b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236

Analysis

max time kernel
148s
max time network
143s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
Size

296KB
MD5

5ba8c5594acd396176fd2d5b7bb8af6b
SHA1

437753354ad6ffe383882e4d85089a887c5c6e32
SHA256

b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236
SHA512

977ac03d5766b5c1162c7624765b1716b76dadac8820c2c0c257dc02645eb97dcedd775859b4030d3119a0a3f54346d7f7cbb5adb04a2a607adeb9884e927d1d
SSDEEP

6144:KdAUtnJuC7JjSQ7Ek1t29xZb4fuusuOHW8tcm+kgnW2iCnroS4blBNvUsFmo:Ebn8C7JmnxZbeu4CWIv+kUvsD/NvUsF1

Score

9^/10

evasion persistence

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	explorer.exe

Executes dropped EXE 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

2016 explorer.exe
520 explorer.exe

pid	process
2016	explorer.exe
520	explorer.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	explorer.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe

Loads dropped DLL 5 IoCs

Processes:

b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exeb03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exeexplorer.exe

pid	process
1112	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
1112	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
2036	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
2016	explorer.exe
2016	explorer.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WF9iXmlYVg==\\explorer.exe"	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WF9iXmlYVg==\\explorer.exe"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exeexplorer.exe

description	pid	process	target process
PID 1112 set thread context of 2036	1112	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
PID 2016 set thread context of 520	2016	explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe	nsis_installer_2

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2036	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
Token: SeDebugPrivilege	520	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exeb03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exeexplorer.exe

description	pid	process	target process
PID 1112 wrote to memory of 2036	1112	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
PID 1112 wrote to memory of 2036	1112	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
PID 1112 wrote to memory of 2036	1112	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
PID 1112 wrote to memory of 2036	1112	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
PID 1112 wrote to memory of 2036	1112	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
PID 1112 wrote to memory of 2036	1112	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
PID 1112 wrote to memory of 2036	1112	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
PID 1112 wrote to memory of 2036	1112	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
PID 1112 wrote to memory of 2036	1112	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
PID 1112 wrote to memory of 2036	1112	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
PID 2036 wrote to memory of 2016	2036	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe	explorer.exe
PID 2036 wrote to memory of 2016	2036	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe	explorer.exe
PID 2036 wrote to memory of 2016	2036	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe	explorer.exe
PID 2036 wrote to memory of 2016	2036	b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe	explorer.exe
PID 2016 wrote to memory of 520	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 520	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 520	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 520	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 520	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 520	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 520	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 520	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 520	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 520	2016	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
"C:\Users\Admin\AppData\Local\Temp\b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
"C:\Users\Admin\AppData\Local\Temp\b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe
C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe C:\Users\Admin\AppData\Local\Temp\B03AB8~1.EXE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe
"C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe"
4⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\10 AFK.mp3
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\74_443558.png
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe
Filesize
296KB

MD5
5ba8c5594acd396176fd2d5b7bb8af6b

SHA1
437753354ad6ffe383882e4d85089a887c5c6e32

SHA256
b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236

SHA512
977ac03d5766b5c1162c7624765b1716b76dadac8820c2c0c257dc02645eb97dcedd775859b4030d3119a0a3f54346d7f7cbb5adb04a2a607adeb9884e927d1d

Download Submit
C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe
Filesize
296KB

MD5
5ba8c5594acd396176fd2d5b7bb8af6b

SHA1
437753354ad6ffe383882e4d85089a887c5c6e32

SHA256
b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236

SHA512
977ac03d5766b5c1162c7624765b1716b76dadac8820c2c0c257dc02645eb97dcedd775859b4030d3119a0a3f54346d7f7cbb5adb04a2a607adeb9884e927d1d

Download Submit
C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe
Filesize
296KB

MD5
5ba8c5594acd396176fd2d5b7bb8af6b

SHA1
437753354ad6ffe383882e4d85089a887c5c6e32

SHA256
b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236

SHA512
977ac03d5766b5c1162c7624765b1716b76dadac8820c2c0c257dc02645eb97dcedd775859b4030d3119a0a3f54346d7f7cbb5adb04a2a607adeb9884e927d1d

Download Submit
C:\Users\Admin\AppData\Roaming\awjdkawl91uiaowjk1
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nso22B0.tmp\pantsuit.dll
Filesize
52KB

MD5
3a38af1114b120dafbdae75b98463462

SHA1
f1734f6dc23896a347543e4d1d37ab330f5b2f7e

SHA256
576c75d790cfb8aa505352850416e2f1aed938e8f394b912a2264185351afe1c

SHA512
c88bfaad6ab24672c8fd48d52e8116e88fe1b1cb348a003414e16aec95c9001f860f03b45364c92360a59e6a2b4a963939ef4acd3f0f678b3e03da3eb4038180

Download Submit
\Users\Admin\AppData\Local\Temp\nso22B0.tmp\splash.dll
Filesize
4KB

MD5
cbc07e5cb9791d3b7e17aec4af55fa63

SHA1
01f8876012714a99bd660c0b6acc4ca31ac9b3f7

SHA256
b3c7a9947ee68e937d805012b4bfeb1b9efb5650101e95c20f7e481735d6e431

SHA512
0d830bc59c1b9aa43b696d9cc36a1a4a1bb40df642caf25f34fc2da0d851e110e8538ce0d3413223bbbe6a5408e64a0146e08a2d2ba803ce046ec8cd0905b46f

Download Submit
\Users\Admin\AppData\Local\Temp\nso32E6.tmp\pantsuit.dll
Filesize
52KB

MD5
3a38af1114b120dafbdae75b98463462

SHA1
f1734f6dc23896a347543e4d1d37ab330f5b2f7e

SHA256
576c75d790cfb8aa505352850416e2f1aed938e8f394b912a2264185351afe1c

SHA512
c88bfaad6ab24672c8fd48d52e8116e88fe1b1cb348a003414e16aec95c9001f860f03b45364c92360a59e6a2b4a963939ef4acd3f0f678b3e03da3eb4038180

Download Submit
\Users\Admin\AppData\Local\Temp\nso32E6.tmp\splash.dll
Filesize
4KB

MD5
cbc07e5cb9791d3b7e17aec4af55fa63

SHA1
01f8876012714a99bd660c0b6acc4ca31ac9b3f7

SHA256
b3c7a9947ee68e937d805012b4bfeb1b9efb5650101e95c20f7e481735d6e431

SHA512
0d830bc59c1b9aa43b696d9cc36a1a4a1bb40df642caf25f34fc2da0d851e110e8538ce0d3413223bbbe6a5408e64a0146e08a2d2ba803ce046ec8cd0905b46f

Download Submit
\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe
Filesize
296KB

MD5
5ba8c5594acd396176fd2d5b7bb8af6b

SHA1
437753354ad6ffe383882e4d85089a887c5c6e32

SHA256
b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236

SHA512
977ac03d5766b5c1162c7624765b1716b76dadac8820c2c0c257dc02645eb97dcedd775859b4030d3119a0a3f54346d7f7cbb5adb04a2a607adeb9884e927d1d

Download Submit
memory/520-90-0x00000000004105EA-mapping.dmp

Download
memory/520-94-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/520-95-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/520-96-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1112-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/2016-72-0x0000000000000000-mapping.dmp

Download
memory/2036-74-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2036-70-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2036-69-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2036-68-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2036-65-0x00000000004105EA-mapping.dmp

Download
memory/2036-63-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2036-64-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2036-62-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2036-60-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2036-58-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2036-57-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download