Analysis
- max time kernel: 131s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 27-01-2023 14:01
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 3aad6e79569fcc68f0b8530225e08743.exe
  - Resource: win7-20221111-en
General
- Target: 3aad6e79569fcc68f0b8530225e08743.exe
- Size: 2.2MB
- MD5: 3aad6e79569fcc68f0b8530225e08743
- SHA1: e1247952bedea6d68c471b779d673167d5e1d774
- SHA256: efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1
- SHA512: b30938d0210f9864f1165348f7bdbc1b6732687e8ee4a013b2c53f0ca0d212f8722cc8c6c4c187645f04d614cf2a21707869812c04ff551057f4d969141ab50d
- SSDEEP: 49152:Il8pLho6EEJZHFqdBiNz0ywwO++wddZHyo:8ULxEaHr0ywwO+RZHyo
Malware Config
- Extracted: systembc
  - cryptotab.me:4001
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | pluwd.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | pluwd.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3aad6e79569fcc68f0b8530225e08743.exe
- Executes dropped EXE (2 IoCs)
  pid | process
  568 | pluwd.exe
  1840 | pluwd.exe
- Checks BIOS information in registry (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | pluwd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | pluwd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | pluwd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | pluwd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3aad6e79569fcc68f0b8530225e08743.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3aad6e79569fcc68f0b8530225e08743.exe
- Identifies Wine through registry keys (2 TTPs, 3 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine | 3aad6e79569fcc68f0b8530225e08743.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine | pluwd.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine | pluwd.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid | process
  1124 | 3aad6e79569fcc68f0b8530225e08743.exe
  568 | pluwd.exe
  1840 | pluwd.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\Tasks\pluwd.job | 3aad6e79569fcc68f0b8530225e08743.exe
  File opened for modification | C:\Windows\Tasks\pluwd.job | 3aad6e79569fcc68f0b8530225e08743.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  1124 | 3aad6e79569fcc68f0b8530225e08743.exe
  1124 | 3aad6e79569fcc68f0b8530225e08743.exe
  568 | pluwd.exe
  1840 | pluwd.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target pid | target process
  PID 888 wrote to memory of 568 | 888 | taskeng.exe | 568 | pluwd.exe
  PID 888 wrote to memory of 568 | 888 | taskeng.exe | 568 | pluwd.exe
  PID 888 wrote to memory of 568 | 888 | taskeng.exe | 568 | pluwd.exe
  PID 888 wrote to memory of 568 | 888 | taskeng.exe | 568 | pluwd.exe
  PID 888 wrote to memory of 1840 | 888 | taskeng.exe | 1840 | pluwd.exe
  PID 888 wrote to memory of 1840 | 888 | taskeng.exe | 1840 | pluwd.exe
  PID 888 wrote to memory of 1840 | 888 | taskeng.exe | 1840 | pluwd.exe
  PID 888 wrote to memory of 1840 | 888 | taskeng.exe | 1840 | pluwd.exe
  Note that taskeng.exe is the parent of both pluwd.exe instances (it runs the pluwd.job task the sample wrote), so these writes are the task engine setting up its own child processes at creation rather than injection into an unrelated process; the interesting signal here is the persistence path, not the memory write itself.
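The signatures above are, in effect, rules over registry and file events, and the process tree shows how the dropped pluwd.job ties the sample to the two pluwd.exe instances taskeng.exe starts. The following Python is an added example (not Tria.ge's signature engine and not code from the sample) that re-implements four of those rules and the scheduled-task persistence link over a constructed Sysmon-style event stream modelled on the IoCs in this report; the event schema, field names and the noise event for explorer.exe are assumptions made for the example.

```python
"""Re-implement the sandbox signatures shown in this report over a constructed
event stream. Event schema (type/pid/image/path/...) is assumed for the example."""
import re
from collections import defaultdict

SAMPLE = "3aad6e79569fcc68f0b8530225e08743.exe"

# Constructed events modelled on the report's IoCs (not a real capture).
EVENTS = [
    {"type": "reg_key_opened", "pid": 1124, "image": SAMPLE,
     "path": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "reg_value_queried", "pid": 1124, "image": SAMPLE,
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "reg_value_queried", "pid": 1124, "image": SAMPLE,
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"type": "reg_key_opened", "pid": 1124, "image": SAMPLE,
     "path": r"\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine"},
    {"type": "file_created", "pid": 1124, "image": SAMPLE, "path": r"C:\Windows\Tasks\pluwd.job"},
    {"type": "file_created", "pid": 1124, "image": SAMPLE, "path": r"C:\ProgramData\jdxb\pluwd.exe"},
    {"type": "process_created", "pid": 568, "ppid": 888, "image": "pluwd.exe",
     "parent_image": "taskeng.exe", "cmdline": r"C:\ProgramData\jdxb\pluwd.exe start2"},
    {"type": "process_created", "pid": 1840, "ppid": 888, "image": "pluwd.exe",
     "parent_image": "taskeng.exe", "cmdline": r"C:\ProgramData\jdxb\pluwd.exe start2"},
    {"type": "reg_key_opened", "pid": 568, "image": "pluwd.exe",
     "path": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    # Assumed benign noise: a desktop shell reading the BIOS version once.
    {"type": "reg_value_queried", "pid": 1300, "image": "explorer.exe",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
]

# (event types the rule applies to, regex over the registry/file path)
SIGNATURES = {
    "Identifies VirtualBox via ACPI registry values":
        ({"reg_key_opened"}, re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I)),
    "Checks BIOS information in registry":
        ({"reg_value_queried"},
         re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    "Identifies Wine through registry keys":
        ({"reg_key_opened"}, re.compile(r"\\Software\\Wine$", re.I)),
    "Drops file in Windows directory":
        ({"file_created"}, re.compile(r"^C:\\Windows\\", re.I)),
}


def match_signatures(events):
    """Return {signature name: [(pid, image, path), ...]} for every matching event."""
    hits = defaultdict(list)
    for ev in events:
        for name, (types, pattern) in SIGNATURES.items():
            if ev["type"] in types and pattern.search(ev.get("path", "")):
                hits[name].append((ev["pid"], ev["image"], ev["path"]))
    return dict(hits)


def suspicious_images(hits, threshold=2):
    """Images that trigger at least `threshold` distinct signatures. A single BIOS
    read is too common in normal software to act on by itself."""
    per_image = defaultdict(set)
    for name, rows in hits.items():
        for _pid, image, _path in rows:
            per_image[image].add(name)
    return {img for img, names in per_image.items() if len(names) >= threshold}


def scheduled_task_persistence(events):
    """Link a .job file written under the Windows Tasks directory to a dropped
    executable that taskeng.exe later launches. Heuristic assumed here: the same
    pid wrote both the .job and the executable. Returns (writer pid, job, cmdline)."""
    writers = defaultdict(lambda: {"jobs": [], "exes": set()})
    for ev in events:
        if ev["type"] != "file_created":
            continue
        low = ev["path"].lower()
        if re.match(r"^c:\\windows\\tasks\\.+\.job$", low):
            writers[ev["pid"]]["jobs"].append(ev["path"])
        elif low.endswith(".exe"):
            writers[ev["pid"]]["exes"].add(low)
    launched = [ev for ev in events if ev["type"] == "process_created"
                and ev.get("parent_image", "").lower() == "taskeng.exe"]
    links = []
    for pid, w in writers.items():
        for proc in launched:
            exe = proc["cmdline"].split(" ", 1)[0].lower()
            if exe in w["exes"]:
                links.extend((pid, job, proc["cmdline"]) for job in w["jobs"])
    return links


if __name__ == "__main__":
    hits = match_signatures(EVENTS)
    for name, rows in hits.items():
        print(f"{name}: {len(rows)} IoCs")
    print("suspicious:", suspicious_images(hits))
    for pid, job, cmd in scheduled_task_persistence(EVENTS):
        print(f"persistence: pid {pid} wrote {job}; taskeng.exe ran {cmd}")
```

The threshold in suspicious_images is the practical caveat: on its own, "Checks BIOS information in registry" fires on plenty of legitimate software, and in this report it only becomes meaningful because the same process also probes the VirtualBox ACPI table and the Wine key and then writes a task into C:\Windows\Tasks.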
Processes
- C:\Users\Admin\AppData\Local\Temp\3aad6e79569fcc68f0b8530225e08743.exe (PID 1124)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3aad6e79569fcc68f0b8530225e08743.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (PID 888)
  Command line: taskeng.exe {17D27E6D-D5EC-4810-9AD8-D4888393DA0C} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\jdxb\pluwd.exe (PID 568, child of taskeng.exe)
    Command line: C:\ProgramData\jdxb\pluwd.exe start2
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
  - C:\ProgramData\jdxb\pluwd.exe (PID 1840, child of taskeng.exe)
    Command line: C:\ProgramData\jdxb\pluwd.exe start2
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\jdxb\pluwd.exe
  - Filesize: 2.2MB
  - MD5: 3aad6e79569fcc68f0b8530225e08743
  - SHA1: e1247952bedea6d68c471b779d673167d5e1d774
  - SHA256: efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1
  - SHA512: b30938d0210f9864f1165348f7bdbc1b6732687e8ee4a013b2c53f0ca0d212f8722cc8c6c4c187645f04d614cf2a21707869812c04ff551057f4d969141ab50d
  The report lists this file three times with identical hashes; they are the same artifact. Its hashes match the submitted sample exactly, so the sample copies itself unchanged to C:\ProgramData\jdxb\pluwd.exe and the pluwd.job task runs that copy.
Memory dumps
- memory/568-61-0x0000000000400000-0x00000000009C3000-memory.dmp: 5.8MB
- memory/568-66-0x0000000076FB0000-0x0000000077130000-memory.dmp: 1.5MB
- memory/568-64-0x0000000000400000-0x00000000009C3000-memory.dmp: 5.8MB
- memory/568-59-0x0000000000000000-mapping.dmp
- memory/1124-62-0x0000000076FB0000-0x0000000077130000-memory.dmp: 1.5MB
- memory/1124-54-0x0000000000400000-0x00000000009C3000-memory.dmp: 5.8MB
- memory/1124-57-0x0000000000400000-0x00000000009C3000-memory.dmp: 5.8MB
- memory/1124-65-0x0000000076FB0000-0x0000000077130000-memory.dmp: 1.5MB
- memory/1124-56-0x0000000076FB0000-0x0000000077130000-memory.dmp: 1.5MB
- memory/1124-55-0x00000000753F1000-0x00000000753F3000-memory.dmp: 8KB
- memory/1840-67-0x0000000000000000-mapping.dmp
- memory/1840-69-0x0000000000400000-0x00000000009C3000-memory.dmp: 5.8MB
- memory/1840-71-0x0000000076FB0000-0x0000000077130000-memory.dmp: 1.5MB
- memory/1840-72-0x0000000000400000-0x00000000009C3000-memory.dmp: 5.8MB
- memory/1840-73-0x0000000076FB0000-0x0000000077130000-memory.dmp: 1.5MB
All three processes (1124, 568, 1840) map the same image region 0x400000-0x9C3000 (0x5C3000 bytes, about 5.8MB) for a 2.2MB file on disk, consistent with the sample and its dropped copy being the same executable; the 0x400000-based dumps are the ones to carve for the unpacked image.