Analysis
- max time kernel: 187s
- max time network: 212s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 20:35

Static task: static1

Behavioral task: behavioral1
- Sample: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
- Resource: win10v2004-20221111-en
General
- Target: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
- Size: 296KB
- MD5: 5ba8c5594acd396176fd2d5b7bb8af6b
- SHA1: 437753354ad6ffe383882e4d85089a887c5c6e32
- SHA256: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236
- SHA512: 977ac03d5766b5c1162c7624765b1716b76dadac8820c2c0c257dc02645eb97dcedd775859b4030d3119a0a3f54346d7f7cbb5adb04a2a607adeb9884e927d1d
- SSDEEP: 6144:KdAUtnJuC7JjSQ7Ek1t29xZb4fuusuOHW8tcm+kgnW2iCnroS4blBNvUsFmo:Ebn8C7JmnxZbeu4CWIv+kUvsD/NvUsF1
Malware Config
(no configuration extracted)

Signatures

- Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions (b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe)
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions (splwow64.exe)

- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 4984 splwow64.exe
  - 864 splwow64.exe

- Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools (b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe)
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools (splwow64.exe)

- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (splwow64.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (splwow64.exe)

- Loads dropped DLL (4 IoCs)
  Processes (pid / process):
  - 676 b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
  - 676 b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
  - 4984 splwow64.exe
  - 4984 splwow64.exe

- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\splwow64.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WF9iXmlYVg==\\splwow64.exe" (b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\splwow64.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WF9iXmlYVg==\\splwow64.exe" (splwow64.exe)

- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description / pid / process / target process):
  - PID 676 set thread context of 364 (b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe -> b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe)
  - PID 4984 set thread context of 864 (splwow64.exe -> splwow64.exe)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- NSIS installer (6 IoCs)
  Processes (resource / yara_rule):
  - C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\splwow64.exe: nsis_installer_1
  - C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\splwow64.exe: nsis_installer_2
  - C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\splwow64.exe: nsis_installer_1
  - C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\splwow64.exe: nsis_installer_2
  - C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\splwow64.exe: nsis_installer_1
  - C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\splwow64.exe: nsis_installer_2

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, PID 364 (b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe)
  - Token: SeDebugPrivilege, PID 864 (splwow64.exe)

- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description / pid / process / target process):
  - PID 676 wrote to memory of 364 (b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe -> b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe), recorded 9 times
  - PID 364 wrote to memory of 4984 (b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe -> splwow64.exe), recorded 3 times
  - PID 4984 wrote to memory of 864 (splwow64.exe -> splwow64.exe), recorded 9 times
Processes (tree; nesting shows parent/child, the number in brackets is the depth marker from the report)

- [1] C:\Users\Admin\AppData\Local\Temp\b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236.exe"
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\splwow64.exe
      Command line: C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\splwow64.exe C:\Users\Admin\AppData\Local\Temp\B03AB8~1.EXE
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      - [4] C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\splwow64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\splwow64.exe"
        - Looks for VirtualBox Guest Additions in registry
        - Executes dropped EXE
        - Looks for VMWare Tools registry key
        - Checks BIOS information in registry
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
Network
(no network activity recorded)

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Local\Temp\nslEC9F.tmp\pantsuit.dll
  Filesize: 52KB
  MD5: 3a38af1114b120dafbdae75b98463462
  SHA1: f1734f6dc23896a347543e4d1d37ab330f5b2f7e
  SHA256: 576c75d790cfb8aa505352850416e2f1aed938e8f394b912a2264185351afe1c
  SHA512: c88bfaad6ab24672c8fd48d52e8116e88fe1b1cb348a003414e16aec95c9001f860f03b45364c92360a59e6a2b4a963939ef4acd3f0f678b3e03da3eb4038180

- C:\Users\Admin\AppData\Local\Temp\nslEC9F.tmp\splash.dll
  Filesize: 4KB
  MD5: cbc07e5cb9791d3b7e17aec4af55fa63
  SHA1: 01f8876012714a99bd660c0b6acc4ca31ac9b3f7
  SHA256: b3c7a9947ee68e937d805012b4bfeb1b9efb5650101e95c20f7e481735d6e431
  SHA512: 0d830bc59c1b9aa43b696d9cc36a1a4a1bb40df642caf25f34fc2da0d851e110e8538ce0d3413223bbbe6a5408e64a0146e08a2d2ba803ce046ec8cd0905b46f

- C:\Users\Admin\AppData\Local\Temp\nsy691C.tmp\pantsuit.dll
  Filesize: 52KB
  MD5: 3a38af1114b120dafbdae75b98463462
  SHA1: f1734f6dc23896a347543e4d1d37ab330f5b2f7e
  SHA256: 576c75d790cfb8aa505352850416e2f1aed938e8f394b912a2264185351afe1c
  SHA512: c88bfaad6ab24672c8fd48d52e8116e88fe1b1cb348a003414e16aec95c9001f860f03b45364c92360a59e6a2b4a963939ef4acd3f0f678b3e03da3eb4038180

- C:\Users\Admin\AppData\Local\Temp\nsy691C.tmp\splash.dll
  Filesize: 4KB
  MD5: cbc07e5cb9791d3b7e17aec4af55fa63
  SHA1: 01f8876012714a99bd660c0b6acc4ca31ac9b3f7
  SHA256: b3c7a9947ee68e937d805012b4bfeb1b9efb5650101e95c20f7e481735d6e431
  SHA512: 0d830bc59c1b9aa43b696d9cc36a1a4a1bb40df642caf25f34fc2da0d851e110e8538ce0d3413223bbbe6a5408e64a0146e08a2d2ba803ce046ec8cd0905b46f

- C:\Users\Admin\AppData\Roaming\10 AFK.mp3
  Filesize: not recorded (the hashes below are those of a zero-byte file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- C:\Users\Admin\AppData\Roaming\74_443558.png
  Filesize: not recorded (the hashes below are those of a zero-byte file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- C:\Users\Admin\AppData\Roaming\WF9iXmlYVg==\splwow64.exe (listed three times in the report; identical to the submitted sample)
  Filesize: 296KB
  MD5: 5ba8c5594acd396176fd2d5b7bb8af6b
  SHA1: 437753354ad6ffe383882e4d85089a887c5c6e32
  SHA256: b03ab81fd715e5f63720ecfeaefe4cce0aa1a4e455964bf5f3cfc7728db5a236
  SHA512: 977ac03d5766b5c1162c7624765b1716b76dadac8820c2c0c257dc02645eb97dcedd775859b4030d3119a0a3f54346d7f7cbb5adb04a2a607adeb9884e927d1d

- C:\Users\Admin\AppData\Roaming\awjdkawl91uiaowjk1
  Filesize: 505B
  MD5: 29cb8a24078cd4caac4d224cbe8a1756
  SHA1: beb9c70529cffc7e9b6bda451839c61bcc88f22b
  SHA256: d05b8aed949eb6d3e9865f6cb1ec33d5a71d78898abc09ef072b65b70c087ffd
  SHA512: fa774a3a81c9439c56b3b620788e5ebfa9f91579ce81235aee6b2ace7bc4641ecb0a513536127d772ab61dcd7173c67a19351156dc79083fd647be559fc31a8a
Memory dumps

- memory/364-138-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/364-141-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/364-137-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/364-135-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/364-134-0x0000000000000000-mapping.dmp
- memory/864-148-0x0000000000000000-mapping.dmp
- memory/864-152-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/864-153-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/864-154-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/4984-139-0x0000000000000000-mapping.dmp