Analysis

  • max time kernel
    195s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/10/2023, 05:09

General

  • Target

    ef8be4e2eee1ce9af5488ac962c4823e11f737e01e2a3c8ed96f32cc0db18fc4.exe

  • Size

    3.4MB

  • MD5

    20fb5e586475341f636b916b026208ff

  • SHA1

    adc20cda17f7d27e37d211b28a24dd06ca7a580c

  • SHA256

    24f92c883d5db4db4c8d39d41e31e6d2715fc345a5ec6433585ce38e2c2392f4

  • SHA512

    41c19075c05a66df4517a0dacce8e90eee1f1dca95f71f9d598e5e88f9928459f1157fa967089e7510cb2a81a23a3e8e7728799d183ef17c39b35edb42b70e0d

  • SSDEEP

    98304:mUoz95vq28HVaKCJj1z2ge+u/3qXuD5OxBBkyWBh:jQZyahJ4g3uPIuFKayu

Score
10/10

Malware Config

Signatures

  • Detects DLL dropped by Raspberry Robin. 1 IoCs

    Raspberry Robin.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef8be4e2eee1ce9af5488ac962c4823e11f737e01e2a3c8ed96f32cc0db18fc4.exe
    "C:\Users\Admin\AppData\Local\Temp\ef8be4e2eee1ce9af5488ac962c4823e11f737e01e2a3c8ed96f32cc0db18fc4.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ef8be4e2eee1ce9af5488ac962c4823e11f737e01e2a3c8ed96f32cc0db18fc4.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2764

Network

Downloads
