Overview

Static: score 10

Behavioral tasks (score, sample, platform):
  7   1.exe        windows7-x64
  1   1.exe        windows10-2004-x64
  7   Fallen.exe   windows7-x64
  7   Fallen.exe   windows10-2004-x64
  7   Inte.exe     windows7-x64
  7   Inte.exe     windows10-2004-x64   (this report)
  7   LX64         ubuntu-18.04-amd64
  1   Server.exe   windows7-x64
  7   Server.exe   windows10-2004-x64
  7   hfs.exe      windows7-x64
  10  hfs.exe      windows10-2004-x64
  10  hfs_1.exe    windows7-x64
  10  hfs_1.exe    windows10-2004-x64
  10  hg           ubuntu-18.04-amd64
  1   java         ubuntu-18.04-amd64
  1   moren.exe    windows7-x64
  10  moren.exe    windows10-2004-x64
Analysis (score 10)
- max time kernel: 150s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-03-2023 09:25
Behavioral tasks (task, sample, resource):
  behavioral1   1.exe        win7-20230220-en
  behavioral2   1.exe        win10v2004-20230220-en
  behavioral3   Fallen.exe   win7-20230220-en
  behavioral4   Fallen.exe   win10v2004-20230220-en
  behavioral5   Inte.exe     win7-20230220-en
  behavioral6   Inte.exe     win10v2004-20230221-en
  behavioral7   LX64         ubuntu1804-amd64-en-20211208
  behavioral8   Server.exe   win7-20230220-en
  behavioral9   Server.exe   win10v2004-20230221-en
  behavioral10  hfs.exe      win7-20230220-en
  behavioral11  hfs.exe      win10v2004-20230220-en
  behavioral12  hfs_1.exe    win7-20230220-en
  behavioral13  hfs_1.exe    win10v2004-20230220-en
  behavioral14  hg           ubuntu1804-amd64-en-20211208
  behavioral15  java         ubuntu1804-amd64-20221111-en
  behavioral16  moren.exe    win7-20230220-en
  behavioral17  moren.exe    win10v2004-20230220-en
General
- Target: Inte.exe
- Size: 56KB
- MD5: 1ea2c756a0f0528d2e80ab204aa9de0b
- SHA1: 44177c8b4959a3b84ae65a5ea724a8e409b3dec1
- SHA256: 6d77d544364cdfaebd7252d14091653c903d0a11c34bddad60f5951da257a651
- SHA512: ecaa88ae3a0b51ba9320870a6b7172a3f02c466571d79f7536ee3b557da14f0b268be39cc3fbeadae79f3de33d816a59737efdc7ce11d322d4891c82421d1de5
- SSDEEP: 768:KaYYkgyowxPDvHzWpHPhh+RT26A6PhSDFPlkFUHHnOsv7uZYDl:KaYYkgyowxbeHPyRT2wZSZPbnO9Wl
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  Processes:
    PID 3796  vmware-vmx.exe

- Drops file in System32 directory (2 IoCs)
  Processes (Inte.exe):
    File created: C:\Windows\SysWOW64\vmware-vmx.exe
    File opened for modification: C:\Windows\SysWOW64\vmware-vmx.exe
  The recorded path is SysWOW64 although the signature says System32: a 32-bit process that writes to C:\Windows\System32 is redirected to C:\Windows\SysWOW64 by WOW64 file-system redirection, and the sandbox logs the path where the file actually landed.

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (vmware-vmx.exe):
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  ~MHz holds the CPU clock speed in MHz; note that the query comes from the dropped copy, not from the original Inte.exe.

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (Inte.exe, PID 1176):
    Token: SeIncBasePriorityPrivilege (the privilege required to raise a process's scheduling priority)

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 1176 (Inte.exe) wrote to memory of PID 4556 (cmd.exe), recorded three times
Processes

C:\Users\Admin\AppData\Local\Temp\Inte.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Inte.exe"
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\Inte.exe > nul
      This deletes the original dropper after the copy has been written. The command line names system32\cmd.exe but the image that ran is SysWOW64\cmd.exe, the WOW64 redirection of that path for a 32-bit caller.

C:\Windows\SysWOW64\vmware-vmx.exe
  Command line: C:\Windows\SysWOW64\vmware-vmx.exe
  Signatures: Executes dropped EXE; Checks processor information in registry
  Listed at the top level of the tree: the sandbox did not attribute its launch to Inte.exe or cmd.exe.
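The signatures and the process tree above describe four behaviours worth correlating in endpoint telemetry: a copy of the sample written into the system directory under a VMware-lookalike name, that copy then executing, the ~MHz registry read, and self-deletion through cmd.exe. The Python below is an added example, not part of the sandbox report or of the sample, that runs such a correlation over a constructed, Triage-style event log mirroring the report's PIDs, paths and SHA-256. The parent PID 700, the cmd.exe hash, the VIRT_BINARIES name list and the vendor-directory heuristic are assumptions of the example; the WOW64 path normalisation it applies is what makes a rule written against "system32" match the SysWOW64 paths the sandbox actually recorded.

```python
"""Correlate this report's behaviours over a constructed event log.
Added example, not part of the sandbox report: PIDs, paths and SHA-256 in
EVENTS come from the report; ppid 700 and the cmd.exe hash are placeholders.
"""
import ntpath
import re

SELF_SHA256 = "6d77d544364cdfaebd7252d14091653c903d0a11c34bddad60f5951da257a651"
EVENTS = [
    {"type": "process", "pid": 1176, "ppid": 700, "wow64": True,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Inte.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Inte.exe"', "sha256": SELF_SHA256},
    {"type": "file_create", "pid": 1176,
     "path": r"C:\Windows\SysWOW64\vmware-vmx.exe", "sha256": SELF_SHA256},
    {"type": "process", "pid": 4556, "ppid": 1176, "wow64": True,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "sha256": "placeholder-cmd-hash",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del "
                r"C:\Users\Admin\AppData\Local\Temp\Inte.exe > nul"},
    {"type": "process", "pid": 3796, "ppid": 700, "wow64": True,
     "image": r"C:\Windows\SysWOW64\vmware-vmx.exe",
     "cmdline": r"C:\Windows\SysWOW64\vmware-vmx.exe", "sha256": SELF_SHA256},
    {"type": "reg_query", "pid": 3796, "value": "~MHz",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"},
]
SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"
# Real virtualisation-vendor process names (assumed list); one of them running
# outside a vendor directory is the masquerade seen in this report.
VIRT_BINARIES = {"vmware-vmx.exe", "vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe"}


def normalize_path(path: str, wow64: bool) -> str:
    """Lower-case a path and apply WOW64 file-system redirection: a 32-bit
    process opening C:\\Windows\\System32\\X lands in C:\\Windows\\SysWOW64\\X,
    which is why the report records cmd.exe and the dropped file there even
    though the command line and signature title say "system32".
    (Redirection exemptions such as system32\\drivers\\etc are ignored.)"""
    p = path.strip('"').lower()
    if wow64 and p.startswith(SYSTEM32):
        p = SYSWOW64 + p[len(SYSTEM32):]
    return p


def first_token(cmdline: str) -> str:
    """Executable token of a Windows command line (quoted or bare)."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def command_image_matches(proc: dict) -> bool:
    """True when the command line's executable resolves to the recorded image."""
    w = proc["wow64"]
    return normalize_path(first_token(proc["cmdline"]), w) == normalize_path(proc["image"], w)


def analyze(events: list) -> list:
    """Return one 'kind: detail' string per matched behaviour, in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    dropped = {}  # normalized path -> pid that created it
    findings = []
    for e in events:
        if e["type"] == "file_create":
            creator = procs[e["pid"]]
            path = normalize_path(e["path"], creator["wow64"])
            dropped[path] = e["pid"]
            # Same hash as the writer: a self-copy into the system directory.
            if path.startswith((SYSTEM32, SYSWOW64)) and e["sha256"] == creator["sha256"]:
                findings.append(f"self_copy_to_system_dir: pid {e['pid']} wrote {path}")
        elif e["type"] == "process":
            img = normalize_path(e["image"], e["wow64"])
            name = ntpath.basename(img)
            if img in dropped:
                findings.append(f"executes_dropped_exe: pid {e['pid']} ran {img} "
                                f"dropped by pid {dropped[img]}")
            if name in VIRT_BINARIES and not re.search(r"\\(vmware|virtualbox|oracle)\\", img):
                findings.append(f"masquerade_virt_binary: {name} in {ntpath.dirname(img)}")
            parent = procs.get(e["ppid"])
            if parent is not None and name == "cmd.exe":
                # "cmd /c del <parent image> > nul" is the self-deletion in the tree above.
                m = re.search(r'\bdel\s+("[^"]+"|\S+)', e["cmdline"], re.IGNORECASE)
                if m and normalize_path(m.group(1), e["wow64"]) == \
                        normalize_path(parent["image"], parent["wow64"]):
                    findings.append(f"self_delete_via_cmd: pid {parent['pid']} removed "
                                    f"{ntpath.basename(parent['image'])} via pid {e['pid']}")
        elif e["type"] == "reg_query":
            # HKLM\HARDWARE\...\CentralProcessor\0\~MHz holds the CPU clock in MHz.
            if (e["key"] + "\\" + e["value"]).lower().endswith("\\centralprocessor\\0\\~mhz"):
                findings.append(f"cpu_mhz_query: pid {e['pid']} queried {e['value']}")
    return findings


if __name__ == "__main__":
    print("\n".join(analyze(EVENTS)))
```

Running it yields five findings in event order: the self-copy, the self-deletion, execution of the dropped file, the vmware-vmx.exe masquerade, and the ~MHz query. Without the WOW64 normalisation the cmd.exe command line (system32) and its image path (SysWOW64) would not be recognised as the same executable, which is the usual reason rules keyed on "System32" miss 32-bit droppers on x64 hosts.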
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Windows\SysWOW64\vmware-vmx.exe
  Filesize: 56KB
  MD5: 1ea2c756a0f0528d2e80ab204aa9de0b
  SHA1: 44177c8b4959a3b84ae65a5ea724a8e409b3dec1
  SHA256: 6d77d544364cdfaebd7252d14091653c903d0a11c34bddad60f5951da257a651
  SHA512: ecaa88ae3a0b51ba9320870a6b7172a3f02c466571d79f7536ee3b557da14f0b268be39cc3fbeadae79f3de33d816a59737efdc7ce11d322d4891c82421d1de5
  Size and all four hashes are identical to the submitted Inte.exe (see General): the dropped file is a byte-for-byte copy of the sample renamed to vmware-vmx.exe, so the General-section hashes are the ones to block or hunt for, not a second artifact.