Overview

overview

9

Static

static

7

2d99499bd3...8b.exe

windows7-x64

9

2d99499bd3...8b.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2023 13:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d99499bd32277d990ab68b04f930123c4fe6c9e6c5ee619abec04b9de172d8b.exe

  • Size

    390KB

  • MD5

    63a364620dcd70ada03eee7f591de81e

  • SHA1

    41ec7aeb7c7ac83a778a7b7b7163390a99599480

  • SHA256

    2d99499bd32277d990ab68b04f930123c4fe6c9e6c5ee619abec04b9de172d8b

  • SHA512

    a72739028cd68552bacbdca9c55c4f269206711becb875fba7beee6889123e4710ec4c44b81cf8df5378de587160f4d18de8b7a8dce910f718949ccdf76726ea

  • SSDEEP

    12288:Kc6fcoxQNKJvMf4s1S9KMqXYxzk1BjYnsWQJ208:DoxQUJG4s18qIu958

Score
9/10
evasionpersistenceupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d99499bd32277d990ab68b04f930123c4fe6c9e6c5ee619abec04b9de172d8b.exe
    "C:\Users\Admin\AppData\Local\Temp\2d99499bd32277d990ab68b04f930123c4fe6c9e6c5ee619abec04b9de172d8b.exe"
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:4896
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1860
    • C:\Users\Public\Documents\123\PTvrst.exe
      "C:\Users\Public\Documents\123\PTvrst.exe"
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4448

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\Documents\123\PTvrst.exe
      Filesize

      1.2MB

      MD5

      d22cfb5bfaeb1503b12b07e53ef0a149

      SHA1

      8ea2c85e363f551a159fabd65377affed4e417a1

      SHA256

      260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

      SHA512

      151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

      Download Submit

    • C:\Users\Public\Documents\123\PTvrst.exe
      Filesize

      1.2MB

      MD5

      d22cfb5bfaeb1503b12b07e53ef0a149

      SHA1

      8ea2c85e363f551a159fabd65377affed4e417a1

      SHA256

      260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

      SHA512

      151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

      Download Submit

    • C:\WINDOWS\DNomb\Mpec.mbt
      Filesize

      802B

      MD5

      6a0c1e0f88237ceea3ce510b7f6d63f0

      SHA1

      d2c30fd58f9340ca04ed280c410678fb232b75b7

      SHA256

      08cb852a99d602f27d5bfcd7f758380290785835ae242a56149a1f94f4f628d0

      SHA512

      402fe35c47e4e75cb33b5192d27c5dc51460b19aa525fe0002c157524200ddc7e37608b792633f11861849d09d1ce2fc9a86acfd42fcef03620dd8af270b0f7e

      Download Submit

    • memory/4448-22-0x00000000047C0000-0x00000000047C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-12-0x0000000076F14000-0x0000000076F16000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4448-26-0x0000000004910000-0x0000000004911000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-9-0x0000000000400000-0x00000000006A2000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/4448-21-0x0000000004790000-0x0000000004791000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-15-0x0000000004750000-0x0000000004751000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-14-0x00000000047E0000-0x00000000047E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-16-0x00000000047A0000-0x00000000047A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-17-0x0000000004770000-0x0000000004771000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-18-0x00000000047D0000-0x00000000047D2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4448-25-0x0000000004800000-0x0000000004801000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-20-0x00000000047F0000-0x00000000047F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-23-0x0000000004740000-0x0000000004741000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-39-0x0000000000400000-0x00000000006A2000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/4448-40-0x0000000004810000-0x0000000004811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-38-0x0000000000400000-0x00000000006A2000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/4448-24-0x00000000047B0000-0x00000000047B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-27-0x0000000004780000-0x0000000004781000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-19-0x0000000004760000-0x0000000004761000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-28-0x0000000004840000-0x0000000004841000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-29-0x0000000004880000-0x0000000004881000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-30-0x0000000000400000-0x00000000006A2000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/4448-32-0x0000000004870000-0x0000000004871000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4448-31-0x00000000048E0000-0x00000000048E2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4896-3-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4896-37-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4896-4-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4896-7-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4896-0-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

      Download