3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
Size

2.0MB
MD5

504a844c869ee157494cd95e6f2ccd30
SHA1

f0b2d97d7abc916473211141816df126eb978cee
SHA256

3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939
SHA512

b0c8142fe292ccb6fb1eb533188fa0594e09ee40c9ac083313a4ddb5e2927c55fb14d2eed0189bbe2dd7ef4cca37821353c817fcdc2fefad0bd5b94b5ccab9ab
SSDEEP

49152:gDwk0y1heAeC0c+21ACCZtgcZEomhthlpR:jkgC0c3ACCZKomhtxR

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe

Loads dropped DLL 1 IoCs

pid	Process
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
Token: SeDebugPrivilege	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
Token: SeDebugPrivilege	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 368	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	5
PID 1304 wrote to memory of 368	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	5
PID 1304 wrote to memory of 368	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	5
PID 1304 wrote to memory of 368	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	5
PID 1304 wrote to memory of 368	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	5
PID 1304 wrote to memory of 368	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	5
PID 1304 wrote to memory of 384	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	4
PID 1304 wrote to memory of 384	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	4
PID 1304 wrote to memory of 384	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	4
PID 1304 wrote to memory of 384	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	4
PID 1304 wrote to memory of 384	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	4
PID 1304 wrote to memory of 384	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	4
PID 1304 wrote to memory of 420	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	3
PID 1304 wrote to memory of 420	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	3
PID 1304 wrote to memory of 420	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	3
PID 1304 wrote to memory of 420	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	3
PID 1304 wrote to memory of 420	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	3
PID 1304 wrote to memory of 420	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	3
PID 1304 wrote to memory of 464	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	2
PID 1304 wrote to memory of 464	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	2
PID 1304 wrote to memory of 464	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	2
PID 1304 wrote to memory of 464	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	2
PID 1304 wrote to memory of 464	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	2
PID 1304 wrote to memory of 464	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	2
PID 1304 wrote to memory of 480	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	1
PID 1304 wrote to memory of 480	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	1
PID 1304 wrote to memory of 480	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	1
PID 1304 wrote to memory of 480	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	1
PID 1304 wrote to memory of 480	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	1
PID 1304 wrote to memory of 480	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	1
PID 1304 wrote to memory of 488	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	24
PID 1304 wrote to memory of 488	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	24
PID 1304 wrote to memory of 488	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	24
PID 1304 wrote to memory of 488	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	24
PID 1304 wrote to memory of 488	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	24
PID 1304 wrote to memory of 488	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	24
PID 1304 wrote to memory of 588	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	23
PID 1304 wrote to memory of 588	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	23
PID 1304 wrote to memory of 588	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	23
PID 1304 wrote to memory of 588	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	23
PID 1304 wrote to memory of 588	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	23
PID 1304 wrote to memory of 588	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	23
PID 1304 wrote to memory of 664	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	22
PID 1304 wrote to memory of 664	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	22
PID 1304 wrote to memory of 664	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	22
PID 1304 wrote to memory of 664	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	22
PID 1304 wrote to memory of 664	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	22
PID 1304 wrote to memory of 664	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	22
PID 1304 wrote to memory of 748	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	21
PID 1304 wrote to memory of 748	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	21
PID 1304 wrote to memory of 748	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	21
PID 1304 wrote to memory of 748	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	21
PID 1304 wrote to memory of 748	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	21
PID 1304 wrote to memory of 748	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	21
PID 1304 wrote to memory of 804	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	7
PID 1304 wrote to memory of 804	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	7
PID 1304 wrote to memory of 804	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	7
PID 1304 wrote to memory of 804	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	7
PID 1304 wrote to memory of 804	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	7
PID 1304 wrote to memory of 804	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	7
PID 1304 wrote to memory of 844	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	20
PID 1304 wrote to memory of 844	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	20
PID 1304 wrote to memory of 844	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	20
PID 1304 wrote to memory of 844	1304	3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe	20

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:804
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1176
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:792
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1724
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1112
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1056
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:288
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:340
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:868
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:844
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:664
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1876

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe
  "C:\Users\Admin\AppData\Local\Temp\3fce2e995b012f661a59fda9609e5eb546236aa941a1609c04dacab658050939.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\UUWiseHelper.dll

Filesize
228KB

MD5
7c0415db33190179697196004e57d7c4

SHA1
08490854f84d7a8034a6945ff146d4862b15b5a7

SHA256
aa058b89e25c14072acfac4f9159b7d74b20955e3940088e1037d87ca90d9ec1

SHA512
dfd070b4ac5686510251be2564af7cc361246234808b0cb6537ea80e0d3717c061f90c0d4044c7e16d5d875def730ed0ed56ba3d4f7dd580dbdf9e7aab7dd1b7

Download Submit
memory/1304-54-0x0000000000400000-0x000000000074B000-memory.dmp

Filesize
3.3MB

Download
memory/1304-55-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1304-56-0x0000000077B70000-0x0000000077CF0000-memory.dmp

Filesize
1.5MB

Download
memory/1304-57-0x0000000000400000-0x000000000074B000-memory.dmp

Filesize
3.3MB

Download
memory/1304-60-0x0000000000400000-0x000000000074B000-memory.dmp

Filesize
3.3MB

Download
memory/1304-61-0x0000000077B70000-0x0000000077CF0000-memory.dmp

Filesize
1.5MB

Download
memory/1304-62-0x0000000000400000-0x000000000074B000-memory.dmp

Filesize
3.3MB

Download
memory/1304-63-0x0000000077B70000-0x0000000077CF0000-memory.dmp

Filesize
1.5MB

Download