Overview

overview

9

Static

static

76816732db...1d.exe

windows7-x64

9

76816732db...1d.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    140s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 03:16

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe

  • Size

    1.8MB

  • MD5

    0dffd34640eb0bf4a199ee3ed018ae52

  • SHA1

    fd381c88c26c51e6a5a313a9b83b9d185e6f86f9

  • SHA256

    76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d

  • SHA512

    4eaa7678c80fcc3779ed07e4f27f0a42630c98e1727850fabd547be395a5d2ae2e40350a3db445934f79e059eff660f160d9f649521edb5cc5f0d72e896d002a

  • SSDEEP

    24576:3B/E0QwpHP5IX2Zfxh5sVuRmG4WLKPBHmOnrRbPqnpMd5itymGqEFNIjsgW:R/d9pvxMuR4WwH5rhOpeUtRELIog

Score
9/10
bootkitevasionpersistence

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 56 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe
    "C:\Users\Admin\AppData\Local\Temp\76816732db8051f52654c9969f4b6d028b8a8ab327fe79c26653e86d43ace11d.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Users\Admin\AppData\Local\Temp\DNF3 2012-09-05 22.41.exe
      "C:\Users\Admin\AppData\Local\Temp\DNF3 2012-09-05 22.41.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Program Files (x86)\Common Files\Shared\svchost.exe
        "C:\Program Files (x86)\Common Files\Shared\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Program Files (x86)\Common Files\Shared\Guarder.exe
          2956*C:\Program Files (x86)\Common Files\Shared\svchost.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1396
    • C:\Users\Admin\AppData\Local\Temp\dnf小岚0907A全屏秒杀全屏爆炸.exe
      "C:\Users\Admin\AppData\Local\Temp\dnf小岚0907A全屏秒杀全屏爆炸.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" www.dnfxiaolan.com
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3084
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" www.dnfxiaolan.com
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:212
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:212 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4384

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Common Files\Shared\Guarder.exe
          Filesize

          4.1MB

          MD5

          6b7fc45ec32c45984e9842f8a7e8c976

          SHA1

          b99341eb2b8e8dd4a5268e5e61c8b9fa4b289d20

          SHA256

          31c3b60f7a318d275ca8c15bd5a1330d0da1b561d3e109984187c19fc5fc4da9

          SHA512

          5b567667f111eeaf49a77177fa492a7f7394aa92bfcfc5ff4e6042bbef1661ebd9ac726d3cae8fe31dd14b9fe53c3c1ed7037a4826a5b7781e5f3c0d1f6f544e

          Download Submit

        • C:\Program Files (x86)\Common Files\Shared\Guarder.exe
          Filesize

          4.1MB

          MD5

          6b7fc45ec32c45984e9842f8a7e8c976

          SHA1

          b99341eb2b8e8dd4a5268e5e61c8b9fa4b289d20

          SHA256

          31c3b60f7a318d275ca8c15bd5a1330d0da1b561d3e109984187c19fc5fc4da9

          SHA512

          5b567667f111eeaf49a77177fa492a7f7394aa92bfcfc5ff4e6042bbef1661ebd9ac726d3cae8fe31dd14b9fe53c3c1ed7037a4826a5b7781e5f3c0d1f6f544e

          Download Submit

        • C:\Program Files (x86)\Common Files\Shared\Record.dat
          Filesize

          260B

          MD5

          33418954cba5cdba78b6c7535faccaca

          SHA1

          b941f030693597aa8c513f8eb79faee3e380e4e9

          SHA256

          ab3716fafd0a19d07901e6a26f4e5ff922dab3f7d830127200a70ffe1df261e3

          SHA512

          93c4aa71f739c6928e7abfc1c1ecb6696bbc16ace8652d9baaead5c75d731ed47bcb42fbfe58d63a6b99ba9be43604eff43e6c3055e47dd810bcd61365025eed

          Download Submit

        • C:\Program Files (x86)\Common Files\Shared\svchost.exe
          Filesize

          4.1MB

          MD5

          6b7fc45ec32c45984e9842f8a7e8c976

          SHA1

          b99341eb2b8e8dd4a5268e5e61c8b9fa4b289d20

          SHA256

          31c3b60f7a318d275ca8c15bd5a1330d0da1b561d3e109984187c19fc5fc4da9

          SHA512

          5b567667f111eeaf49a77177fa492a7f7394aa92bfcfc5ff4e6042bbef1661ebd9ac726d3cae8fe31dd14b9fe53c3c1ed7037a4826a5b7781e5f3c0d1f6f544e

          Download Submit

        • C:\Program Files (x86)\Common Files\Shared\svchost.exe
          Filesize

          4.1MB

          MD5

          6b7fc45ec32c45984e9842f8a7e8c976

          SHA1

          b99341eb2b8e8dd4a5268e5e61c8b9fa4b289d20

          SHA256

          31c3b60f7a318d275ca8c15bd5a1330d0da1b561d3e109984187c19fc5fc4da9

          SHA512

          5b567667f111eeaf49a77177fa492a7f7394aa92bfcfc5ff4e6042bbef1661ebd9ac726d3cae8fe31dd14b9fe53c3c1ed7037a4826a5b7781e5f3c0d1f6f544e

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          4132c54f59c529167c112e7f519120fa

          SHA1

          94cc9036fa031258aa744c7ee88e3c0b6c7a73da

          SHA256

          e9f456cf8bb8cc4a683d1c2f792feeb4c83fff24a86e6bcb260eff8fbff126fb

          SHA512

          e8efb8e81a90ffbe177301fbba4470ded104fc6d12cfa0123938b981d612eb2c4a66bb47b585cd43ed6ed4940e0ad5a1e3a5d9d18f8cb643e741aae694c4baee

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          4132c54f59c529167c112e7f519120fa

          SHA1

          94cc9036fa031258aa744c7ee88e3c0b6c7a73da

          SHA256

          e9f456cf8bb8cc4a683d1c2f792feeb4c83fff24a86e6bcb260eff8fbff126fb

          SHA512

          e8efb8e81a90ffbe177301fbba4470ded104fc6d12cfa0123938b981d612eb2c4a66bb47b585cd43ed6ed4940e0ad5a1e3a5d9d18f8cb643e741aae694c4baee

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          27bd1edd56ca98a0f658971fa9e46321

          SHA1

          9bc5de2830960ba8e6ee2726d1192b7068817d57

          SHA256

          5cf5eda054ab1d98b51f5ab5877b90ea039d1123b2685b769317b9182970a761

          SHA512

          9ce36663ad5133e84f64e66cb818163a62eeda6a25a9197a91d72dd0e9c4785240e4a6b03af121b597f33d47b1db0d2026671cf2cdb49e4cdf612205a452e767

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          434B

          MD5

          f23745acfa7a8d10073a0fa00664ac0b

          SHA1

          2c7c4da86bab839e780236f33b89ee023f7ed0ea

          SHA256

          3b2b468b786dc9eced311ebcf9bdc6bfb21e3d53d1cb4ab4a8824373c82e4316

          SHA512

          8923afde1c51912107b429a16d2e4165baaa4d334f802ac1dc2cc8cd6f00adb428d66ce30ecaf90367b4a5c2d8b40d090241284b5433d9908e27af8aa7db5211

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BB6E43F9-72CD-11ED-A0EE-CE8FEF2919E2}.dat
          Filesize

          3KB

          MD5

          868075149b0b72ef052688f8439c9330

          SHA1

          a885991050b7a476b5862e9bab0bfeff1cd619f9

          SHA256

          e004be014d6a6cfa353e92d0ccd7519fe89611735f0ed16f475451f5e679eb4f

          SHA512

          eeb74ab2c470cdb51cf600599bb56b4fe8f82bfbaefa638849c702ea53574cde808396f0368a2ec2a3e6ad3bd8d3fef180fe03976fa4a8e29963abdcddd762ab

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BB70A6EE-72CD-11ED-A0EE-CE8FEF2919E2}.dat
          Filesize

          5KB

          MD5

          092476e0e95ce31eb5528668710e55b5

          SHA1

          99caf2672f404ae90a65145083435627b030192b

          SHA256

          729c62e6a729ffc70eda704be3b6d602c8194f8477dd7ea12695b3f5cd0a5c23

          SHA512

          64245e01df2224f2091ea550673032666c7905e553875ed325a93bc8fbd76dcbac8dcee1714edf6aaf4c3fd16027c994feb3eecdb1eeb8eaf13408bbd8941e5a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\DNF3 2012-09-05 22.41.exe
          Filesize

          97KB

          MD5

          11735bdb2ca8632f72da3e37052f40d2

          SHA1

          abdd3678d3f9ad3751ef82c8912828802e3e565f

          SHA256

          4b11aff6f8821fe3160c071f78db37c33226d163a4503678e2ffa1e96f37c86a

          SHA512

          69f8b4ec629c0951c84bb7f118690c6bbdeaa0b24b2a9bccad6417e1eef983fb159a2872c9f2b020923074ea005cf03c2588a3533daf855b34217f2991c25ea7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\DNF3 2012-09-05 22.41.exe
          Filesize

          97KB

          MD5

          11735bdb2ca8632f72da3e37052f40d2

          SHA1

          abdd3678d3f9ad3751ef82c8912828802e3e565f

          SHA256

          4b11aff6f8821fe3160c071f78db37c33226d163a4503678e2ffa1e96f37c86a

          SHA512

          69f8b4ec629c0951c84bb7f118690c6bbdeaa0b24b2a9bccad6417e1eef983fb159a2872c9f2b020923074ea005cf03c2588a3533daf855b34217f2991c25ea7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dnf小岚0907A全屏秒杀全屏爆炸.exe
          Filesize

          19.7MB

          MD5

          6430600d3f47519135cd132e219164ff

          SHA1

          466580f053f216afbed956b46096fd2edb985e17

          SHA256

          786d74121b9c74494a619e53ad283b94b5dfa0fd97d7854854e12f397c4c9ec1

          SHA512

          236f4a40319d320f4e5e405bae99936fc29861ae98e4000c5a116b709c5ebe3b79c2a09bd9d7cd8ed981441825cd1cfe00d0fcb16753c657550a6f90384fa154

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dnf小岚0907A全屏秒杀全屏爆炸.exe
          Filesize

          19.7MB

          MD5

          6430600d3f47519135cd132e219164ff

          SHA1

          466580f053f216afbed956b46096fd2edb985e17

          SHA256

          786d74121b9c74494a619e53ad283b94b5dfa0fd97d7854854e12f397c4c9ec1

          SHA512

          236f4a40319d320f4e5e405bae99936fc29861ae98e4000c5a116b709c5ebe3b79c2a09bd9d7cd8ed981441825cd1cfe00d0fcb16753c657550a6f90384fa154

          Download Submit

        • C:\Windows\SysWOW64\Сá°×¢Èë.ime
          Filesize

          52KB

          MD5

          c19a9f52996c85527e500747a7d69749

          SHA1

          ad867382e1f3696f1a46a577c62e49cbd3b03a14

          SHA256

          1c335c6d63bdf8fc0382bca35a0da10b2b0d4f338f85e18189beab13c45a942b

          SHA512

          e54323b141d813499b9e763de8df06870fa6a225d1403bd1bec49dc4a0996d11f53706bb6fe58a11f5dc639999a51a8f99d4241b54a1edaf75ba43a30dd78f12

          Download Submit

        • C:\Windows\SysWOW64\Сá°×¢Èë.ime
          Filesize

          52KB

          MD5

          c19a9f52996c85527e500747a7d69749

          SHA1

          ad867382e1f3696f1a46a577c62e49cbd3b03a14

          SHA256

          1c335c6d63bdf8fc0382bca35a0da10b2b0d4f338f85e18189beab13c45a942b

          SHA512

          e54323b141d813499b9e763de8df06870fa6a225d1403bd1bec49dc4a0996d11f53706bb6fe58a11f5dc639999a51a8f99d4241b54a1edaf75ba43a30dd78f12

          Download Submit

        • memory/4980-146-0x0000000000400000-0x0000000000698000-memory.dmp

          Filesize

          2.6MB

          Download

        • memory/4980-132-0x0000000000400000-0x0000000000698000-memory.dmp

          Filesize

          2.6MB

          Download

        • memory/4980-147-0x0000000077000000-0x00000000771A3000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4980-134-0x0000000000400000-0x0000000000698000-memory.dmp

          Filesize

          2.6MB

          Download

        • memory/4980-133-0x0000000077000000-0x00000000771A3000-memory.dmp

          Filesize

          1.6MB

          Download