Analysis
- max time kernel: 109s
- max time network: 111s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-03-2023 02:26

Behavioral task: behavioral1
- Sample: f5b49bd5b215416c31650c1bf1047e33.exe
- Resource: win7-20230220-en
General
- Target: f5b49bd5b215416c31650c1bf1047e33.exe
- Size: 8.8MB
- MD5: f5b49bd5b215416c31650c1bf1047e33
- SHA1: 3e8468db67c3b41eeab8017018670ae57afe702d
- SHA256: ea25a8909d0bd9438586d97aa8919fc90ad8cef0043ea13fec603c780e0427e1
- SHA512: 2a9c5682794eb761a7a7b8d78db8a2dc39b94b2a0779f3ed250101deecfca9ef27257bf1d9a7de2aff13abba995da2fc95a623481e23cb631449434fcce558a2
- SSDEEP: 196608:3lViYdgxP1MTFmMUwMqhmrOGSF2yCVbXyqsz5p5:3riYexPQUwMqhmrlS0pynz5p5
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  Processes:
    f5b49bd5b215416c31650c1bf1047e33.exe  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    lLOkfvoRvP.exe                        Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    f5b49bd5b215416c31650c1bf1047e33.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    f5b49bd5b215416c31650c1bf1047e33.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
    lLOkfvoRvP.exe                        Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    lLOkfvoRvP.exe                        Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    f5b49bd5b215416c31650c1bf1047e33.exe  Key value queried  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 1512  lLOkfvoRvP.exe
    PID 3144  (process name not recorded in the report)
- Loads dropped DLL (5 IoCs)
  Processes:
    PID 4648  f5b49bd5b215416c31650c1bf1047e33.exe  (2 entries)
    PID 1512  lLOkfvoRvP.exe                        (3 entries)
- YARA rule matches (rule: themida)
  Resources:
    behavioral2/memory/4648-133-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  themida
    behavioral2/memory/4648-138-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  themida
    behavioral2/memory/4648-139-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  themida
    behavioral2/memory/4648-140-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  themida
    behavioral2/memory/4648-145-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  themida
    behavioral2/memory/4648-146-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  themida
    behavioral2/memory/4648-147-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  themida
    behavioral2/memory/4648-148-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  themida
    behavioral2/memory/4648-177-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  themida
    C:\Users\Admin\AppData\Local\Temp\lLOkfvoRvP.exe                              themida
    behavioral2/memory/4648-195-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  themida
    C:\Users\Admin\AppData\Local\Temp\lLOkfvoRvP.exe                              themida
    C:\Users\Admin\AppData\Local\Temp\lLOkfvoRvP.exe                              themida
    behavioral2/memory/4648-201-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  themida
    behavioral2/memory/1512-204-0x00007FF772990000-0x00007FF774250000-memory.dmp  themida
    behavioral2/memory/1512-205-0x00007FF772990000-0x00007FF774250000-memory.dmp  themida
    behavioral2/memory/1512-206-0x00007FF772990000-0x00007FF774250000-memory.dmp  themida
    behavioral2/memory/1512-207-0x00007FF772990000-0x00007FF774250000-memory.dmp  themida
    behavioral2/memory/1512-210-0x00007FF772990000-0x00007FF774250000-memory.dmp  themida
    behavioral2/memory/1512-211-0x00007FF772990000-0x00007FF774250000-memory.dmp  themida
    behavioral2/memory/1512-212-0x00007FF772990000-0x00007FF774250000-memory.dmp  themida
    behavioral2/memory/1512-224-0x00007FF772990000-0x00007FF774250000-memory.dmp  themida
- Checks whether UAC is enabled (2 IoCs)
  Processes:
    f5b49bd5b215416c31650c1bf1047e33.exe  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    lLOkfvoRvP.exe                        Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    PID 4648  f5b49bd5b215416c31650c1bf1047e33.exe
    PID 1512  lLOkfvoRvP.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
    PID 1364  WerFault.exe  target PID 1512  target process lLOkfvoRvP.exe
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  Processes:
    PID 3396  powershell.exe                        (2 entries)
    PID 4648  f5b49bd5b215416c31650c1bf1047e33.exe  (46 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    PID 3396  powershell.exe  Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    PID 1512  lLOkfvoRvP.exe  (2 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 4648 (f5b49bd5b215416c31650c1bf1047e33.exe) wrote to memory of PID 3396 (powershell.exe)  (2 entries)
    PID 4648 (f5b49bd5b215416c31650c1bf1047e33.exe) wrote to memory of PID 1512 (lLOkfvoRvP.exe)   (2 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f5b49bd5b215416c31650c1bf1047e33.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f5b49bd5b215416c31650c1bf1047e33.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* | Restart-Service -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\lLOkfvoRvP.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\lLOkfvoRvP.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetWindowsHookEx
    - [3] C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 1512 -s 516
          - Program crash
- [1] C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -pss -s 184 -p 1512 -ip 1512
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RAYpvafrcQ.dll
  Filesize: 49KB
  MD5: ac3da38df3e1fbf4977da44c2f8aa9ae
  SHA1: 3c1d0cceede7849123ddbc742be6e0be1b48970e
  SHA256: dd6e17839dd51b459c05318304acb52f8751db8d5a67679a3c8b5139f8db98e5
  SHA512: dda5a05a0497ea12e0899716456d97b224f1c6dfe010ee7873bcdf764f49f6783b6189391ed3defbcc3da47e4e85e830981b15d2f0b3c51ae5bef15b3604e175
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3dpeogdc.i3o.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Local\Temp\d3d11.dll
  Filesize: 2.4MB
  MD5: b284ae0d37cc7d47fc149bf93ef6a5bf
  SHA1: 3952b84377b0a1d267daae711ee47581749cb2a3
  SHA256: 0d1fe975cc83acc64a5c2341fbed3700a10509fa3df64535bc50adddd95b7f8b
  SHA512: b3982d34808264907520602a5a7798c20b035e78152731856b2c3e0b83086a9b744377e2a2014a3ed91fcb9478468986360fcd62df98a544c9f8a856829ffc33
- C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll
  Filesize: 4.1MB
  MD5: 222d020bd33c90170a8296adc1b7036a
  SHA1: 612e6f443d927330b9b8ac13cc4a2a6b959cee48
  SHA256: 4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3
  SHA512: ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6
- C:\Users\Admin\AppData\Local\Temp\lLOkfvoRvP.exe
  Filesize: 9.1MB
  MD5: bc64377f6e6baddd1ab77567d7e78e7a
  SHA1: ac1e44960dce84122d932bdbedbd78dec049ff8a
  SHA256: 1a2683a179e606bfdd2b62c20bbc69cb1af33bba7827a13c5bfa2440a3d239a6
  SHA512: 01219fa64ee72d484b89c414e6ff63a0e65fe431268fdf1f9fc28ee325710f3d72a65c743569552cd0a91bd0d6373aa71ee674f7443091b76d134341088f55ca
Memory dumps
- memory/1512-212-0x00007FF772990000-0x00007FF774250000-memory.dmp  Filesize: 24.8MB
- memory/1512-204-0x00007FF772990000-0x00007FF774250000-memory.dmp  Filesize: 24.8MB
- memory/1512-206-0x00007FF772990000-0x00007FF774250000-memory.dmp  Filesize: 24.8MB
- memory/1512-221-0x00000262ED070000-0x00000262ED071000-memory.dmp  Filesize: 4KB
- memory/1512-219-0x00007FFC8D6D0000-0x00007FFC8D6E0000-memory.dmp  Filesize: 64KB
- memory/1512-218-0x00007FFC8D6D0000-0x00007FFC8D6E0000-memory.dmp  Filesize: 64KB
- memory/1512-210-0x00007FF772990000-0x00007FF774250000-memory.dmp  Filesize: 24.8MB
- memory/1512-224-0x00007FF772990000-0x00007FF774250000-memory.dmp  Filesize: 24.8MB
- memory/1512-205-0x00007FF772990000-0x00007FF774250000-memory.dmp  Filesize: 24.8MB
- memory/1512-211-0x00007FF772990000-0x00007FF774250000-memory.dmp  Filesize: 24.8MB
- memory/1512-207-0x00007FF772990000-0x00007FF774250000-memory.dmp  Filesize: 24.8MB
- memory/3396-160-0x000001D25CA70000-0x000001D25CA80000-memory.dmp  Filesize: 64KB
- memory/3396-161-0x000001D25CA70000-0x000001D25CA80000-memory.dmp  Filesize: 64KB
- memory/3396-149-0x000001D242F60000-0x000001D242F82000-memory.dmp  Filesize: 136KB
- memory/3396-159-0x000001D25CA70000-0x000001D25CA80000-memory.dmp  Filesize: 64KB
- memory/4648-201-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  Filesize: 24.1MB
- memory/4648-177-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  Filesize: 24.1MB
- memory/4648-147-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  Filesize: 24.1MB
- memory/4648-148-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  Filesize: 24.1MB
- memory/4648-133-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  Filesize: 24.1MB
- memory/4648-195-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  Filesize: 24.1MB
- memory/4648-145-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  Filesize: 24.1MB
- memory/4648-140-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  Filesize: 24.1MB
- memory/4648-139-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  Filesize: 24.1MB
- memory/4648-138-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  Filesize: 24.1MB
- memory/4648-146-0x00007FF62A060000-0x00007FF62B870000-memory.dmp  Filesize: 24.1MB