Analysis
- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
- submitted: 28-03-2023 02:11
Behavioral task
behavioral1
- Sample: 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe
- Resource: win7-20230220-en
General
- Target: 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe
- Size: 12.8MB
- MD5: a03e180f08f32f630aeafc3402ec373a
- SHA1: 658720b09683597920d843d5177a1cc37bbed9f9
- SHA256: 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3
- SHA512: eb3f41eb46a2ef94af4f17c0a282212d34042613acc1f29ceef4836d91c74ebd38102933ae325199179e67e767344fcb429fdb1991cc0b0535651de23a7b7db4
- SSDEEP: 196608:lq6DE4kBPWNWDoJ013AK+Iwn9l7W/8mNTaS63eTCR6VQj0tkxiXUjgnDitU4CSt:l5rueWDolKqn9l7zXRGGLrgnDRm
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe
-
Processes:
resource | yara_rule
behavioral1/memory/1380-54-0x000000013F700000-0x0000000141965000-memory.dmp | themida
behavioral1/memory/1380-55-0x000000013F700000-0x0000000141965000-memory.dmp | themida
behavioral1/memory/1380-56-0x000000013F700000-0x0000000141965000-memory.dmp | themida
behavioral1/memory/1380-57-0x000000013F700000-0x0000000141965000-memory.dmp | themida
behavioral1/memory/1380-58-0x000000013F700000-0x0000000141965000-memory.dmp | themida
behavioral1/memory/1380-59-0x000000013F700000-0x0000000141965000-memory.dmp | themida
behavioral1/memory/1380-60-0x000000013F700000-0x0000000141965000-memory.dmp | themida
behavioral1/memory/1380-61-0x000000013F700000-0x0000000141965000-memory.dmp | themida
behavioral1/memory/1380-62-0x000000013F700000-0x0000000141965000-memory.dmp | themida
behavioral1/memory/1380-63-0x000000013F700000-0x0000000141965000-memory.dmp | themida
behavioral1/memory/1380-68-0x000000013F700000-0x0000000141965000-memory.dmp | themida
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
pid | process
1380 | 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe
1380 | 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe
-
Runs ping.exe (1 TTP, 7 IoCs)
Processes:
pid | process
1168 | PING.EXE
432 | PING.EXE
564 | PING.EXE
268 | PING.EXE
560 | PING.EXE
1992 | PING.EXE
1552 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes:
pid | process
1380 | 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe (this same row is reported 28 times)
-
Suspicious use of WriteProcessMemory (42 IoCs)
Processes:
description | pid | process | target process (each row is reported 3 times)
PID 1380 wrote to memory of 2020 | 1380 | 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe | cmd.exe
PID 2020 wrote to memory of 564 | 2020 | cmd.exe | PING.EXE
PID 1380 wrote to memory of 984 | 1380 | 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe | cmd.exe
PID 984 wrote to memory of 268 | 984 | cmd.exe | PING.EXE
PID 1380 wrote to memory of 1508 | 1380 | 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe | cmd.exe
PID 1508 wrote to memory of 560 | 1508 | cmd.exe | PING.EXE
PID 1380 wrote to memory of 868 | 1380 | 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe | cmd.exe
PID 868 wrote to memory of 1992 | 868 | cmd.exe | PING.EXE
PID 1380 wrote to memory of 2032 | 1380 | 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe | cmd.exe
PID 2032 wrote to memory of 1552 | 2032 | cmd.exe | PING.EXE
PID 1380 wrote to memory of 612 | 1380 | 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe | cmd.exe
PID 612 wrote to memory of 1168 | 612 | cmd.exe | PING.EXE
PID 1380 wrote to memory of 1712 | 1380 | 28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe | cmd.exe
PID 1712 wrote to memory of 432 | 1712 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\28b697be1636fd2f853522358bd24a7215792ff0556849e5623997a2162a37e3.exe"
  depth: 1
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    command line: /c ping -w 120 -n 1 54.39.75.14
    depth: 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      command line: ping -w 120 -n 1 54.39.75.14
      depth: 3
      - Runs ping.exe
  - C:\Windows\system32\cmd.exe
    command line: /c ping -w 120 -n 1 148.113.133.17
    depth: 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      command line: ping -w 120 -n 1 148.113.133.17
      depth: 3
      - Runs ping.exe
  - C:\Windows\system32\cmd.exe
    command line: /c ping -w 120 -n 1 148.113.133.16
    depth: 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      command line: ping -w 120 -n 1 148.113.133.16
      depth: 3
      - Runs ping.exe
  - C:\Windows\system32\cmd.exe
    command line: /c ping -w 120 -n 1 148.113.133.183
    depth: 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      command line: ping -w 120 -n 1 148.113.133.183
      depth: 3
      - Runs ping.exe
  - C:\Windows\system32\cmd.exe
    command line: /c ping -w 120 -n 1 148.113.133.184
    depth: 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      command line: ping -w 120 -n 1 148.113.133.184
      depth: 3
      - Runs ping.exe
  - C:\Windows\system32\cmd.exe
    command line: /c ping -w 120 -n 1 148.113.133.185
    depth: 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      command line: ping -w 120 -n 1 148.113.133.185
      depth: 3
      - Runs ping.exe
  - C:\Windows\system32\cmd.exe
    command line: /c ping -w 120 -n 1 148.113.133.186
    depth: 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      command line: ping -w 120 -n 1 148.113.133.186
      depth: 3
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1380-54-0x000000013F700000-0x0000000141965000-memory.dmp (Filesize: 34.4MB)
- memory/1380-55-0x000000013F700000-0x0000000141965000-memory.dmp (Filesize: 34.4MB)
- memory/1380-56-0x000000013F700000-0x0000000141965000-memory.dmp (Filesize: 34.4MB)
- memory/1380-57-0x000000013F700000-0x0000000141965000-memory.dmp (Filesize: 34.4MB)
- memory/1380-58-0x000000013F700000-0x0000000141965000-memory.dmp (Filesize: 34.4MB)
- memory/1380-59-0x000000013F700000-0x0000000141965000-memory.dmp (Filesize: 34.4MB)
- memory/1380-60-0x000000013F700000-0x0000000141965000-memory.dmp (Filesize: 34.4MB)
- memory/1380-61-0x000000013F700000-0x0000000141965000-memory.dmp (Filesize: 34.4MB)
- memory/1380-62-0x000000013F700000-0x0000000141965000-memory.dmp (Filesize: 34.4MB)
- memory/1380-63-0x000000013F700000-0x0000000141965000-memory.dmp (Filesize: 34.4MB)
- memory/1380-68-0x000000013F700000-0x0000000141965000-memory.dmp (Filesize: 34.4MB)