Analysis
-
max time kernel
141s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230831-en -
resource tags
-
submitted
11-09-2023 17:10
General
-
Target
tmp.exe
-
Size
5.5MB
-
MD5
a92a908cae30b9b020244bedf61a1dd4
-
SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae
-
SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308
-
SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba
-
SSDEEP
98304:pHrMX3ZbN6mocwdMpXYI6A2XwY0o7r5QBa2lAo3WTsKVnd/9lSD/WFIxUBzqHy:1MnZZPocwGpoRRXwY9rb2moBKVd/9lEJ
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s3kw.0.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\ProgramData\Roaming\O.exe"C:\ProgramData\Roaming\O.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "O" /tr C:\ProgramData\Roaming\O.exe /f4⤵
- Creates scheduled task(s)
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.5MB
MD5a92a908cae30b9b020244bedf61a1dd4
SHA1a45bf660ae267b2c8027327b2b97c61faa88d9ae
SHA256ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308
SHA512beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba
-
Filesize
5.5MB
MD5a92a908cae30b9b020244bedf61a1dd4
SHA1a45bf660ae267b2c8027327b2b97c61faa88d9ae
SHA256ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308
SHA512beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba
-
Filesize
168B
MD5ffdc1b2fbc67ee60d6948fd75e1e41f0
SHA12a890a614f02087307faadb74ede60ec1be3b62d
SHA256f16c440cd79a39ae3c1a8ccfc374592e18d6c2c7362adf0cc86679b164a49297
SHA512eb1ea5488a551a47efbff8ed46ba85a021946f5f3e0fcb41ac94eadbb7679279084b36d534aafc8338233040d952b58ccef3dcbf5df57c11bee6b5b6ee6124a5
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
8KB
-
Filesize
14.0MB