ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-09-2023 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

5.5MB
MD5

a92a908cae30b9b020244bedf61a1dd4
SHA1

a45bf660ae267b2c8027327b2b97c61faa88d9ae
SHA256

ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308
SHA512

beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba
SSDEEP

98304:pHrMX3ZbN6mocwdMpXYI6A2XwY0o7r5QBa2lAo3WTsKVnd/9lSD/WFIxUBzqHy:1MnZZPocwGpoRRXwY9rb2moBKVd/9lEJ

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	O.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	O.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	O.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tmp.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	O.exe

Executes dropped EXE 3 IoCs

pid	Process
2740	O.exe
1680	O.exe
2448	O.exe

Loads dropped DLL 1 IoCs

pid	Process
2792	cmd.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	O.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	O.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	O.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tmp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1532	tmp.exe
2740	O.exe
1680	O.exe
2448	O.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2664	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2680	timeout.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2792	1532	tmp.exe	28
PID 1532 wrote to memory of 2792	1532	tmp.exe	28
PID 1532 wrote to memory of 2792	1532	tmp.exe	28
PID 1532 wrote to memory of 2792	1532	tmp.exe	28
PID 2792 wrote to memory of 2680	2792	cmd.exe	30
PID 2792 wrote to memory of 2680	2792	cmd.exe	30
PID 2792 wrote to memory of 2680	2792	cmd.exe	30
PID 2792 wrote to memory of 2680	2792	cmd.exe	30
PID 2792 wrote to memory of 2740	2792	cmd.exe	31
PID 2792 wrote to memory of 2740	2792	cmd.exe	31
PID 2792 wrote to memory of 2740	2792	cmd.exe	31
PID 2792 wrote to memory of 2740	2792	cmd.exe	31
PID 2792 wrote to memory of 2740	2792	cmd.exe	31
PID 2792 wrote to memory of 2740	2792	cmd.exe	31
PID 2792 wrote to memory of 2740	2792	cmd.exe	31
PID 2740 wrote to memory of 2664	2740	O.exe	32
PID 2740 wrote to memory of 2664	2740	O.exe	32
PID 2740 wrote to memory of 2664	2740	O.exe	32
PID 2740 wrote to memory of 2664	2740	O.exe	32
PID 3008 wrote to memory of 1680	3008	taskeng.exe	37
PID 3008 wrote to memory of 1680	3008	taskeng.exe	37
PID 3008 wrote to memory of 1680	3008	taskeng.exe	37
PID 3008 wrote to memory of 1680	3008	taskeng.exe	37
PID 3008 wrote to memory of 1680	3008	taskeng.exe	37
PID 3008 wrote to memory of 1680	3008	taskeng.exe	37
PID 3008 wrote to memory of 1680	3008	taskeng.exe	37
PID 3008 wrote to memory of 2448	3008	taskeng.exe	38
PID 3008 wrote to memory of 2448	3008	taskeng.exe	38
PID 3008 wrote to memory of 2448	3008	taskeng.exe	38
PID 3008 wrote to memory of 2448	3008	taskeng.exe	38
PID 3008 wrote to memory of 2448	3008	taskeng.exe	38
PID 3008 wrote to memory of 2448	3008	taskeng.exe	38
PID 3008 wrote to memory of 2448	3008	taskeng.exe	38

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\s16k.0.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2680
- - C:\ProgramData\Roaming\O.exe
    "C:\ProgramData\Roaming\O.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "O" /tr C:\ProgramData\Roaming\O.exe /f
      4⤵
      Creates scheduled task(s)
      PID:2664

C:\Windows\system32\taskeng.exe
taskeng.exe {5466D505-A4B3-4BF6-B190-D919BB46C3E0} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\ProgramData\Roaming\O.exe
  C:\ProgramData\Roaming\O.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1680
- C:\ProgramData\Roaming\O.exe
  C:\ProgramData\Roaming\O.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Roaming\O.exe

Filesize
5.5MB

MD5
a92a908cae30b9b020244bedf61a1dd4

SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae

SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba

Download Submit
C:\ProgramData\Roaming\O.exe

Filesize
5.5MB

MD5
a92a908cae30b9b020244bedf61a1dd4

SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae

SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba

Download Submit
C:\ProgramData\Roaming\O.exe

Filesize
5.5MB

MD5
a92a908cae30b9b020244bedf61a1dd4

SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae

SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba

Download Submit
C:\ProgramData\Roaming\O.exe

Filesize
5.5MB

MD5
a92a908cae30b9b020244bedf61a1dd4

SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae

SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\s16k.0.bat

Filesize
168B

MD5
0bab9001aa3d3d460e4325933a269849

SHA1
dac3b9da8c87e6e0381a466614dbc144e41e8745

SHA256
10b62b5fe790083c5af500d5011d29ef8728a46a8463b2351aaf1d9f0c30243e

SHA512
4f8e89c39652469e63676dc088223c0e599a90a197517836d5170375f89e985720af7ec5e0e6850709a4890e7739728d16f1810cd24147000d9f3beb6fc2db24

Download Submit
C:\Users\Admin\AppData\Local\Temp\s16k.0.bat

Filesize
168B

MD5
0bab9001aa3d3d460e4325933a269849

SHA1
dac3b9da8c87e6e0381a466614dbc144e41e8745

SHA256
10b62b5fe790083c5af500d5011d29ef8728a46a8463b2351aaf1d9f0c30243e

SHA512
4f8e89c39652469e63676dc088223c0e599a90a197517836d5170375f89e985720af7ec5e0e6850709a4890e7739728d16f1810cd24147000d9f3beb6fc2db24

Download Submit
\ProgramData\Roaming\O.exe

Filesize
5.5MB

MD5
a92a908cae30b9b020244bedf61a1dd4

SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae

SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba

Download Submit
memory/1532-22-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1532-11-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1532-10-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1532-9-0x0000000077780000-0x0000000077782000-memory.dmp

Filesize
8KB

Download
memory/1532-4-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1532-1-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1532-0-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1680-56-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1680-45-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1680-55-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1680-54-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1680-49-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2448-67-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2448-72-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2448-73-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2448-74-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2740-32-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2740-40-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2740-39-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2740-38-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2740-28-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2740-60-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2740-37-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2740-76-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2792-27-0x00000000020F0000-0x0000000002EEA000-memory.dmp

Filesize
14.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads