-56-0x00000000759F1000-0x00000000759F3000-memory.dmp | 8KB
memory/432-57-0x0000000000400000-0x000000000089A000-memory.dmp | 4.6MB
memory/432-58-0x0000000077150000-0x00000000772D0000-memory.dmp | 1.5MB
memory/1944-59-0x0000000000000000-mapping.dmp | -
memory/1944-60-0x0000000000400000-0x000000000089A000-memory.dmp | 4.6MB
memory/1944-62-0x0000000077150000-0x00000000772D0000-memory.dmp | 1.5MB
memory/1944-63-0x0000000000400000-0x000000000089A000-memory.dmp | 4.6MB
memory/1944-64-0x0000000077150000-0x00000000772D0000-memory.dmp | 1.5MB