Analysis

  • max time kernel
    110s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/06/2023, 07:29

General

  • Target

    b0011be8c7cd1c9865e1f1ed406197d4.exe

  • Size

    12KB

  • MD5

    b0011be8c7cd1c9865e1f1ed406197d4

  • SHA1

    ddf1f665023dcdddf23576d4db27e65323482d58

  • SHA256

    33e6b8a634ba08facba420eed6f61933570fb26e59fdba5a52603148c31e8792

  • SHA512

    6daddf405ee371d2e3e89972003d7c317cbc8b09e8231103eb5afcbc2b30dc47e8eff197be7553ce0c68727ae067f2f5d95a57b950725129808a5428fb7adb49

  • SSDEEP

    192:VqwFkb7H0rKTW2eOF93JceyCxk6XY5V87W1tf8UoupfJf6myRRW3ZDkmiPmiz10:BUTcOF7cDUk6XYSswunHhITG

Score
9/10

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0011be8c7cd1c9865e1f1ed406197d4.exe
    "C:\Users\Admin\AppData\Local\Temp\b0011be8c7cd1c9865e1f1ed406197d4.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3248
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:4456
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA6E3.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1716
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious use of AdjustPrivilegeToken
        PID:1356

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpA6E3.tmp.bat

    Filesize

    151B

    MD5

    ca7c9783d868e474752f254b14c8a4f6

    SHA1

    80f51761d3025b57e2213af6bcd3773cdbb261e3

    SHA256

    027d229ca43b48bd3d49240b2796fcede14f507ce0ef432495e584cd81612e29

    SHA512

    ef33f6db8ff35a96cea0caed2131e6afe80b941e6d9d40937c5d4dc4d56f99e0734da8d91dddb7e5d974698daa01df42720ace6903508e4b4ead2942931b4657

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    12KB

    MD5

    b0011be8c7cd1c9865e1f1ed406197d4

    SHA1

    ddf1f665023dcdddf23576d4db27e65323482d58

    SHA256

    33e6b8a634ba08facba420eed6f61933570fb26e59fdba5a52603148c31e8792

    SHA512

    6daddf405ee371d2e3e89972003d7c317cbc8b09e8231103eb5afcbc2b30dc47e8eff197be7553ce0c68727ae067f2f5d95a57b950725129808a5428fb7adb49

  • memory/2120-133-0x0000028C77C80000-0x0000028C77C88000-memory.dmp

    Filesize

    32KB

  • memory/2120-134-0x0000028C7A5C0000-0x0000028C7AAE8000-memory.dmp

    Filesize

    5.2MB

  • memory/2120-135-0x0000028C7A090000-0x0000028C7A106000-memory.dmp

    Filesize

    472KB

  • memory/2120-136-0x0000028C78010000-0x0000028C7802E000-memory.dmp

    Filesize

    120KB

  • memory/2120-137-0x0000028C7A2F0000-0x0000028C7A300000-memory.dmp

    Filesize

    64KB