Overview

overview

9

Static

static

9489e44812...b5.exe

windows7-x64

9

9489e44812...b5.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    187s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 19:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9489e448122f182195360276e12a417f6a47ff20d05f16c79a48479f95f74bb5.exe

  • Size

    5.4MB

  • MD5

    aee5b2646087771ab1c0338f7a5893d4

  • SHA1

    064f1e0526236019d9c5268e1e2c515b7bf4cac2

  • SHA256

    9489e448122f182195360276e12a417f6a47ff20d05f16c79a48479f95f74bb5

  • SHA512

    1855ebaaececf9a35c09d9debb27820d0cf477512ee7395d6df062b4c7c8c60c1ef4f917edc1b60a5811a83224c1cfc0981cdc4d67ae7f71f8525637b812c865

  • SSDEEP

    98304:9SFP3VxLHjvu4jTEZVlf7L2TiY8gjbt1WzlzPQ:9SVVBHj5Hgf7LrjVI

Score
9/10
bootkitevasionpersistence

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9489e448122f182195360276e12a417f6a47ff20d05f16c79a48479f95f74bb5.exe
    "C:\Users\Admin\AppData\Local\Temp\9489e448122f182195360276e12a417f6a47ff20d05f16c79a48479f95f74bb5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Users\Admin\AppData\Local\SBot_1.95a.exe
      "C:\Users\Admin\AppData\Local\SBot_1.95a.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4812
    • C:\Users\Admin\AppData\Local\isass.exe
      "C:\Users\Admin\AppData\Local\isass.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3804
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sys32.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V syscheck /D "\"C:\Users\Admin\AppData\Local\isass.exe\"" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2876
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V syscheck /D "\"C:\Users\Admin\AppData\Local\isass.exe\"" /f
            5⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:4628

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\SBot_1.95a.exe
    Filesize

    4.1MB

    MD5

    9f9d8e9a60daeb875b9775f87883262d

    SHA1

    cee5a6c689a62cd6c2095b27a1318bae983bf139

    SHA256

    85ab14112ae6387dfe26a32396a666fb2bd4228930ab80e7a039ed129dcc5cc4

    SHA512

    60660f18cec0f5e8830bad57494495799b88f97d115f43b28f460de687f23b1e47febb220eb0e6029f9859532bab119895452237d1348bbbd0028be3322469fb

    Download Submit

  • C:\Users\Admin\AppData\Local\SBot_1.95a.exe
    Filesize

    4.1MB

    MD5

    9f9d8e9a60daeb875b9775f87883262d

    SHA1

    cee5a6c689a62cd6c2095b27a1318bae983bf139

    SHA256

    85ab14112ae6387dfe26a32396a666fb2bd4228930ab80e7a039ed129dcc5cc4

    SHA512

    60660f18cec0f5e8830bad57494495799b88f97d115f43b28f460de687f23b1e47febb220eb0e6029f9859532bab119895452237d1348bbbd0028be3322469fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sys32.bat
    Filesize

    145B

    MD5

    eb07334b91b42bb678fc994069581ad3

    SHA1

    190e786b69473f62a78b88f12aab1c6b33ee9dae

    SHA256

    ac196683a5110f966460a0af2cd798940878cd31c35aaf53ecaeec44bb7e476d

    SHA512

    d8b42b16f5f31c95a99ecfd0012983ab6513218e1567b49097f3f5096ba1416d40aa5b9dc42af4e19355c4114d6e174f9deb9543b9319bbf2b814ecaa8f40f03

    Download Submit

  • C:\Users\Admin\AppData\Local\appdata.dll
    Filesize

    86KB

    MD5

    63563fac63de3013f9ccd8e27139d1ef

    SHA1

    48dda1de5cf795876eb8ba4853a45928cacbda8d

    SHA256

    26596b7f8a274a81cba6616fe33747a3ab6b5f816d24120987d330c662322a9a

    SHA512

    407187a19875d46cadcbf35b584a322923fb3e0082387ccb6432c33a2d67024cf15a45460bd3345c4c575e57e9f9dca3d75f825bf3c1e80521c491d161a35f66

    Download Submit

  • C:\Users\Admin\AppData\Local\appdata.dll
    Filesize

    86KB

    MD5

    63563fac63de3013f9ccd8e27139d1ef

    SHA1

    48dda1de5cf795876eb8ba4853a45928cacbda8d

    SHA256

    26596b7f8a274a81cba6616fe33747a3ab6b5f816d24120987d330c662322a9a

    SHA512

    407187a19875d46cadcbf35b584a322923fb3e0082387ccb6432c33a2d67024cf15a45460bd3345c4c575e57e9f9dca3d75f825bf3c1e80521c491d161a35f66

    Download Submit

  • C:\Users\Admin\AppData\Local\appdata.dll
    Filesize

    86KB

    MD5

    63563fac63de3013f9ccd8e27139d1ef

    SHA1

    48dda1de5cf795876eb8ba4853a45928cacbda8d

    SHA256

    26596b7f8a274a81cba6616fe33747a3ab6b5f816d24120987d330c662322a9a

    SHA512

    407187a19875d46cadcbf35b584a322923fb3e0082387ccb6432c33a2d67024cf15a45460bd3345c4c575e57e9f9dca3d75f825bf3c1e80521c491d161a35f66

    Download Submit

  • C:\Users\Admin\AppData\Local\isass.exe
    Filesize

    608KB

    MD5

    1accb16c9a64f0ad55a4d6cbb6585c41

    SHA1

    bc2fd6cc0f9d951a2b7d33065463bcb79415c066

    SHA256

    68dc3fd9b206a44ed59e1c21a71584ea062d248ff274c09eef75058e6d709f1e

    SHA512

    6fe55c8e50a5e41101ec4aaf39f08c5a4f81501eb37ed147bfbbf98e4070ff78da55e2a81939b86658b25a43ade01d88518f3277c7c8f9abd16ed038f703c673

    Download Submit

  • C:\Users\Admin\AppData\Local\isass.exe
    Filesize

    608KB

    MD5

    1accb16c9a64f0ad55a4d6cbb6585c41

    SHA1

    bc2fd6cc0f9d951a2b7d33065463bcb79415c066

    SHA256

    68dc3fd9b206a44ed59e1c21a71584ea062d248ff274c09eef75058e6d709f1e

    SHA512

    6fe55c8e50a5e41101ec4aaf39f08c5a4f81501eb37ed147bfbbf98e4070ff78da55e2a81939b86658b25a43ade01d88518f3277c7c8f9abd16ed038f703c673

    Download Submit

  • memory/2844-144-0x0000000000000000-mapping.dmp

    Download

  • memory/2876-146-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-136-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-142-0x0000000000A40000-0x0000000000A5B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4628-147-0x0000000000000000-mapping.dmp

    Download

  • memory/4812-132-0x0000000000000000-mapping.dmp

    Download

  • memory/4812-143-0x0000000077330000-0x00000000774D3000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4812-135-0x0000000000400000-0x0000000001B31000-memory.dmp

    Filesize

    23.2MB

    Download

  • memory/4812-148-0x0000000000400000-0x0000000001B31000-memory.dmp

    Filesize

    23.2MB

    Download

  • memory/4812-149-0x0000000000400000-0x0000000001B31000-memory.dmp

    Filesize

    23.2MB

    Download

  • memory/4812-150-0x0000000077330000-0x00000000774D3000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4812-151-0x0000000000400000-0x0000000001B31000-memory.dmp

    Filesize

    23.2MB

    Download