Overview

overview

9

Static

static

3

c7465fd842...d1.exe

windows7-x64

9

c7465fd842...d1.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    156s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2023, 09:44

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c7465fd84271c7907ca30fa96d3d0e78b7ac9c46d02d9236ca32397490d888d1.exe

  • Size

    4.3MB

  • MD5

    8cdcfb6b72fdbbfaa0b344c45249dad6

  • SHA1

    b18f8d9ccf0d18dc69521687e05f4daebd998238

  • SHA256

    c7465fd84271c7907ca30fa96d3d0e78b7ac9c46d02d9236ca32397490d888d1

  • SHA512

    c99e72f81942c59c2863b5fe39170138b0e5075b03aff0504ec07a5b3b1853051df5a643f72991a749a4ec46c0245ccb0efe81985d0274caa5706f69e0ff6903

  • SSDEEP

    98304:zvho60OBVd3SblPhyafhffQ3DULEe9RDc35adl:L7L9ibDyafhflptt

Score
9/10
bootkitevasionpersistencetrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7465fd84271c7907ca30fa96d3d0e78b7ac9c46d02d9236ca32397490d888d1.exe
    "C:\Users\Admin\AppData\Local\Temp\c7465fd84271c7907ca30fa96d3d0e78b7ac9c46d02d9236ca32397490d888d1.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4252
    • C:\Users\Admin\Documents\UnityCrashHandler64.exe
      C:\Users\Admin\Documents\\UnityCrashHandler64.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4284
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
      2⤵
      • Deletes itself
      PID:2476

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\mntemp
          Filesize

          16B

          MD5

          71a86d09ed4093b63bfe04838c551fff

          SHA1

          4797c240d912471ae5e7e051e0d429abbd130817

          SHA256

          c74c63bb9cb1bdccf250f377f98c8ddfa117c4f2b8e4d8fed0d4382ddef3e3be

          SHA512

          a2e6c6a36e54228264b677d72dc71611c797e599b2219512599d15f9a29c6e97e4eed93c2fbbad2df5ddc7df5963d8286b24a8f99dfa229ac33111e2e881a97e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tem.vbs
          Filesize

          275B

          MD5

          7edd4a602067b2806ff69b80860010b8

          SHA1

          89597b2cc49fb471cdf848d2e697d2ef5df211a6

          SHA256

          ff1ba5479797ec2b1c6370425f00efa4e2eb4e805f2caa4736aa2954b7fb774c

          SHA512

          c9261e5e4735b81733e7b39662995650b8e3b3ccae6db00cf0604f7911157f7718825ca874df3d00adeab55816e812cb1068fa2d9d843b2705b0b871ec0ca509

          Download Submit

        • C:\Users\Admin\Documents\UnityCrashHandler64.exe
          Filesize

          4.3MB

          MD5

          836f6c726933cd9f619ae620e02840ee

          SHA1

          425dace3af5734b5d2a6a9776fe67c847894b3d6

          SHA256

          0fd6e4e531f7a8f252d1d7510994ec0bdff6fc19cc2a67e2427f5fa3e58ec0c3

          SHA512

          500e4ebfc0c8e249c8fc850fdb91b248c357b68c4fd2b25fdc2f4107f18b01cb50193a8ad06a3c72f888988a61ab4d3e722dea23a797dbcc2482c1cb671c5a6e

          Download Submit

        • C:\Users\Admin\Documents\UnityCrashHandler64.exe
          Filesize

          4.3MB

          MD5

          836f6c726933cd9f619ae620e02840ee

          SHA1

          425dace3af5734b5d2a6a9776fe67c847894b3d6

          SHA256

          0fd6e4e531f7a8f252d1d7510994ec0bdff6fc19cc2a67e2427f5fa3e58ec0c3

          SHA512

          500e4ebfc0c8e249c8fc850fdb91b248c357b68c4fd2b25fdc2f4107f18b01cb50193a8ad06a3c72f888988a61ab4d3e722dea23a797dbcc2482c1cb671c5a6e

          Download Submit

        • memory/4252-4-0x0000000000400000-0x0000000000EA0000-memory.dmp

          Filesize

          10.6MB

          Download

        • memory/4252-5-0x0000000000400000-0x0000000000EA0000-memory.dmp

          Filesize

          10.6MB

          Download

        • memory/4252-0-0x0000000000400000-0x0000000000EA0000-memory.dmp

          Filesize

          10.6MB

          Download

        • memory/4252-3-0x0000000000400000-0x0000000000EA0000-memory.dmp

          Filesize

          10.6MB

          Download

        • memory/4252-16-0x0000000000400000-0x0000000000EA0000-memory.dmp

          Filesize

          10.6MB

          Download

        • memory/4252-20-0x0000000000400000-0x0000000000EA0000-memory.dmp

          Filesize

          10.6MB

          Download

        • memory/4252-1-0x00000000774B4000-0x00000000774B6000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4284-13-0x0000000000400000-0x0000000000EA0000-memory.dmp

          Filesize

          10.6MB

          Download

        • memory/4284-14-0x0000000000400000-0x0000000000EA0000-memory.dmp

          Filesize

          10.6MB

          Download

        • memory/4284-15-0x0000000000400000-0x0000000000EA0000-memory.dmp

          Filesize

          10.6MB

          Download

        • memory/4284-22-0x0000000000400000-0x0000000000EA0000-memory.dmp

          Filesize

          10.6MB

          Download