Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/12/2023, 13:38

General

  • Target

    a8665d0ba00b860befbf28d3e5e670d5.exe

  • Size

    3.6MB

  • MD5

    a8665d0ba00b860befbf28d3e5e670d5

  • SHA1

    8f5f4ef8ee3408f6216d7abf731911ac7f363f40

  • SHA256

    5b163534033ed61d09c3eba2b2743d8869729a5a566640c1d10f18809f09e643

  • SHA512

    3006f4badede6be27b37d857ed33a281b75d159553d50b44e4a1c82fb8bf7c86a1f0e5e406b5750354c48b1facefc02fb8c2701dbcc0daefc373b5806b1c44f6

  • SSDEEP

    49152:BslvbszilY8dy0WFltM4fR44Mz5zJJqBivmfM+h2Xd/ACygCZk6QAM:2FxgrBKfz5WZh2HRak1

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Themida packer 9 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8665d0ba00b860befbf28d3e5e670d5.exe (PID:2012)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a8665d0ba00b860befbf28d3e5e670d5.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops startup file
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Windows\system32\WerFault.exe (PID:2252)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2012 -s 1560

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize: 344B
      MD5: a9c787409c4aa35884957ac79f988459
      SHA1: ab3621b3e852039bac0324defa09b1c82ebc2d4f
      SHA256: 8bb4e9b68ce75a04d1728fc2ad2b4b95b8058ebecd413d09ab7b8e5c928192de
      SHA512: d2641d8a73e25ce41c1097c90d0e52a4ac7361b5ef889ed170f817bfe41568c3ff9888e26dacb31b1d33c56bdf1143bbbba20054906c091147dfdee37ff61bac

    • C:\Users\Admin\AppData\Local\Temp\Cab2906.tmp
      Filesize: 65KB
      MD5: ac05d27423a85adc1622c714f2cb6184
      SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
      SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
      SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Tar2D8B.tmp
      Filesize: 70KB
      MD5: ca5dfff59e5d9daf0b54a5afde73c0c8
      SHA1: fa51ec2c57c584a119fd3805325d9d296ab87ea9
      SHA256: b8e615b290bf3af6b2bbe2eea56cd0eb8d47892db4a7c6a981387dbb8cb834c4
      SHA512: 3768e3247957cea5561d4802a2657bd43bc6959938a7a5ab5e186c9619b2f62ff45e64ce95941cc86970513a134df429460e6d41f9c34c33d83e1fd8722f01bf

    • \ProgramData\Microsoft Network\System.exe
      Filesize: 1.2MB
      MD5: ac1c101c3683c5abd497e7c8b1a5014e
      SHA1: 09b3ee0a8416c454acfea21fdb4730d707a53d46
      SHA256: be00e2872a5cd8678e38ec8bf5afe54b3bc6cf45a341dd57cf9a372b5276e621
      SHA512: c5bbda08691487264a86b8c6cb4894c0519f78270ba5ebc6e23291be0f72e8c2276d569591f96d53a137c0780a4f067b328ecc53db8b9afcfed53bb7e34c884a

    Memory dumps (PID 2012)

    • memory/2012-3-0x000000013F930000-0x000000013FD01000-memory.dmp
      Filesize: 3.8MB
    • memory/2012-6-0x000000013F930000-0x000000013FD01000-memory.dmp
      Filesize: 3.8MB
    • memory/2012-5-0x000000013F930000-0x000000013FD01000-memory.dmp
      Filesize: 3.8MB
    • memory/2012-4-0x000000013F930000-0x000000013FD01000-memory.dmp
      Filesize: 3.8MB
    • memory/2012-0-0x000000013F930000-0x000000013FD01000-memory.dmp
      Filesize: 3.8MB
    • memory/2012-2-0x000000013F930000-0x000000013FD01000-memory.dmp
      Filesize: 3.8MB
    • memory/2012-72-0x000000013F930000-0x000000013FD01000-memory.dmp
      Filesize: 3.8MB
    • memory/2012-89-0x00000000020D0000-0x00000000020E0000-memory.dmp
      Filesize: 64KB
    • memory/2012-1-0x0000000076CC0000-0x0000000076E69000-memory.dmp
      Filesize: 1.7MB
    • memory/2012-131-0x000000013F930000-0x000000013FD01000-memory.dmp
      Filesize: 3.8MB
    • memory/2012-132-0x0000000076CC0000-0x0000000076E69000-memory.dmp
      Filesize: 1.7MB