Overview

overview

9

Static

static

7

2d99499bd3...8b.exe

windows7-x64

9

2d99499bd3...8b.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    118s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2023 13:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d99499bd32277d990ab68b04f930123c4fe6c9e6c5ee619abec04b9de172d8b.exe

  • Size

    390KB

  • MD5

    63a364620dcd70ada03eee7f591de81e

  • SHA1

    41ec7aeb7c7ac83a778a7b7b7163390a99599480

  • SHA256

    2d99499bd32277d990ab68b04f930123c4fe6c9e6c5ee619abec04b9de172d8b

  • SHA512

    a72739028cd68552bacbdca9c55c4f269206711becb875fba7beee6889123e4710ec4c44b81cf8df5378de587160f4d18de8b7a8dce910f718949ccdf76726ea

  • SSDEEP

    12288:Kc6fcoxQNKJvMf4s1S9KMqXYxzk1BjYnsWQJ208:DoxQUJG4s18qIu958

Score
9/10
evasionpersistenceupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d99499bd32277d990ab68b04f930123c4fe6c9e6c5ee619abec04b9de172d8b.exe
    "C:\Users\Admin\AppData\Local\Temp\2d99499bd32277d990ab68b04f930123c4fe6c9e6c5ee619abec04b9de172d8b.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2224
  • C:\Users\Public\Documents\123\PTvrst.exe
    "C:\Users\Public\Documents\123\PTvrst.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\123\PTvrst.exe
    Filesize

    1.2MB

    MD5

    d22cfb5bfaeb1503b12b07e53ef0a149

    SHA1

    8ea2c85e363f551a159fabd65377affed4e417a1

    SHA256

    260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

    SHA512

    151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

    Download Submit

  • C:\Users\Public\Documents\123\PTvrst.exe
    Filesize

    1.2MB

    MD5

    d22cfb5bfaeb1503b12b07e53ef0a149

    SHA1

    8ea2c85e363f551a159fabd65377affed4e417a1

    SHA256

    260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

    SHA512

    151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

    Download Submit

  • C:\WINDOWS\DNomb\Mpec.mbt
    Filesize

    802B

    MD5

    555b2a6585542a8ebb6770fa3b8ffc5f

    SHA1

    f26bc79e6031928b16fbf1c8625558bb2fd343ad

    SHA256

    d5194a0267b5cdff1d13aaf5322d148a18ae4800052332fb8cbe2ce4804c7eb2

    SHA512

    b1489574abced67b37dc85480daaf679a001702d672e5d82261bce49461c59fe478dea9a7a2333d8be3386d0c857be069c2e5409a3368e201438e7c738a6ee53

    Download Submit

  • memory/2224-3-0x0000000000400000-0x0000000000535000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2224-39-0x0000000000400000-0x0000000000535000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2224-0-0x0000000000400000-0x0000000000535000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2224-11-0x0000000000400000-0x0000000000535000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2668-21-0x0000000004110000-0x0000000004111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-25-0x00000000040E0000-0x00000000040E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-14-0x0000000000400000-0x00000000006A2000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2668-15-0x00000000040F0000-0x00000000040F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-16-0x0000000004290000-0x0000000004291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-17-0x0000000004260000-0x0000000004261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-18-0x00000000042E0000-0x00000000042E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-19-0x0000000004230000-0x0000000004231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-20-0x00000000042D0000-0x00000000042D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2668-9-0x0000000077220000-0x0000000077222000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2668-22-0x0000000004300000-0x0000000004301000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-24-0x00000000042C0000-0x00000000042C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-23-0x0000000004280000-0x0000000004281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-12-0x00000000042F0000-0x00000000042F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-26-0x00000000042A0000-0x00000000042A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-27-0x0000000004310000-0x0000000004311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-28-0x0000000004350000-0x0000000004351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-30-0x00000000040C0000-0x00000000040C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-29-0x0000000004340000-0x0000000004341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-32-0x00000000042B0000-0x00000000042B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-31-0x0000000004270000-0x0000000004271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-33-0x0000000004330000-0x0000000004331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-34-0x00000000040D0000-0x00000000040D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-7-0x0000000000400000-0x00000000006A2000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2668-41-0x0000000004320000-0x0000000004321000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-42-0x0000000004250000-0x0000000004251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-40-0x0000000000400000-0x00000000006A2000-memory.dmp

    Filesize

    2.6MB

    Download