feef7c585a67e368ce1a514158d6abc280e502b0408ad8b589d83687360ff11f

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
29-06-2023 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

802a953fdb8efac8ec2a48bb8051713eb23edf962a10640d144206fea99b001f.dll
Size

48KB
MD5

2ad7ceb9109d01f7750396e815d8aac5
SHA1

9310175104942dcfd34b8cdcdc94b2f648f1de31
SHA256

802a953fdb8efac8ec2a48bb8051713eb23edf962a10640d144206fea99b001f
SHA512

1ff923f206d2271b8e8afa2fdc550c4608b83d1d82a738489be31fb31562eb703ffdccf7789431321cc0ef8920f33cfd2c04393e2c04f22bf6f8ed8cdc9d50c1
SSDEEP

768:/0iEEBGU4Ly9RWFaoF4Vcps8etdvAgV1N:8iLBWLAWFad8eT4u1N

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ regsvr32.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1196 PING.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	regsvr32.exe

pid	process
1196	PING.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

regsvr32.exeregsvr32.execmd.exe

description	pid	process	target process
PID 1428 wrote to memory of 1692	1428	regsvr32.exe	regsvr32.exe
PID 1428 wrote to memory of 1692	1428	regsvr32.exe	regsvr32.exe
PID 1428 wrote to memory of 1692	1428	regsvr32.exe	regsvr32.exe
PID 1428 wrote to memory of 1692	1428	regsvr32.exe	regsvr32.exe
PID 1428 wrote to memory of 1692	1428	regsvr32.exe	regsvr32.exe
PID 1428 wrote to memory of 1692	1428	regsvr32.exe	regsvr32.exe
PID 1428 wrote to memory of 1692	1428	regsvr32.exe	regsvr32.exe
PID 1692 wrote to memory of 1688	1692	regsvr32.exe	cmd.exe
PID 1692 wrote to memory of 1688	1692	regsvr32.exe	cmd.exe
PID 1692 wrote to memory of 1688	1692	regsvr32.exe	cmd.exe
PID 1692 wrote to memory of 1688	1692	regsvr32.exe	cmd.exe
PID 1688 wrote to memory of 1196	1688	cmd.exe	PING.EXE
PID 1688 wrote to memory of 1196	1688	cmd.exe	PING.EXE
PID 1688 wrote to memory of 1196	1688	cmd.exe	PING.EXE
PID 1688 wrote to memory of 1196	1688	cmd.exe	PING.EXE

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\802a953fdb8efac8ec2a48bb8051713eb23edf962a10640d144206fea99b001f.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\802a953fdb8efac8ec2a48bb8051713eb23edf962a10640d144206fea99b001f.dll
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C "ping localhost && copy /b /y %SystemRoot%\System32\ActivationManager.dll %appdata%\Microsoft\nonresistantOutlivesDictatorial\AphroniaHaimavati.dll"
3⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\PING.EXE
ping localhost
4⤵
- Runs ping.exe
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4712c60d7ccc9e2d27ee37762de2d1c2

SHA1
20c0f1410a93862545ae9060b4bf3949a73d1909

SHA256
feb69ba7acba0528fa150dd5ffb610697bed90cf4e9674189582896d128518a6

SHA512
883d621e67a8df7eefc2005043c0d8bff31b52e62bb3ebe0c7ef1ca49595e06c505c78e7eeafe1c82d8b683cef52a84f69fc72db171a092dcf1c197742b797fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab89B.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9D6.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit