157c24347067ce05ef4edd0b383e6504a76687941e77f60839ee2f03fabd7e06

Analysis

max time kernel
147s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 20:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

157c24347067ce05ef4edd0b383e6504a76687941e77f60839ee2f03fabd7e06.exe
Size

5.5MB
MD5

0a030bb22a2ee00b83c19e43873d18c3
SHA1

15316a2dafab73174014eb713664911cd5c72170
SHA256

157c24347067ce05ef4edd0b383e6504a76687941e77f60839ee2f03fabd7e06
SHA512

675e8ba4d9984d931f09fdd263f2d6a51dc762ed64b05f55dd703dc3c0da8926c879839a07fd1a46745b999c2013fa8969d5aeafcfc3c61d7b74cd0582833e7a
SSDEEP

98304:kedtHf9Tll5G68L7+eMSq64Ao0TsK6xmluBCFjGW2x3M/82q/JUsauX3Ys/J:THf+6e+eQ64AoFVgluBCFj1q3k7QPauJ

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	demo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	UnityCrashHandler32.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UnityCrashHandler32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UnityCrashHandler32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	demo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	demo.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	UnityCrashHandler32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	157c24347067ce05ef4edd0b383e6504a76687941e77f60839ee2f03fabd7e06.exe

Executes dropped EXE 3 IoCs

pid	Process
4628	lol2.exe
4516	UnityCrashHandler32.exe
3976	demo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\systeamst = "C:\\Users\\Admin\\Documents\\demo.exe"	demo.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UnityCrashHandler32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	demo.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	UnityCrashHandler32.exe
File opened for modification	\??\PhysicalDrive0	demo.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4516	UnityCrashHandler32.exe
3976	demo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings	UnityCrashHandler32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4516	UnityCrashHandler32.exe
4516	UnityCrashHandler32.exe
4516	UnityCrashHandler32.exe
4516	UnityCrashHandler32.exe
4516	UnityCrashHandler32.exe
4516	UnityCrashHandler32.exe
3976	demo.exe
3976	demo.exe
3976	demo.exe
3976	demo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	demo.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4516	UnityCrashHandler32.exe
4516	UnityCrashHandler32.exe
3976	demo.exe
3976	demo.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 4628	4568	157c24347067ce05ef4edd0b383e6504a76687941e77f60839ee2f03fabd7e06.exe	86
PID 4568 wrote to memory of 4628	4568	157c24347067ce05ef4edd0b383e6504a76687941e77f60839ee2f03fabd7e06.exe	86
PID 4568 wrote to memory of 4628	4568	157c24347067ce05ef4edd0b383e6504a76687941e77f60839ee2f03fabd7e06.exe	86
PID 4568 wrote to memory of 4516	4568	157c24347067ce05ef4edd0b383e6504a76687941e77f60839ee2f03fabd7e06.exe	88
PID 4568 wrote to memory of 4516	4568	157c24347067ce05ef4edd0b383e6504a76687941e77f60839ee2f03fabd7e06.exe	88
PID 4568 wrote to memory of 4516	4568	157c24347067ce05ef4edd0b383e6504a76687941e77f60839ee2f03fabd7e06.exe	88
PID 4516 wrote to memory of 3976	4516	UnityCrashHandler32.exe	90
PID 4516 wrote to memory of 3976	4516	UnityCrashHandler32.exe	90
PID 4516 wrote to memory of 3976	4516	UnityCrashHandler32.exe	90
PID 4516 wrote to memory of 3108	4516	UnityCrashHandler32.exe	92
PID 4516 wrote to memory of 3108	4516	UnityCrashHandler32.exe	92
PID 4516 wrote to memory of 3108	4516	UnityCrashHandler32.exe	92

C:\Users\Admin\AppData\Local\Temp\157c24347067ce05ef4edd0b383e6504a76687941e77f60839ee2f03fabd7e06.exe
"C:\Users\Admin\AppData\Local\Temp\157c24347067ce05ef4edd0b383e6504a76687941e77f60839ee2f03fabd7e06.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Local\Temp\lol2.exe
  "C:\Users\Admin\AppData\Local\Temp\lol2.exe"
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler32.exe
  "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler32.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Users\Admin\Documents\demo.exe
    C:\Users\Admin\Documents\\demo.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3976
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
    3⤵
    PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mntemp

Filesize
16B

MD5
7eca5449806f9fc3a7b4d74b441519da

SHA1
b73b9632b1867088def32c35feee2b3c9394db58

SHA256
192a13659855d8dade914115f527ebb301390b97cfc54046404fb1d7e7bd518c

SHA512
ff9c1c9c4d8b7ffa643b3ca6519aea8a9fb9dd54f00ffc5a2dd4a5828460a835dadb8e863b84851ab38383381e441c0227dc9e9f50d57e86aae9177aaa7c2de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler32.exe

Filesize
4.2MB

MD5
b5c9ad5ca8df59f15177171027ce391b

SHA1
c97a4eebc941c88f47efa0861ba87e6b0dd321d1

SHA256
611b008343205504811523449ad3cc5f199b95748ae15ba0ffb04bc5309723a3

SHA512
ecefbccc39cf01dd9ee597c7b29da131656e0d3c755ab5fa645fe5f44a12fab4b8bcf7ee6534d726fafc1586ecea6e3de782966300c5f43840ac39117fa02564

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler32.exe

Filesize
4.2MB

MD5
b5c9ad5ca8df59f15177171027ce391b

SHA1
c97a4eebc941c88f47efa0861ba87e6b0dd321d1

SHA256
611b008343205504811523449ad3cc5f199b95748ae15ba0ffb04bc5309723a3

SHA512
ecefbccc39cf01dd9ee597c7b29da131656e0d3c755ab5fa645fe5f44a12fab4b8bcf7ee6534d726fafc1586ecea6e3de782966300c5f43840ac39117fa02564

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler32.exe

Filesize
4.2MB

MD5
b5c9ad5ca8df59f15177171027ce391b

SHA1
c97a4eebc941c88f47efa0861ba87e6b0dd321d1

SHA256
611b008343205504811523449ad3cc5f199b95748ae15ba0ffb04bc5309723a3

SHA512
ecefbccc39cf01dd9ee597c7b29da131656e0d3c755ab5fa645fe5f44a12fab4b8bcf7ee6534d726fafc1586ecea6e3de782966300c5f43840ac39117fa02564

Download Submit
C:\Users\Admin\AppData\Local\Temp\lol2.exe

Filesize
3.3MB

MD5
99d1f02a9560e2d05a4856b3c2c10254

SHA1
73360ca4d283d03a1e5a55c3228bee358069bb91

SHA256
8f08954ed8852fb63b32ec1fd47a4564ae7b52e225a8d9f03bd3ced8159a27b6

SHA512
ec167980f71b42cb6d6cccd71f8d8ca40a4f438c142940a6efae8d48a79fae8aabf953826235148e561506fb3f1aa8977b6c121f3028d369f941b121923562cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lol2.exe

Filesize
3.3MB

MD5
99d1f02a9560e2d05a4856b3c2c10254

SHA1
73360ca4d283d03a1e5a55c3228bee358069bb91

SHA256
8f08954ed8852fb63b32ec1fd47a4564ae7b52e225a8d9f03bd3ced8159a27b6

SHA512
ec167980f71b42cb6d6cccd71f8d8ca40a4f438c142940a6efae8d48a79fae8aabf953826235148e561506fb3f1aa8977b6c121f3028d369f941b121923562cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lol2.exe

Filesize
3.3MB

MD5
99d1f02a9560e2d05a4856b3c2c10254

SHA1
73360ca4d283d03a1e5a55c3228bee358069bb91

SHA256
8f08954ed8852fb63b32ec1fd47a4564ae7b52e225a8d9f03bd3ced8159a27b6

SHA512
ec167980f71b42cb6d6cccd71f8d8ca40a4f438c142940a6efae8d48a79fae8aabf953826235148e561506fb3f1aa8977b6c121f3028d369f941b121923562cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
230B

MD5
0e7b25c8a64ae042fd94ba296330d347

SHA1
18e63104d84d4405cbeed1fee4f145196c34f9c4

SHA256
48fe6ba982f24d9093290925741a5ac68025882583f2c91953f583dab932aa62

SHA512
e07265552443687aaa3edbad42a1daa290c3f3fa81b93378b818defe933acbd0bf110a4ab93f08d37c1d053e64a51b55df4de055fe3dd3917771ade8958da368

Download Submit
C:\Users\Admin\Documents\demo.exe

Filesize
4.2MB

MD5
534e8c0df9ec2c7b5eaf6fb9b26cd3cc

SHA1
01a725d10af5b7bd3f27e409cbf48e5524417a87

SHA256
bc1dae6d8807534b35e8b8135a2fa4602e2e17191d16fdafe5891b97d698d961

SHA512
c21efeac593022f074f9ec1c36ba55ae6f6bb5023c170209b00c654964c596eeefe561957a5755b5bee2974107cdf6c077a9f09e5ee553f5ea821ac2da961ff4

Download Submit
C:\Users\Admin\Documents\demo.exe

Filesize
4.2MB

MD5
534e8c0df9ec2c7b5eaf6fb9b26cd3cc

SHA1
01a725d10af5b7bd3f27e409cbf48e5524417a87

SHA256
bc1dae6d8807534b35e8b8135a2fa4602e2e17191d16fdafe5891b97d698d961

SHA512
c21efeac593022f074f9ec1c36ba55ae6f6bb5023c170209b00c654964c596eeefe561957a5755b5bee2974107cdf6c077a9f09e5ee553f5ea821ac2da961ff4

Download Submit
memory/3976-41-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/3976-40-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/3976-50-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/3976-47-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/3976-37-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/3976-42-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/4516-26-0x0000000077914000-0x0000000077916000-memory.dmp

Filesize
8KB

Download
memory/4516-30-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/4516-45-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/4516-24-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/4516-28-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/4516-29-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/4628-25-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/4628-38-0x0000000000400000-0x0000000000801000-memory.dmp

Filesize
4.0MB

Download