7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0

Analysis

max time kernel
142s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2023 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
Size

532KB
MD5

19f228f2b03012748f224bb8bb7b4982
SHA1

410bb016e57d520928c90ebea855569ea3f2bd9d
SHA256

7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0
SHA512

8319cae9045714e508928391f331597a8e7531dd11874478fd5c1d7da68849f94695f84e9322f350b9d3ce936e4432f59e4abc195fddc16b12014a24dc6cc9b0
SSDEEP

12288:9ZrM7Q5qzwjlEMbT7RwwWKpPu7uLXZBmA1:z4k5ucEM/2wWYaepV

Score

9^/10

evasion persistence upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	PTvrst.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2608	PTvrst.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Wine	PTvrst.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4084-0-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral2/memory/4084-12-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral2/memory/4084-13-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral2/memory/4084-16-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral2/memory/4084-32-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral2/memory/4084-35-0x0000000000400000-0x000000000057E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe"	PTvrst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2608	PTvrst.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\DNomb\spolsvt.exe	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
File created	C:\Windows\DNomb\Mpec.mbt	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
File opened for modification	C:\Windows\DNomb\Mpec.mbt	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
File created	C:\Windows\DNomb\PTvrst.exe	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
2608	PTvrst.exe
2608	PTvrst.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
4084	7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
2608	PTvrst.exe
2608	PTvrst.exe

C:\Users\Admin\AppData\Local\Temp\7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe
"C:\Users\Admin\AppData\Local\Temp\7f39379d5a00823230db97e51a97994ba7eb7e653f70d5db7fdea809640bfbc0.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4084

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1732

C:\Users\Public\Documents\123\PTvrst.exe
"C:\Users\Public\Documents\123\PTvrst.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\WINDOWS\DNomb\Mpec.mbt

Filesize
374B

MD5
9adb27d50cf1d49438bf52ef79c9a9f8

SHA1
3c63a7415d9b7f9db403711d0c30e4f087c4fe10

SHA256
ae80f21835c1a21fff3a518239dbea34d9a87f35c9d5be80789dde5c6ea3605a

SHA512
8c14161a2a152bb104185e8642fe3885d8771c5622bb8ce2bbc7445b4c28794d0fedf07bda496d1ac6b40ca6d5d842ac62c4e8b5300a08bcc6794735890fbc6d

Download Submit
memory/2608-49-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/2608-52-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2608-45-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/2608-27-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2608-44-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/2608-58-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/2608-36-0x0000000077E04000-0x0000000077E06000-memory.dmp

Filesize
8KB

Download
memory/2608-37-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2608-38-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/2608-39-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/2608-40-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/2608-41-0x00000000047D0000-0x00000000047D2000-memory.dmp

Filesize
8KB

Download
memory/2608-42-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/2608-43-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/2608-59-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2608-57-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2608-46-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/2608-48-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/2608-47-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/2608-50-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/2608-51-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/2608-53-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/2608-54-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/2608-55-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/4084-16-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4084-0-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4084-12-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4084-13-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4084-35-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4084-32-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download