Analysis
-
max time kernel
25s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
24/12/2023, 20:15
General
-
Target
1040558c7dc87a46be07caf72321cd8e.exe
-
Size
5.6MB
-
MD5
1040558c7dc87a46be07caf72321cd8e
-
SHA1
f41f8d6e736aa0c24e77ee87c54d50a40ff3a406
-
SHA256
0408bf901d6a03e633db081462569983338e70a6302642ceed9eb856fe19eac0
-
SHA512
411684a05abee60ac061447116e306bc6b29fd3b9e6979a906d23f3ba1e1e684acf02d756f584995446c3e28211c1ee9237b24277dcfbf8b909cbae38ea48222
-
SSDEEP
98304:MZWPhbf9FQOnuW5I4rpzjEmy/uvzGz29MQDag:1reW53hWi
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1040558c7dc87a46be07caf72321cd8e.exe"C:\Users\Admin\AppData\Local\Temp\1040558c7dc87a46be07caf72321cd8e.exe"1⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Internet Explorer Phishing Filter
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe"2⤵
-
-
C:\Windows\SysWOW64\net.exenet stop windefend2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop windefend1⤵
-
C:\Windows\PLA\userfsp.exeC:\Windows\PLA\userfsp.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
2Modify Registry
5Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
305KB
MD53fd304b618315229d03f0776bfcc677b
SHA1c2734049858c7a2bbc3673abfe0e88281e773764
SHA256bc436b325baaabc043ccdc22fd7803e81c6d0c732579144ade4d9286b8b05523
SHA5124ad95197d3fd51bd6570de36670f2a9a1dddb710143ff9cbbc46043668c9318a27284a46836f3674b78e4b72cf99f0181cde60cfde6bccf9d3450a6a3b0ba93b
-
Filesize
5KB
MD538e8c714f9b1f4447d38cad5c95ef457
SHA1dfba62e37f1575dc2adab8cba7d53d9d39b0269d
SHA256b997aea190db973e7b5a04c3bb7c95f409e71e839165207e3615171c177d02d2
SHA51277ed2ea8c0f5a808dc7ee8ed3b66b9b301886b3f9f766b0882f04bec58e0f60e2526d9b0044b983bfc049ffe58938b128b4ebb973251170a9ca7b6968a856f35
-
Filesize
5KB
MD55d8d43d5c5113d1d614752c04d5fc223
SHA165e5cbcad3a0de4a52e6cc2019214f8e1bcc5921
SHA2564d4e7dee73ada611c12307113685fa3afd32d25c0babc9cc3d3631fa0384988d
SHA512fb670c7b0e8618e2df247704d53b1d05bb89cad481ffaa20fe02f4e6dbf09ff90455278dd74c248435f81a573c353c9f11f14b6533c48cce31e1a5ddd9308e87
-
Filesize
222KB
MD5373913481ffcb9f1e9bee1c5688651a7
SHA1e8628625fc158c86d6b276900b14eaaab1adfdf8
SHA2563ae18edf46e064c5e4f8b524c82ad45c0feab77342bd4b6b14b7fbf156e85a0b
SHA512837e7aed96875b2f1d135a5598a54ca8e80b5c08b12ab53e3138cc29c1a1d57e5003313651b3d564f0b3343fc7b87852671e03be56ceb648833614184081d6e5
-
Filesize
101KB
MD5a1041dcd2d6083cf521a59a643942ba8
SHA1d6f2fb54393126c83056d9574e23fe35d089f10d
SHA25612a0862eda4a3c1728eb2da6b670a6dba2a92764358df627a379444bc7ecc174
SHA5125f94c6cad7ab1dfd38fd3f1baa4c49a50aace5edab279ac91d5e50bf967c62b1cb2a014aa21de5d4c8bec3e424efbc6f278a020ba432044707608d94981acc6a
-
Filesize
546KB
MD55af07ca51679560d1adb90c21da07e78
SHA1cea23c935c2bad078106c1d6a33b91c8eec09143
SHA25603443df04318bd7b3e30e829655d5e8477ac946973258c049ab9bce5a1b2b239
SHA5125da132ff5334250adcdc64f369f8f5d81805945f89a74df6141481aab0ac4f9d12b256b30fb48b772d35874576d6f5296680eff31aaba20642c3f37ca85d6b53
-
Filesize
1.2MB
MD5ad93fe201f783d5edde66a4ac0a2532a
SHA1934e4ea8c15a0e9179abd1abef983ac0fccdb65d
SHA25632603b1002fcf059038d954a9bdea6dd306c1fda2679e2245f3c6178b3400638
SHA512f1ec11fb4738878ef53808f3f51a245ae42ffb7e25b67d9493d0e2e14b43d260c0fec3816752924f8e9d0e17da05ffba57ad8c0ed4400c5bd4a01feb1b2150f6
-
Filesize
1.3MB
MD5d8f58c75e0380c2c4adfe26037ea1443
SHA1ee8bcc3e31f31141f022ba60ec833ff26dbcc8df
SHA2561c545589e5e296c31eda172a3686071f680afade2424aa0cbc5d1f9bbb56d402
SHA5126652a2f0d4d2e82b8f33487e28de36be515b3378cc59bb0be89dde3268583cd69d61c8710406aa80e645678542840d479d27ab9ea58646861e8db8ccce4b8e11
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
2.0MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
2.0MB
-
Filesize
5.7MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.8MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.8MB
-
Filesize
4KB
-
Filesize
5.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.8MB
-
Filesize
4KB
-
Filesize
5.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.8MB
-
Filesize
4KB
-
Filesize
5.8MB
-
Filesize
4KB
-
Filesize
5.8MB
-
Filesize
4KB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
4KB
-
Filesize
5.8MB
-
Filesize
8KB