Analysis

max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/07/2023, 19:56
Behavioral task: behavioral1
Sample: 33aeb3636988834cb63c7bf4b.exe
Resource: win7-20230703-en
General

Target: 33aeb3636988834cb63c7bf4b.exe
Size: 5.5MB
MD5: 33aeb3636988834cb63c7bf4b65581e1
SHA1: 2aedb042f39bddd34dd5ce4acbf7b1b259973e3b
SHA256: 3df462b3e78232032a984a4b9138fc00ce4aaf93a33a6e540f5ba8bce0cad369
SHA512: 55d75587088553a61c2bb200740a7ad8167f44df7b9a24c04b350068def5daf13c3e135cf086287fe740274583fb2742bc56fb3476641898293b619a68137fbb
SSDEEP: 98304:xxV6zRhld9E1BlYb9uto2jgrGeweoSYp2prwvLWaNFXvow17IugzlHbGSZBN7fZm:bV8ld98BlON2jnbNswvBXvowJgzl7GSO
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
The ACPI DSDT table is exported under HKLM\HARDWARE\ACPI\DSDT\<OEM table id>; the table id VBOX__ exists only on VirtualBox guests, so a successful open of this key tells the sample it is running in VirtualBox.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | server.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 33aeb3636988834cb63c7bf4b.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS version strings are often read in order to detect sandboxing and virtualisation environments: on a VirtualBox guest SystemBiosVersion and VideoBiosVersion contain strings such as VBOX or VirtualBox, and other hypervisors leave similar markers.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 33aeb3636988834cb63c7bf4b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | server.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | server.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 33aeb3636988834cb63c7bf4b.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code (GEOID) configured for the interactive user under Control Panel\International\Geo\Nation, likely to geofence execution. Note that locale-aware legitimate software reads this value too, so on its own it is a weak indicator.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation | 33aeb3636988834cb63c7bf4b.exe
Drops startup file (2 IoCs)
Anything placed in the per-user Startup folder is executed at every interactive logon of that user, so this is a persistence mechanism that survives reboot.
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3db336165e398a08b41714abba10e742.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3db336165e398a08b41714abba10e742.exe | server.exe
Executes dropped EXE (1 IoCs)
pid | Process
2776 | server.exe

Loads dropped DLL (2 IoCs)
pid | Process
2964 | 33aeb3636988834cb63c7bf4b.exe
2776 | server.exe
Obfuscated with Agile.Net obfuscator (4 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation. The memory hit is the main image of PID 2964 (0x210000-0x796000 is 0x586000 bytes, i.e. the 5.5MB sample); the three file hits are dumps of the same file object.
resource | yara_rule
behavioral2/memory/2964-133-0x0000000000210000-0x0000000000796000-memory.dmp | agile_net
behavioral2/files/0x00090000000230d3-153.dat | agile_net
behavioral2/files/0x00090000000230d3-159.dat | agile_net
behavioral2/files/0x00090000000230d3-160.dat | agile_net
Themida packer (yara rule themida, 20 IoCs)
Themida is a commercial packer/protector with anti-debug and anti-VM features. The memory hits are a 0x619000-byte mapping at a DLL-typical base in each process (0x71120000 in PID 2964, 0x72160000 in PID 2776), separate from the main image that matched agile_net, which is consistent with the "Loads dropped DLL" signature above.
resource | yara_rule
behavioral2/files/0x00060000000231b0-138.dat | themida
behavioral2/files/0x00060000000231b0-140.dat | themida
behavioral2/memory/2964-{142,143,144,149,162,163}-0x0000000071120000-0x0000000071739000-memory.dmp | themida
behavioral2/files/0x00060000000231b0-164.dat | themida
behavioral2/files/0x00060000000231b0-165.dat | themida
behavioral2/memory/2776-{166,167,170,173,177,179,181,184,185,188}-0x0000000072160000-0x0000000072779000-memory.dmp | themida
Checks whether UAC is enabled (2 IoCs)
Reads the EnableLUA policy value (1 = UAC on, 0 = UAC off), typically to decide whether elevation or a UAC bypass is needed before privileged actions.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | server.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 33aeb3636988834cb63c7bf4b.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
NtSetInformationThread with the ThreadHideFromDebugger information class stops debug events for that thread from being delivered to an attached debugger; it is a standard anti-debugging technique and is also emitted by protectors such as Themida.
pid | Process
2964 | 33aeb3636988834cb63c7bf4b.exe
2776 | server.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (33 IoCs)
All 33 entries belong to PID 2776 (server.exe): one SeDebugPrivilege enable, followed by 16 repetitions of the pair "Token: 33" / "Token: SeIncBasePriorityPrivilege". "Token: 33" is a privilege the sandbox reports by its LUID rather than by name; LUID 33 is SeIncreaseWorkingSetPrivilege (SE_INC_WORKING_SET_PRIVILEGE in winnt.h). Enabling SeDebugPrivilege only succeeds in an administrator token, which is the situation the EnableLUA check above probes for; once enabled it allows opening any process for memory writes.
description | pid | Process | count
Token: SeDebugPrivilege | 2776 | server.exe | 1
Token: 33 | 2776 | server.exe | 16
Token: SeIncBasePriorityPrivilege | 2776 | server.exe | 16
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2964 wrote to memory of 2776 | 2964 | 33aeb3636988834cb63c7bf4b.exe | 84
PID 2964 wrote to memory of 2776 | 2964 | 33aeb3636988834cb63c7bf4b.exe | 84
PID 2964 wrote to memory of 2776 | 2964 | 33aeb3636988834cb63c7bf4b.exe | 84
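The registry and file-path IoCs in the signatures above are what a responder would hunt for on real hosts. The following is an added example, not part of this sandbox report or of the sample, that re-implements the report's registry/file signatures as a small triage script over Sysmon-style events (pid, image, target path). The event list is constructed from the IoCs above for PIDs 2964 and 2776, plus an invented benign explorer.exe process (PID 1234) that reads Geo\Nation like any locale-aware application; the category names, the two-category threshold and the hive-prefix normalisation are this example's own choices.

```python
"""Triage of sandbox-evasion and persistence IoCs over Sysmon-style events.

Added example (not the sandbox's or the sample's code). The sandbox logs
kernel-style paths (\REGISTRY\MACHINE\...), Sysmon logs HKLM\...; both are
normalised so one rule set matches either source.
"""
import re
from typing import Optional

# Indicator classes; the paths are the ones the report shows being touched.
INDICATORS = {
    # ACPI DSDT table id VBOX__ exists only on VirtualBox guests.
    "anti_vm_acpi": [r"^HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__"],
    # SMBIOS / video BIOS strings reveal VirtualBox, VMware, QEMU, Hyper-V.
    "bios_query": [r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$"],
    # Country code of the interactive user (geofencing); common in benign apps.
    "geofence": [r"^HKU\\[^\\]+\\Control Panel\\International\\Geo\\Nation$"],
    # UAC on/off policy.
    "uac_check": [r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$"],
    # Per-user Startup folder: executed at every interactive logon.
    "startup_persist": [r"^C:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"],
}

# Kernel-object prefixes mapped to the hive names Sysmon uses.
_HIVE_PREFIXES = (
    (r"\REGISTRY\MACHINE", "HKLM"),
    (r"\REGISTRY\USER", "HKU"),
    ("HKEY_LOCAL_MACHINE", "HKLM"),
    ("HKEY_USERS", "HKU"),
)


def normalize(path: str) -> str:
    """Rewrite registry hive prefixes to HKLM/HKU; file paths pass through."""
    p = path.strip()
    for prefix, hive in _HIVE_PREFIXES:
        if p.upper().startswith(prefix.upper()):
            return hive + p[len(prefix):]
    return p


def classify(path: str) -> Optional[str]:
    """Return the indicator class a target path belongs to, or None."""
    p = normalize(path)
    for category, patterns in INDICATORS.items():
        if any(re.match(pat, p, re.IGNORECASE) for pat in patterns):
            return category
    return None


def triage(events):
    """Group events by pid and collect the distinct indicator classes hit."""
    per_proc = {}
    for ev in events:
        entry = per_proc.setdefault(ev["pid"], {"image": ev["image"], "categories": set()})
        cat = classify(ev["target"])
        if cat:
            entry["categories"].add(cat)
    return per_proc


def flagged(events, min_categories: int = 2):
    """PIDs hitting at least `min_categories` distinct classes.

    A lone Geo\\Nation or EnableLUA read is routine for legitimate software;
    the report's two processes combine four classes each, which is not.
    """
    return sorted(pid for pid, e in triage(events).items()
                  if len(e["categories"]) >= min_categories)


SID = "S-1-5-21-4176143399-3250363947-192774652-1000"   # from the report
MAIN = "33aeb3636988834cb63c7bf4b.exe"
ACPI = r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"
BIOS = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\{}BiosVersion"
UAC = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
GEO = "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\International\\Geo\\Nation"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3db336165e398a08b41714abba10e742.exe"

# Constructed event list: the report's IoCs plus invented benign noise (PID 1234).
SAMPLE_EVENTS = [
    {"pid": 2964, "image": MAIN, "target": ACPI},
    {"pid": 2964, "image": MAIN, "target": BIOS.format("Video")},
    {"pid": 2964, "image": MAIN, "target": BIOS.format("System")},
    {"pid": 2964, "image": MAIN, "target": GEO},
    {"pid": 2964, "image": MAIN, "target": UAC},
    {"pid": 2776, "image": "server.exe", "target": ACPI},
    {"pid": 2776, "image": "server.exe", "target": BIOS.format("System")},
    {"pid": 2776, "image": "server.exe", "target": BIOS.format("Video")},
    {"pid": 2776, "image": "server.exe", "target": UAC},
    {"pid": 2776, "image": "server.exe", "target": STARTUP},
    # Benign: explorer reads the user's GEOID and a Run key, in Sysmon spelling.
    {"pid": 1234, "image": "explorer.exe",
     "target": "HKU\\" + SID + "\\Control Panel\\International\\Geo\\Nation"},
    {"pid": 1234, "image": "explorer.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for pid, entry in triage(SAMPLE_EVENTS).items():
        print(pid, entry["image"], sorted(entry["categories"]))
    print("flagged:", flagged(SAMPLE_EVENTS))
```

Running it prints one line per process and flags 2776 and 2964 while leaving the explorer.exe process alone. The threshold is deliberately a count of distinct classes rather than of events: the sample repeats the same BIOS queries in both processes, and counting raw hits would let a single noisy benign reader of Geo\Nation score as high as a process that probes the hypervisor, the BIOS, UAC and the Startup folder.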
Processes

C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe (PID 2964)
  command line: "C:\Users\Admin\AppData\Local\Temp\33aeb3636988834cb63c7bf4b.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\server.exe (PID 2776, child of 2964)
    command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 2.3MB (4 identical entries)
MD5: 105e678e6ee84e0fa7fbe34df1f9639c
SHA1: 17e4d775f4405e3a81a793b5bf775e9c95da5af9
SHA256: 4ef4551d44fde6e46c470314b0b89f6418a54eee3f1ad9eb7456b2a20e3065a2
SHA512: 3a15a2f188a4f572923d1999a77ef6d14b243d1c0e3a4442b5a6825756b93b40e2c6197d106df62ae3b427c62ff6b21fc2fe8181a3b6709e9991f1ddd36e5689
Filesize: 5.5MB (3 identical entries; hashes match the submitted sample above)
MD5: 33aeb3636988834cb63c7bf4b65581e1
SHA1: 2aedb042f39bddd34dd5ce4acbf7b1b259973e3b
SHA256: 3df462b3e78232032a984a4b9138fc00ce4aaf93a33a6e540f5ba8bce0cad369
SHA512: 55d75587088553a61c2bb200740a7ad8167f44df7b9a24c04b350068def5daf13c3e135cf086287fe740274583fb2742bc56fb3476641898293b619a68137fbb