Analysis

  • max time kernel
    120s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-03-2023 04:20

General

  • Target

    8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe

  • Size

    5.2MB

  • MD5

    070c397b7d77be8f730a01b64d3c03c3

  • SHA1

    dc32d188461e552bb72ed0fb16e0af45dd62bde5

  • SHA256

    8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851

  • SHA512

    1fc0725fc03530f5add5a9c161f52852f8c7878f7a617a7275fef463891787617b3dc3a3d16fc33494715e0d4f538cf08dace64d4c40b461443a9b334c7d6925

  • SSDEEP

    98304:4nhLTDcdqwb3KfoNpUSMxQ7pbw+abYNuJ+l7:Wc4qKiSD

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  • ACProtect 1.3x - 1.4x DLL software (2 IoCs)

    Detects a file using ACProtect software.

  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys (2 TTPs, 1 IoC)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL (13 IoCs)
  • UPX packed file (3 IoCs)

    Detects executables packed with the UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Modifies Internet Explorer settings (1 TTP, 10 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious use of FindShellTrayWindow (6 IoCs)
  • Suspicious use of SendNotifyMessage (6 IoCs)
  • Suspicious use of SetWindowsHookEx (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe
    "C:\Users\Admin\AppData\Local\Temp\8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Bootkit (1) T1067
  • Defense Evasion
    Virtualization/Sandbox Evasion (2) T1497
    Modify Registry (1) T1112
  • Discovery
    Query Registry (3) T1012
    Virtualization/Sandbox Evasion (2) T1497
    System Information Discovery (1) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\k[1].js
    Filesize

    94B

    MD5

    514eb157c352678fe6e6ffb103579bfa

    SHA1

    5892249a4b53845b0761623aefa1c0d251ccf7da

    SHA256

    5e0f936c52cb1e65ccda6fe580472f66166fa4687aeb931c2f0b25bf8c858daf

    SHA512

    91832b7b508d3386e65bea57a42c5b8af73f5cee55efa0b05ffb8dc9a60473cec718f2d28a9d8c7420ae92ec6ba43a1df598541571ffed4726a61fa4b8703edc

  • C:\Users\Admin\AppData\Local\Temp\71E9.tmp
    Filesize

    338B

    MD5

    2fd3d62ff3abcbd958e582f34d16ef0f

    SHA1

    35afb3d08e84744d79419ed56b5f9ad0089ff499

    SHA256

    118cb7a487df23fadc028b1454c6430f8a815173d8b0087961577fc52c4a3e49

    SHA512

    749a6e325dac70ffddea7a283f63d7d241dd735cf498a92c27c9e5f560c782830411b20c271169bebe87e61ca742d5febe0cbfe9ce75b21a4bf967de11f86f71

  • C:\Users\Admin\AppData\Local\Temp\8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.ini
    Filesize

    137B

    MD5

    8ff880865f48e318a84fa66c283b8be9

    SHA1

    743670044d4c90abcf95a2f3436f64f3809e3546

    SHA256

    fc968675de79e462042d2b6685d7d08da9fa0ddcfbbc3cdc31e80e8a00947773

    SHA512

    5928617382f9bacbdf8ec437d1ed1de11a034e0cf309a1385e2849eb8bdb9d60410b4a9cf53aa4ae9336e86fd4c52350a15b8c67264f5fe64842c21a25c46151

  • C:\Users\Admin\AppData\Local\Temp\ad-mymacro9.xml.tmp
    Filesize

    3KB

    MD5

    6a004b4196400a627b5b6248a2a2dcba

    SHA1

    fa9a555e83a4c3a73e07a728ec92827f55fbcf02

    SHA256

    9cd3e3f97866082f8edfed25d56b40786c2809f264c4f8b10c022403e7f0f101

    SHA512

    1b5cea41dce0742e4ba7a7f3c4bef3eefc92c63d267a306e4098c68b768723abc0f0eace4a486ff3f4b1bb8a74279dd04e9c2a48df9a20125c21209e3d205624

  • C:\Users\Admin\AppData\Local\Temp\cfgdll.dll
    Filesize

    59KB

    MD5

    3f9711ab8cfa0cbbeaeceba7904c8700

    SHA1

    94085220d65eb8c572fb394ab0d19815dcf80680

    SHA256

    517df7f719bcc34ea934868e46c77932768ee77abccc3bccac62bf9bfeed0af5

    SHA512

    e595acdc6b857a6180f88ddb0bd8c50f66bd1768d129e996dcd8934e9462150d041dc79addd2251b933e1a63ccccf03070ecce8ed485ea35622af1c18c60fcc5

  • C:\Users\Admin\AppData\Local\Temp\plugin\ENCRYPT.DLL
    Filesize

    36KB

    MD5

    bb4fc9c6d89e2bce4f0ba8145fb9cc2a

    SHA1

    dabf41d3bc08ac4d24fb6a675e7c659b853ee0b5

    SHA256

    8eb6877e20f7ede585e957f5301a0418ad022832ceb16cd158d516c9a11873b7

    SHA512

    dc94e10f473245f4d42838ab71aa3d0476259ee0b783cfd54182b2586411810401bed92a8c4726a5003008999cf7c5aaf1b85226e7104075750ce3045ad931c1

  • C:\Users\Admin\AppData\Local\Temp\plugin\ENCRYPT.ini
    Filesize

    291B

    MD5

    2863ef76e4d248dc1d569f1eac73cf59

    SHA1

    23173afaeac9571427ff5b4e4344607f36d3ce9b

    SHA256

    344f9a77096b53c96f1c119839b03b1291983e30322e8886dc5a2928da76c776

    SHA512

    fafb6ec0cef62fcd2ba5388fc9d1134655eeaa61cf372d7e988b71fb752ab25c62444efc4f881586357323427b7edf6c8f0d860ad2af5ad7a8044f78d220ccfe

  • C:\Users\Admin\AppData\Local\Temp\plugin\FILE.DLL
    Filesize

    40KB

    MD5

    1b12290100f56cf13ac7bd631adebe7d

    SHA1

    d996c99e4ccb91876e9da397ec547aebb83c0c94

    SHA256

    c9515d3d0e549e978fdd8ae762bd7b73f1ec1dd49c058ad9cd4537902db87670

    SHA512

    cd0e417f7ef5d1749f78bded6ac77bcc15aa72268bbb2ec8322f964a11d70f0ecfaaa4ecc10d13a2df743329982bd88fdb8f7f785a50dad33d112e27e372b815

  • C:\Users\Admin\AppData\Local\Temp\plugin\FILE.ini
    Filesize

    2KB

    MD5

    e04472109d3e00286933cc1675760427

    SHA1

    c0c2ed2fda1884b5d00c6d292589a3920907eaa3

    SHA256

    06e641716fe6ffb936655579a63aca7d16dfc8f24f9ba8498a53c0359dc158a5

    SHA512

    bf42775f9de3653e583838d8dec718bc8c993a350593e0146159da6869d2edc67d0266d6f7dea8eb3cfa3c8fa8e8ebdf5454144f0a347646df3fa6cf3802fc87

  • C:\Users\Admin\AppData\Local\Temp\plugin\MOMOPLUGIN.DLL
    Filesize

    29KB

    MD5

    e9d029ad7a51e4ae2dca64f85d5a9e62

    SHA1

    cc35d47110810f6334f225e77dacc14403042929

    SHA256

    e6aebe34f3f7949f6ac147c151859a73db67c76688bb95f566e77ab5e446b2b8

    SHA512

    ad6c845dbb1b2e6ba5eb3e4017e0b1a66d9ef328bc9d3447c9c0af0d8fe06a2024a785355f8c675923d9b7f1a968e5abd484ee4a5f60dc2f6bf90e93b3227efc

  • C:\Users\Admin\AppData\Local\Temp\plugin\MOMOPLUGIN.ini
    Filesize

    1KB

    MD5

    3da1d7d7ceca89caf01bc15e59e6fa18

    SHA1

    d90910132ff65e5f04704379cced9330ced96a3c

    SHA256

    123d1335c04d71ea5495eb118c686eb6581542baca4f5dc8e11e182bb11ef1d0

    SHA512

    77da8a9ba735bb1ef3c3af3c03894bc29a051ff4f821a6c089b79d76dd9352d5fb1066c57600a6b1b76019473fab5b8f3070af137c4ec2880d13fb7f72bf8de4

  • C:\Users\Admin\AppData\Local\Temp\plugin\SYS.DLL
    Filesize

    32KB

    MD5

    18c393dfa1c0f3d2da0f4acdec5d7639

    SHA1

    84f666216085f177bccb8fa94900ba625f7552bc

    SHA256

    3c3599cf74407476a92ce4ee66ed3ce00d0b3ea5326f796c191e6ed0a9a87b3a

    SHA512

    ba61370b69b239754ff8f4e07f456755422667340c9a27bf2ace272b0e90a0818da595b973e90cd9ca4fc502028caef078e16bc7c87b2a6a8fa465141f54b3b4

  • C:\Users\Admin\AppData\Local\Temp\plugin\SYS.ini
    Filesize

    1KB

    MD5

    09c6b26d1e0ff380321f586473d81098

    SHA1

    261ba0c9c3ddf3c9e8715ead3628212d2859bcba

    SHA256

    bc8eaa229e13a93be3bef498443182eb5d97551fbc5fcb1208d014b56161588f

    SHA512

    7700e2ab0c38f7b1a3190843f603b572f7952e4a3567855fbaf2f1085f7e5b4fcdaa97e9195a43299594a5c3b31d15232cb66d9c59a4231cc83487663ded832c

  • C:\Users\Admin\AppData\Local\Temp\plugin\WINDOW.DLL
    Filesize

    44KB

    MD5

    4c462a5ff18e333b767ea44c318c05c2

    SHA1

    eb0f1bcd62382d4320532b330abf5cbdddd4a409

    SHA256

    efda60b95d43a51e54cf9f44278f36d1717e21c78686fa2157395b5635951b41

    SHA512

    11a8b2ee9e2b8431ddb81bbc3fa3bb596f9e2e11360f99b649017332c3b93eaa2efe105a2045285822e6d62663dec68b1c0d2a8a863f03fcec40cf04172d7139

  • C:\Users\Admin\AppData\Local\Temp\plugin\WINDOW.ini
    Filesize

    3KB

    MD5

    24e047e8ec1ad7ac870b3a87db780d4d

    SHA1

    33002567dfe47e48a2f2389cd4c568993f4f2e82

    SHA256

    7f3dab45c54a0d1b0383de9dec0a90cfb648d8327aa39c5ce50997d830ffb147

    SHA512

    4a0152572fbfc54b237822abb2fe80545f76501a6319f7e984a2f53184c8cc070679826aafbdd9835b0b5a6bf012e0443ac29639f07db769fc5d0373e927d1a7

  • C:\Users\Admin\AppData\Roaming\mymacro\qdisp.dll
    Filesize

    43KB

    MD5

    7171bc500507f070355c8903e0ea6d3d

    SHA1

    073d479fdbd1f2af5d494e90b950098be63dee75

    SHA256

    3e02f67604dcc1f9e2f107e3dc04f9dcdc59431b2a9323838b61c427c63b997c

    SHA512

    a8162de29e73f7a198ab7b592c393c8b39e42d5f6649efeca300a90dd7c70178fca1cfcd1f721588dcff296d5245f9ebfa289c6525c7e8621c8eef3e77787622

  • memory/1328-571-0x0000000000400000-0x0000000000936000-memory.dmp
    Filesize

    5.2MB

  • memory/1328-574-0x0000000000400000-0x0000000000936000-memory.dmp
    Filesize

    5.2MB

  • memory/1328-430-0x0000000011000000-0x000000001101D000-memory.dmp
    Filesize

    116KB

  • memory/1328-177-0x00000000065B0000-0x00000000065BF000-memory.dmp
    Filesize

    60KB

  • memory/1328-133-0x0000000000400000-0x0000000000936000-memory.dmp
    Filesize

    5.2MB

  • memory/1328-651-0x0000000000400000-0x0000000000936000-memory.dmp
    Filesize

    5.2MB