Overview

overview

10

Static

static

7

0ecc20f2e5...3b.exe

windows7-x64

9

0ecc20f2e5...3b.exe

windows10-2004-x64

10

Resubmissions

30-11-2022 17:41

221130-v9ts7abe25 10

30-11-2022 17:10

221130-vp2nascf3s 9

Analysis

  • max time kernel
    707s
  • max time network
    655s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 17:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe

  • Size

    2.5MB

  • MD5

    a001612855d4a8ef91a81fcc04c78923

  • SHA1

    852a3107921557748edd48175f5c14e9bd90d84a

  • SHA256

    0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b

  • SHA512

    2dfdda74dff7a57d55ee36e9cc056f06410cc07bbd5f7bcf35efa525f1cc06108a9f3ad8015abe8e81cf8564b2b49ddc51568a1613673bf1f5e4f9d9f1091173

  • SSDEEP

    49152:GoTnBCUzCLIB8whjke0k3+DNufQFbwBUreGDs1wa3zUprbFLKxvT1t+IE:GPowXD/2GreGDsPoRLKx3hE

Score
10/10
evasionpersistencethemidatrojan

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Registers COM server for autorun 1 TTPs 64 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe
    "C:\Users\Admin\AppData\Local\Temp\0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3296
  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\2639f722261d4b039263ed0174c28685 /t 4528 /p 2724
    1⤵
      PID:2692
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2724" "10548" "15912" "15892" "0" "0" "0" "0" "0" "0" "0" "0"
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:3512
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
        2⤵
        • Modifies system executable filetype association
        • Registers COM server for autorun
        • Checks processor information in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4392
        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
          "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3864
          • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
            C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess
            4⤵
            • Executes dropped EXE
            PID:4256
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4844
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3084
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4544
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
        1⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of WriteProcessMemory
        PID:5068

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Change Default File Association

      1
      T1042

      Registry Run Keys / Startup Folder

      2
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Virtualization/Sandbox Evasion

      1
      T1497

      Credential Access

      Discovery

      Query Registry

      6
      T1012

      Virtualization/Sandbox Evasion

      1
      T1497

      System Information Discovery

      6
      T1082

      Peripheral Device Discovery

      2
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
        Filesize

        1KB

        MD5

        d461574623ac317cbf7fca3e0fa38090

        SHA1

        b8b472d986a25313565781a39b41bb07a83b9fc5

        SHA256

        39f19d0a044a69fc09f5213d8d4e874e531bdae49c0242c9cd9f169c22bcbfa5

        SHA512

        d17138a2279d8b3e0b0efac8d36ce1aeba70692833f9c8c241e6bd566bad1215f7ebc523d93a87bf166c605bd01c8ec7060af33dbca98e8734fc61b4f66edacf

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
        Filesize

        434B

        MD5

        0e4947c3e03a579558345cefbde5874a

        SHA1

        e449cb356eaf1679b498549e3e60567e489f06aa

        SHA256

        b52d6454f365ea22e362679032fbe0d1fab1f4347e28360a3468e5ac6c9ccf0b

        SHA512

        1c443f6f99e16cedda47cfeae7fcf34257158b6b9f0d37cc85756731044a4c8070602ec320e8ca4a565f55032b263a61dff1684f7330f674202e5678d00714d1

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
        Filesize

        40.2MB

        MD5

        fb4aa59c92c9b3263eb07e07b91568b5

        SHA1

        6071a3e3c4338b90d892a8416b6a92fbfe25bb67

        SHA256

        e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

        SHA512

        60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
        Filesize

        40.2MB

        MD5

        fb4aa59c92c9b3263eb07e07b91568b5

        SHA1

        6071a3e3c4338b90d892a8416b6a92fbfe25bb67

        SHA256

        e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

        SHA512

        60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
        Filesize

        40.2MB

        MD5

        fb4aa59c92c9b3263eb07e07b91568b5

        SHA1

        6071a3e3c4338b90d892a8416b6a92fbfe25bb67

        SHA256

        e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

        SHA512

        60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
        Filesize

        77B

        MD5

        f0c993054eee411876b8b52d48da2a7c

        SHA1

        b81b4c2d47dc36223c83304fd4afef40a01211f7

        SHA256

        682489d01d119a47db3bc071264e8f4f29989489594942e3233f1343a16af0eb

        SHA512

        2475cd8536c23c94698237b3793195765d9e437127b3af7016dd78b7f1352770b4a880948af9b1929fe29789b0b3da5b203cf3668d0939788c385a97cc52aacb

        Download Submit
      • memory/3084-285-0x00000269B5016000-0x00000269B5019000-memory.dmp
        Filesize

        12KB

        Download
      • memory/3084-148-0x00000269B12C8000-0x00000269B12D0000-memory.dmp
        Filesize

        32KB

        Download
      • memory/3084-153-0x00000269C5000000-0x00000269C5100000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/3084-150-0x00000269B39D0000-0x00000269B39F0000-memory.dmp
        Filesize

        128KB

        Download
      • memory/3084-177-0x00000269B2D20000-0x00000269B2D40000-memory.dmp
        Filesize

        128KB

        Download
      • memory/3084-185-0x00000269B39B0000-0x00000269B39D0000-memory.dmp
        Filesize

        128KB

        Download
      • memory/3084-276-0x00000269B29B0000-0x00000269B29D0000-memory.dmp
        Filesize

        128KB

        Download
      • memory/3084-293-0x00000269B5020000-0x00000269B5024000-memory.dmp
        Filesize

        16KB

        Download
      • memory/3084-294-0x00000269B5020000-0x00000269B5024000-memory.dmp
        Filesize

        16KB

        Download
      • memory/3084-287-0x00000269B5016000-0x00000269B5019000-memory.dmp
        Filesize

        12KB

        Download
      • memory/3084-288-0x00000269B5016000-0x00000269B5019000-memory.dmp
        Filesize

        12KB

        Download
      • memory/3084-286-0x00000269B5016000-0x00000269B5019000-memory.dmp
        Filesize

        12KB

        Download
      • memory/3084-290-0x00000269B5020000-0x00000269B5024000-memory.dmp
        Filesize

        16KB

        Download
      • memory/3084-291-0x00000269B5020000-0x00000269B5024000-memory.dmp
        Filesize

        16KB

        Download
      • memory/3084-292-0x00000269B5020000-0x00000269B5024000-memory.dmp
        Filesize

        16KB

        Download
      • memory/3296-137-0x00000000006E0000-0x0000000000D5F000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3296-132-0x00000000006E0000-0x0000000000D5F000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3296-138-0x0000000077390000-0x0000000077533000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3296-136-0x0000000077390000-0x0000000077533000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3296-135-0x00000000006E0000-0x0000000000D5F000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3296-134-0x00000000006E0000-0x0000000000D5F000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3296-133-0x00000000006E0000-0x0000000000D5F000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3864-297-0x0000000000000000-mapping.dmp
        Download
      • memory/4256-302-0x0000000000000000-mapping.dmp
        Download
      • memory/4392-283-0x0000000000000000-mapping.dmp
        Download