Analysis
max time kernel: 151s
max time network: 172s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22/12/2023, 10:11
Behavioral task
behavioral1
Sample
83fd23ee476175c0b0f0a46200598ee4.exe
Resource
win7-20231215-en
General
Target: 83fd23ee476175c0b0f0a46200598ee4.exe
Size: 4.8MB
MD5: 83fd23ee476175c0b0f0a46200598ee4
SHA1: 988b0ca1261a7810b64df96540766f7f7c56022f
SHA256: 3279ee666821ef28cf1776a074111119c97a07ad57a8816437eeac5ff937605e
SHA512: 68c911f53b89973bff5b83b6cdc398370e549fb6c823bd7fedee2ae3156f5795270c1ae3a91990ba48bef74f872b8f103ae15a7bbb89f59e16f8b96d2fbe54b5
SSDEEP: 98304:QOl58P5ctjoDng8WlyYtWgZDJQ5hE21F/5K2ZM+mUcr4pg+J1RLQ4vfa:QSMokk8qjWy9YhE2zommUcI7hLQ+
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
The VBOX__ subkey under HARDWARE\ACPI\DSDT is the OEM ID of VirtualBox's DSDT table; the key only exists inside a VirtualBox guest, so a successful open is enough to flag the VM.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ExtrimHack[11.04.2018].exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments; the strings below are populated from firmware at boot and on a stock hypervisor guest carry the vendor's name.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ExtrimHack[11.04.2018].exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ExtrimHack[11.04.2018].exe

Executes dropped EXE (2 IoCs)
pid | Process
2776 | 235.exe
2988 | ExtrimHack[11.04.2018].exe

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Wine | ExtrimHack[11.04.2018].exe
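The four registry look-ups attributed to ExtrimHack[11.04.2018].exe above are the tells a stock VirtualBox guest (or a Wine prefix) exposes. The following Python is an added example, not code from the sandbox vendor or from the sample: it re-implements exactly those checks over an abstract registry reader, so a practitioner can see which artifact trips which check and test whether their own analysis VM would pass. The key paths are the ones listed in the report; the reader abstraction, the VM_MARKERS list, and the two snapshots are assumptions constructed for the example (the report does not say which strings the sample compares against).

```python
"""Re-implementation of the registry look-ups listed in the signatures above.

Added example, not code from the sandbox or from the sample. It models the
four artifacts the report attributes to ExtrimHack[11.04.2018].exe (the VBOX__
ACPI DSDT key, SystemBiosVersion, VideoBiosVersion and the per-user Wine key)
and reports which of them would expose an analysis VM. On Windows the same
logic can run against the live registry via winreg; elsewhere it runs over a
constructed snapshot, which is what the embedded samples below are.
"""
import platform
from typing import Callable, Dict, List, Optional, Tuple, Union

# Registry paths exactly as they appear in the report. A value of None means
# "the sample only opens the key", so mere existence of the key is the tell.
ARTIFACTS: List[Tuple[str, str, str, Optional[str]]] = [
    ("vbox_acpi",   "HKLM", r"HARDWARE\ACPI\DSDT\VBOX__",   None),
    ("system_bios", "HKLM", r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    ("video_bios",  "HKLM", r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    ("wine",        "HKCU", r"Software\Wine",                None),
]

# Hypervisor fingerprints commonly embedded in BIOS strings. This list is an
# assumption of the example; the report does not show the sample's own list.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "PARALLELS")

RegValue = Union[str, List[str], int]
Reader = Callable[[str, str, Optional[str]], Optional[RegValue]]
Snapshot = Dict[Tuple[str, str], Dict[str, RegValue]]


def snapshot_reader(snapshot: Snapshot) -> Reader:
    """Reader over an in-memory registry snapshot {(hive, path): {name: data}}."""
    def read(hive: str, path: str, value: Optional[str]) -> Optional[RegValue]:
        key = snapshot.get((hive, path))
        if key is None:
            return None          # key absent: RegOpenKey would fail
        if value is None:
            return True          # caller only asked whether the key exists
        return key.get(value)    # None when the value is missing
    return read


def winreg_reader() -> Reader:
    """Reader over the live registry; winreg is only importable on Windows."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}

    def read(hive: str, path: str, value: Optional[str]) -> Optional[RegValue]:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                if value is None:
                    return True
                data, _type = winreg.QueryValueEx(key, value)
                return data
        except OSError:
            return None
    return read


def assess(read: Reader) -> Dict[str, str]:
    """Return {artifact: reason} for every look-up that would expose the VM."""
    findings: Dict[str, str] = {}
    for name, hive, path, value in ARTIFACTS:
        data = read(hive, path, value)
        if data is None:
            continue
        if value is None:
            findings[name] = f"key {hive}\\{path} exists"
            continue
        # REG_MULTI_SZ comes back as a list of strings; flatten before matching.
        text = " ".join(data) if isinstance(data, (list, tuple)) else str(data)
        hits = [m for m in VM_MARKERS if m in text.upper()]
        if hits:
            findings[name] = f"{value} = {text!r} contains {', '.join(hits)}"
    return findings


# Constructed snapshots (not captured from a real machine): a stock VirtualBox
# guest, and a guest whose BIOS strings and VBOX__ key have been scrubbed.
STOCK_VBOX: Snapshot = {
    ("HKLM", r"HARDWARE\ACPI\DSDT\VBOX__"): {},
    ("HKLM", r"HARDWARE\DESCRIPTION\System"): {
        "SystemBiosVersion": ["VBOX   - 1"],
        "VideoBiosVersion": ["Oracle VM VirtualBox VBE BIOS"],
    },
}
HARDENED: Snapshot = {
    ("HKLM", r"HARDWARE\DESCRIPTION\System"): {
        "SystemBiosVersion": ["DELL   - 1072009"],
        "VideoBiosVersion": ["Intel Video BIOS"],
    },
}


def current_machine_findings() -> Dict[str, str]:
    """Live registry on Windows, otherwise the STOCK_VBOX snapshot."""
    read = winreg_reader() if platform.system() == "Windows" else snapshot_reader(STOCK_VBOX)
    return assess(read)


if __name__ == "__main__":
    for label, snap in (("stock VirtualBox", STOCK_VBOX), ("hardened", HARDENED)):
        print(label, assess(snapshot_reader(snap)) or "nothing exposed")
```

Run `assess(winreg_reader())` on the analysis VM itself to see what this sample would see. Note that the HARDWARE hive is volatile and rebuilt from firmware at every boot, so the BIOS strings and the DSDT key name cannot be fixed by editing the registry; they have to be changed at the hypervisor level (VirtualBox's DMI/ACPI extradata settings) for the scrubbed case to hold after a reboot.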
Loads dropped DLL (2 IoCs)
pid | Process
2428 | 83fd23ee476175c0b0f0a46200598ee4.exe
2428 | 83fd23ee476175c0b0f0a46200598ee4.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral1/memory/2428-0-0x0000000000400000-0x0000000000D43000-memory.dmp | vmprotect
behavioral1/memory/2428-4-0x0000000000400000-0x0000000000D43000-memory.dmp | vmprotect
behavioral1/memory/2428-26-0x0000000000400000-0x0000000000D43000-memory.dmp | vmprotect
The vmprotect rule matched the parent process's mapped image (0x400000-0xD43000) in all three dumps, indicating the dropper itself is VMProtect-packed; static analysis should start from the unpacked children rather than the 4.8MB parent.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops debug events from that thread reaching an attached debugger, a common anti-debugging measure independent of the registry-based VM checks above.
pid | Process
2988 | ExtrimHack[11.04.2018].exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2428 | 83fd23ee476175c0b0f0a46200598ee4.exe
2988 | ExtrimHack[11.04.2018].exe (the remaining 63 entries, all for this PID)
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2428 wrote to memory of 2776 | 2428 | 83fd23ee476175c0b0f0a46200598ee4.exe | 28 (4 identical entries)
PID 2428 wrote to memory of 2988 | 2428 | 83fd23ee476175c0b0f0a46200598ee4.exe | 30 (4 identical entries)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\83fd23ee476175c0b0f0a46200598ee4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\83fd23ee476175c0b0f0a46200598ee4.exe"
  PID: 2428
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Level 2 (child of PID 2428): C:\Users\Admin\AppData\Local\Temp\235.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\235.exe"
    PID: 2776
    - Executes dropped EXE
  Level 2 (child of PID 2428): C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe"
    PID: 2988
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 987KB
MD5: aca3f223e86e15567b7a866e941e70fa
SHA1: c7eac467191e3bab76f1f5d36a004b214ce2b3ce
SHA256: 56ed9a24187b984e21dc07aab53d563c3473b205b2ec7e9a961531f8d11877af
SHA512: dfc6127d56702d0f3171194c0ebc5e11d98360837bf217dc0d47d17aff1c85729b86b2cbebda7dfdd1e153cbcb1a82d06c3aff368dde4246f38af0926a32161a

Filesize: 1.1MB
MD5: c39fa7da50869fbc10b5853782b568a0
SHA1: 51d271a8d5ee9b63cb9daa01684d9439ed2717d8
SHA256: b7ccf2ca00efb52ea6eca4fb67f5aea829da67e5526ab2192aa78652d9075541
SHA512: 253b485ce74eeaeb00eb6bcf236d7666c46ddb81c0f4cc9439f22c66d7e425aa1319e378dc511858c630391463806ee584728f84d5314a59be7091feded08dd5

Filesize: 171KB
MD5: 9c0c641c06238516f27941aa1166d427
SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Filesize: 455KB
MD5: a73ddbba903795042140f10a6dba68b7
SHA1: 91ef79f8ecf27826064548effb4f37f935130623
SHA256: 99cb31e7bc0268d8b698945cb1d31554c1aed2eff1e2b398c8a5997617933d60
SHA512: 3901b898f9ba3ab9821506913f3d0ea3de7995e6f0e03f2c467c8964c13d8138ce5b4531e8954b5275e07497f1ce7a248f29a758bfd9d09f94278462297597b1

Filesize: 1.0MB
MD5: 83129d2fd38c810b2812d3bc7e1f47f3
SHA1: 7788c1e95dd9da2988a62b1eef3400bd74b41870
SHA256: cfbd544d0c231330e27f80766d48790b494ab48d5dc9822c1a8dfd618a2127e3
SHA512: c98975c947f864687d9a9655b6de02e86bed42e05787794cdac1f8fb4a2eeb71369b6a0c362fd585c487aaeaf81ee0ffa14fcbbcca815e6fe237d5814d7ece19