Overview

overview

9

Static

static

1

Altruistic.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    214s
  • max time network
    199s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    06-02-2023 21:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Altruistic.exe

  • Size

    15.6MB

  • MD5

    d55c66739f6d75663a27c83c099324ba

  • SHA1

    6021c7f371b9a35fd7328cc1fb66bf63017f19a5

  • SHA256

    da7e1aa7f0dfcc5fe0ff6f5efe2736f4afdaa85ba7488f1c9790296a6001858a

  • SHA512

    e9f946642e8a86daedd954196b388f0af23c1443f1495d0cecbf18b61f421f43727051f52a0d79ba1089f872ab5b23e7a3e37803b97019ef5988c7c8f75b3cb4

  • SSDEEP

    393216:C5YHQKQPMQUEN/XAqFTAtnNCz4xfA2xXtnEHeN7A:9wZEzEN4qF4naCdXlE+NA

Score
9/10
evasiontrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Altruistic.exe
    "C:\Users\Admin\AppData\Local\Temp\Altruistic.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3140
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 444 -p 4472 -ip 4472
    1⤵
      PID:1060
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4472 -s 2456
      1⤵
      • Program crash
      PID:4284
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5096
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:324
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:424
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4108
      • C:\Users\Admin\AppData\Local\Temp\Altruistic.exe
        "C:\Users\Admin\AppData\Local\Temp\Altruistic.exe"
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:1576

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Virtualization/Sandbox Evasion

      1
      T1497

      Credential Access

      Discovery

      Query Registry

      3
      T1012

      Virtualization/Sandbox Evasion

      1
      T1497

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
        Filesize

        64KB

        MD5

        d2fb266b97caff2086bf0fa74eddb6b2

        SHA1

        2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

        SHA256

        b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

        SHA512

        c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

        Download Submit
      • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
        Filesize

        4B

        MD5

        f49655f856acb8884cc0ace29216f511

        SHA1

        cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

        SHA256

        7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

        SHA512

        599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

        Download Submit
      • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
        Filesize

        4B

        MD5

        f49655f856acb8884cc0ace29216f511

        SHA1

        cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

        SHA256

        7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

        SHA512

        599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

        Download Submit
      • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
        Filesize

        944B

        MD5

        6bd369f7c74a28194c991ed1404da30f

        SHA1

        0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

        SHA256

        878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

        SHA512

        8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

        Download Submit
      • memory/1576-150-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/1576-152-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/1576-157-0x00007FF903DF0000-0x00007FF903FE5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/1576-156-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/1576-155-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/1576-154-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/1576-153-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/1576-151-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/1576-149-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/1576-147-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/1576-148-0x00007FF903DF0000-0x00007FF903FE5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/3140-133-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/3140-134-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/3140-135-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/3140-132-0x00007FF903DF0000-0x00007FF903FE5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/3140-136-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/3140-137-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/3140-142-0x00007FF903DF0000-0x00007FF903FE5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/3140-141-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/3140-140-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/3140-139-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download
      • memory/3140-138-0x00007FF6496B0000-0x00007FF64B84B000-memory.dmp
        Filesize

        33.6MB

        Download