ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

General

Target

tmp.exe
Size

5.5MB
MD5

a92a908cae30b9b020244bedf61a1dd4
SHA1

a45bf660ae267b2c8027327b2b97c61faa88d9ae
SHA256

ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308
SHA512

beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba
SSDEEP

98304:pHrMX3ZbN6mocwdMpXYI6A2XwY0o7r5QBa2lAo3WTsKVnd/9lSD/WFIxUBzqHy:1MnZZPocwGpoRRXwY9rb2moBKVd/9lEJ

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

tmp.exeO.exeO.exeO.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	O.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	O.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	O.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

O.exetmp.exeO.exeO.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	O.exe

Executes dropped EXE 3 IoCs

Processes:

O.exeO.exeO.exe

pid process

2528 O.exe
748 O.exe
1992 O.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2988 cmd.exe

pid	process
2528	O.exe
748	O.exe
1992	O.exe

pid	process
2988	cmd.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

O.exeO.exetmp.exeO.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	O.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	O.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	O.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

tmp.exeO.exeO.exeO.exe

pid process

1768 tmp.exe
2528 O.exe
748 O.exe
1992 O.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1956 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2596 timeout.exe

pid	process
1768	tmp.exe
2528	O.exe
748	O.exe
1992	O.exe

pid	process
1956	schtasks.exe

pid	process
2596	timeout.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

tmp.execmd.exeO.exetaskeng.exe

description	pid	process	target process
PID 1768 wrote to memory of 2988	1768	tmp.exe	cmd.exe
PID 1768 wrote to memory of 2988	1768	tmp.exe	cmd.exe
PID 1768 wrote to memory of 2988	1768	tmp.exe	cmd.exe
PID 1768 wrote to memory of 2988	1768	tmp.exe	cmd.exe
PID 2988 wrote to memory of 2596	2988	cmd.exe	timeout.exe
PID 2988 wrote to memory of 2596	2988	cmd.exe	timeout.exe
PID 2988 wrote to memory of 2596	2988	cmd.exe	timeout.exe
PID 2988 wrote to memory of 2596	2988	cmd.exe	timeout.exe
PID 2988 wrote to memory of 2528	2988	cmd.exe	O.exe
PID 2988 wrote to memory of 2528	2988	cmd.exe	O.exe
PID 2988 wrote to memory of 2528	2988	cmd.exe	O.exe
PID 2988 wrote to memory of 2528	2988	cmd.exe	O.exe
PID 2988 wrote to memory of 2528	2988	cmd.exe	O.exe
PID 2988 wrote to memory of 2528	2988	cmd.exe	O.exe
PID 2988 wrote to memory of 2528	2988	cmd.exe	O.exe
PID 2528 wrote to memory of 1956	2528	O.exe	schtasks.exe
PID 2528 wrote to memory of 1956	2528	O.exe	schtasks.exe
PID 2528 wrote to memory of 1956	2528	O.exe	schtasks.exe
PID 2528 wrote to memory of 1956	2528	O.exe	schtasks.exe
PID 2936 wrote to memory of 748	2936	taskeng.exe	O.exe
PID 2936 wrote to memory of 748	2936	taskeng.exe	O.exe
PID 2936 wrote to memory of 748	2936	taskeng.exe	O.exe
PID 2936 wrote to memory of 748	2936	taskeng.exe	O.exe
PID 2936 wrote to memory of 748	2936	taskeng.exe	O.exe
PID 2936 wrote to memory of 748	2936	taskeng.exe	O.exe
PID 2936 wrote to memory of 748	2936	taskeng.exe	O.exe
PID 2936 wrote to memory of 1992	2936	taskeng.exe	O.exe
PID 2936 wrote to memory of 1992	2936	taskeng.exe	O.exe
PID 2936 wrote to memory of 1992	2936	taskeng.exe	O.exe
PID 2936 wrote to memory of 1992	2936	taskeng.exe	O.exe
PID 2936 wrote to memory of 1992	2936	taskeng.exe	O.exe
PID 2936 wrote to memory of 1992	2936	taskeng.exe	O.exe
PID 2936 wrote to memory of 1992	2936	taskeng.exe	O.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\s1d4.0.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2596
- - C:\ProgramData\Roaming\O.exe
    "C:\ProgramData\Roaming\O.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "O" /tr C:\ProgramData\Roaming\O.exe /f
      4⤵
      Creates scheduled task(s)
      PID:1956

C:\Windows\system32\taskeng.exe
taskeng.exe {62DEFC71-2418-4647-8E5D-CE02CB9E77BA} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- C:\ProgramData\Roaming\O.exe
  C:\ProgramData\Roaming\O.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:748
- C:\ProgramData\Roaming\O.exe
  C:\ProgramData\Roaming\O.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Roaming\O.exe

Filesize
5.5MB

MD5
a92a908cae30b9b020244bedf61a1dd4

SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae

SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba

Download Submit
C:\ProgramData\Roaming\O.exe

Filesize
5.5MB

MD5
a92a908cae30b9b020244bedf61a1dd4

SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae

SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba

Download Submit
C:\ProgramData\Roaming\O.exe

Filesize
5.5MB

MD5
a92a908cae30b9b020244bedf61a1dd4

SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae

SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba

Download Submit
C:\ProgramData\Roaming\O.exe

Filesize
5.5MB

MD5
a92a908cae30b9b020244bedf61a1dd4

SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae

SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1d4.0.bat

Filesize
168B

MD5
44f5a937b6226d54763a11e0be13c03d

SHA1
4d4cc6bccf8ebccda41e8f5c877093e9029bc643

SHA256
0025cc3cbd9d51ff0a84c81d034e1dea79a38f16c60b72532581c4da6e152c21

SHA512
5459438d65a48e810004c0340a3f463cd3b797b7dbaf14a84cd2e6b9bc09d61e3ae90ee141b08545b4a9545eb5810f980f6772f26d1303b243ec8ef7a16ce04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1d4.0.bat

Filesize
168B

MD5
44f5a937b6226d54763a11e0be13c03d

SHA1
4d4cc6bccf8ebccda41e8f5c877093e9029bc643

SHA256
0025cc3cbd9d51ff0a84c81d034e1dea79a38f16c60b72532581c4da6e152c21

SHA512
5459438d65a48e810004c0340a3f463cd3b797b7dbaf14a84cd2e6b9bc09d61e3ae90ee141b08545b4a9545eb5810f980f6772f26d1303b243ec8ef7a16ce04b

Download Submit
\ProgramData\Roaming\O.exe

Filesize
5.5MB

MD5
a92a908cae30b9b020244bedf61a1dd4

SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae

SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba

Download Submit
memory/748-56-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/748-58-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/748-51-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/748-57-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/748-47-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1768-12-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1768-28-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1768-13-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1768-9-0x0000000077710000-0x0000000077712000-memory.dmp

Filesize
8KB

Download
memory/1768-1-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1768-10-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1768-24-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1768-0-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1768-11-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1768-4-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1992-77-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1992-66-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1992-70-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1992-75-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/1992-76-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2528-30-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2528-60-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2528-45-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2528-41-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2528-40-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2528-39-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2528-34-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads