Analysis
- max time kernel: 148s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 20:35
Static task: static1
Behavioral task: behavioral1
  Sample: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
  Resource: win10v2004-20221111-en
General
- Target: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
- Size: 296KB
- MD5: 5ba8c5594acd396176fd2d5b7bb8af6b
- SHA1: 437753354ad6ffe383882e4d85089a887c5c6e32
- SHA256: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236
- SHA512: 977ac03d5766b5c1162c7624765b1716b76dadac8820c2c0c257dc02645eb97dcedd775859b4030d3119a0a3f54346d7f7cbb5adb04a2a607adeb9884e927d1d
- SSDEEP: 6144:KdAUtnJuC7JjSQ7Ek1t29xZb4fuusuOHW8tcm+kgnW2iCnroS4blBNvUsFmo:Ebn8C7JmnxZbeu4CWIv+kUvsD/NvUsF1
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
  Processes: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe, explorer.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | explorer.exe
- Executes dropped EXE (2 IoCs)
  Processes: explorer.exe, explorer.exe
  pid | process
  2016 | explorer.exe
  520 | explorer.exe
- Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
  Processes: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe, explorer.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | explorer.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe, explorer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
- Loads dropped DLL (5 IoCs)
  Processes: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe, b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe, explorer.exe
  pid | process
  1112 | b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
  1112 | b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
  2036 | b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
  2016 | explorer.exe
  2016 | explorer.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe, explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WF9iXmlYVg==\\explorer.exe" | b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WF9iXmlYVg==\\explorer.exe" | explorer.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe, explorer.exe
  description | pid | process | target process
  PID 1112 set thread context of 2036 | 1112 | b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe | b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
  PID 2016 set thread context of 520 | 2016 | explorer.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NSIS installer (8 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe | nsis_installer_1
  \Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe | nsis_installer_2
  C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe | nsis_installer_1
  C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe | nsis_installer_2
  C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe | nsis_installer_1
  C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe | nsis_installer_2
  C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe | nsis_installer_1
  C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe | nsis_installer_2
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe, explorer.exe
  description | pid | process
  Token: SeDebugPrivilege | 2036 | b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
  Token: SeDebugPrivilege | 520 | explorer.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe, b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe, explorer.exe
  Identical rows are collapsed; the count column gives the number of occurrences (24 in total).
  description | pid | process | target process | count
  PID 1112 wrote to memory of 2036 | 1112 | b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe | b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe | 10
  PID 2036 wrote to memory of 2016 | 2036 | b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe | explorer.exe | 4
  PID 2016 wrote to memory of 520 | 2016 | explorer.exe | explorer.exe | 10
Processes
- C:\Users\Admin\AppData\Local\Temp\b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe"
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe C:\Users\Admin\AppData\Local\Temp\B03AB8~1.EXE
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe"
        - Looks for VirtualBox Guest Additions in registry
        - Executes dropped EXE
        - Looks for VMWare Tools registry key
        - Checks BIOS information in registry
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Entries with MD5 d41d8cd98f00b204e9800998ecf8427e, SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709, SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 and SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e carry the digests of zero-byte input: those files were empty when captured.
- C:\Users\Admin\AppData\Roaming\10 AFK.mp3
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Roaming\74_443558.png
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe
  Filesize: 296KB
  MD5: 5ba8c5594acd396176fd2d5b7bb8af6b
  SHA1: 437753354ad6ffe383882e4d85089a887c5c6e32
  SHA256: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236
  SHA512: 977ac03d5766b5c1162c7624765b1716b76dadac8820c2c0c257dc02645eb97dcedd775859b4030d3119a0a3f54346d7f7cbb5adb04a2a607adeb9884e927d1d
- C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe
  Filesize: 296KB
  MD5: 5ba8c5594acd396176fd2d5b7bb8af6b
  SHA1: 437753354ad6ffe383882e4d85089a887c5c6e32
  SHA256: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236
  SHA512: 977ac03d5766b5c1162c7624765b1716b76dadac8820c2c0c257dc02645eb97dcedd775859b4030d3119a0a3f54346d7f7cbb5adb04a2a607adeb9884e927d1d
- C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe
  Filesize: 296KB
  MD5: 5ba8c5594acd396176fd2d5b7bb8af6b
  SHA1: 437753354ad6ffe383882e4d85089a887c5c6e32
  SHA256: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236
  SHA512: 977ac03d5766b5c1162c7624765b1716b76dadac8820c2c0c257dc02645eb97dcedd775859b4030d3119a0a3f54346d7f7cbb5adb04a2a607adeb9884e927d1d
- C:\Users\Admin\AppData\Roaming\awjdkawl91uiaowjk1
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \Users\Admin\AppData\Local\Temp\nso22B0.tmp\pantsuit.dll
  Filesize: 52KB
  MD5: 3a38af1114b120dafbdae75b98463462
  SHA1: f1734f6dc23896a347543e4d1d37ab330f5b2f7e
  SHA256: 576c75d790cfb8aa505352850416e2f1aed938e8f394b912a2264185351afe1c
  SHA512: c88bfaad6ab24672c8fd48d52e8116e88fe1b1cb348a003414e16aec95c9001f860f03b45364c92360a59e6a2b4a963939ef4acd3f0f678b3e03da3eb4038180
- \Users\Admin\AppData\Local\Temp\nso22B0.tmp\splash.dll
  Filesize: 4KB
  MD5: cbc07e5cb9791d3b7e17aec4af55fa63
  SHA1: 01f8876012714a99bd660c0b6acc4ca31ac9b3f7
  SHA256: b3c7a9947ee68e937d805012b4bfeb1b9efb5650101e95c20f7e481735d6e431
  SHA512: 0d830bc59c1b9aa43b696d9cc36a1a4a1bb40df642caf25f34fc2da0d851e110e8538ce0d3413223bbbe6a5408e64a0146e08a2d2ba803ce046ec8cd0905b46f
- \Users\Admin\AppData\Local\Temp\nso32E6.tmp\pantsuit.dll
  Filesize: 52KB
  MD5: 3a38af1114b120dafbdae75b98463462
  SHA1: f1734f6dc23896a347543e4d1d37ab330f5b2f7e
  SHA256: 576c75d790cfb8aa505352850416e2f1aed938e8f394b912a2264185351afe1c
  SHA512: c88bfaad6ab24672c8fd48d52e8116e88fe1b1cb348a003414e16aec95c9001f860f03b45364c92360a59e6a2b4a963939ef4acd3f0f678b3e03da3eb4038180
- \Users\Admin\AppData\Local\Temp\nso32E6.tmp\splash.dll
  Filesize: 4KB
  MD5: cbc07e5cb9791d3b7e17aec4af55fa63
  SHA1: 01f8876012714a99bd660c0b6acc4ca31ac9b3f7
  SHA256: b3c7a9947ee68e937d805012b4bfeb1b9efb5650101e95c20f7e481735d6e431
  SHA512: 0d830bc59c1b9aa43b696d9cc36a1a4a1bb40df642caf25f34fc2da0d851e110e8538ce0d3413223bbbe6a5408e64a0146e08a2d2ba803ce046ec8cd0905b46f
- \Users\Admin\AppData\Roaming\WF9iXmlYVg==\explorer.exe
  Filesize: 296KB
  MD5: 5ba8c5594acd396176fd2d5b7bb8af6b
  SHA1: 437753354ad6ffe383882e4d85089a887c5c6e32
  SHA256: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236
  SHA512: 977ac03d5766b5c1162c7624765b1716b76dadac8820c2c0c257dc02645eb97dcedd775859b4030d3119a0a3f54346d7f7cbb5adb04a2a607adeb9884e927d1d
- memory/520-90-0x00000000004105EA-mapping.dmp
- memory/520-94-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/520-95-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/520-96-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1112-54-0x0000000075F51000-0x0000000075F53000-memory.dmp (Filesize: 8KB)
- memory/2016-72-0x0000000000000000-mapping.dmp
- memory/2036-74-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/2036-70-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/2036-69-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/2036-68-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/2036-65-0x00000000004105EA-mapping.dmp
- memory/2036-63-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/2036-64-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/2036-62-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/2036-60-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/2036-58-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/2036-57-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)