25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627

Analysis

max time kernel
140s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 14:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
Size

4.1MB
MD5

7451e9724242d69506c47f1b0dd08e57
SHA1

e5a684676a440607a722b986b7e04f58432b1085
SHA256

25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627
SHA512

f28c297038b96f3bc8b621fea124a167a26ceb413b6bd30d0141a8d065afb535474832926826154c7d02dd1f3762a5877d7ddeb0285fa0fc35eb26234e1a26b0
SSDEEP

98304:xQl9D5LQGLOYIGpAQd11/zKFnHJ/OdxgTtx8EbqvhgpdpG20iffw88Koh16L0Hk:xQlt5LXaYHpbd1pGFnHJ/Tpx8EbRpvGS

Score

9^/10

evasion persistence

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	PTvrst.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4360	PTvrst.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Wine	PTvrst.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe"	PTvrst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
4360	PTvrst.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\DNomb\Mpec.mbt	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
File opened for modification	C:\Windows\DNomb\Mpec.mbt	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
File created	C:\Windows\DNomb\PTvrst.exe	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
File created	C:\Windows\DNomb\spolsvt.exe	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
4360	PTvrst.exe
4360	PTvrst.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
2116	25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
4360	PTvrst.exe
4360	PTvrst.exe

C:\Users\Admin\AppData\Local\Temp\25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe
"C:\Users\Admin\AppData\Local\Temp\25fd0be69d4d45e5566ecbf78f41655e08d1b0f055bea37d93ea916937a80627.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1836

C:\Users\Public\Documents\123\PTvrst.exe
"C:\Users\Public\Documents\123\PTvrst.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\WINDOWS\DNomb\Mpec.mbt

Filesize
375B

MD5
fe5bb59f1036a3b91521524eb2f80233

SHA1
9dd8b67cadf2e62e28e966f4f745e8bf8e41f0db

SHA256
a1bb192190a933d1f6ef9fd69b32eb476655da9fe2e76873c5cdb35d4288debf

SHA512
3a2fe98fe11eeb18da1d692b968b868ca4e52a03e451ab86517211881b683369ec7678f3c19da775a209336e102af1c87df7ca6bcadb388e05521ffcf87a980b

Download Submit
memory/2116-10-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2116-13-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/2116-5-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/2116-6-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/2116-7-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/2116-8-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2116-9-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2116-3-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/2116-11-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/2116-4-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/2116-12-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/2116-14-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/2116-15-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/2116-25-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/2116-29-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/2116-32-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/2116-2-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/2116-1-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/2116-70-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/2116-0-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/4360-41-0x0000000077154000-0x0000000077156000-memory.dmp

Filesize
8KB

Download
memory/4360-55-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/4360-45-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/4360-47-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/4360-48-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/4360-49-0x00000000047E0000-0x00000000047E2000-memory.dmp

Filesize
8KB

Download
memory/4360-50-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/4360-51-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/4360-53-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/4360-54-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/4360-52-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/4360-46-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/4360-56-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/4360-57-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/4360-58-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/4360-59-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/4360-60-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/4360-43-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/4360-62-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/4360-64-0x0000000004A90000-0x0000000004A92000-memory.dmp

Filesize
8KB

Download
memory/4360-63-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/4360-68-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/4360-69-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/4360-35-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download