1468dfd25571398c40feacfa4ca3745e57002bce8fe31342b73ede6b7175c612

Analysis

max time kernel
237s
max time network
279s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00ff6c540843ca1d32cabe7a3bc63068.exe
Size

500KB
MD5

00ff6c540843ca1d32cabe7a3bc63068
SHA1

3d758c82f233954b8e43ed61fdce8b1b34c4d56d
SHA256

1468dfd25571398c40feacfa4ca3745e57002bce8fe31342b73ede6b7175c612
SHA512

6a58a3d018123433b349dad4676a94241c9988f14935aec521e0683c0726e36c5f29713cc5a185383effba3660e380b117ae50492a2c6c0b681e7cc8d16da3f3
SSDEEP

6144:ABvV8KdpmmIGXsDSRkV0z6IMc9SPoajdz51IR7qb20WFP/XauRWnCSeL1o5VY9v9:ABtZTwBDSF39zRm6KuKCSC1Xv9

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	00ff6c540843ca1d32cabe7a3bc63068.exe

Executes dropped EXE 1 IoCs

pid	Process
1640	s9826.exe

Loads dropped DLL 4 IoCs

pid	Process
524	00ff6c540843ca1d32cabe7a3bc63068.exe
524	00ff6c540843ca1d32cabe7a3bc63068.exe
524	00ff6c540843ca1d32cabe7a3bc63068.exe
524	00ff6c540843ca1d32cabe7a3bc63068.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	00ff6c540843ca1d32cabe7a3bc63068.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	00ff6c540843ca1d32cabe7a3bc63068.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
524	00ff6c540843ca1d32cabe7a3bc63068.exe
1640	s9826.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	s9826.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1640	s9826.exe
1640	s9826.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 1640	524	00ff6c540843ca1d32cabe7a3bc63068.exe	27
PID 524 wrote to memory of 1640	524	00ff6c540843ca1d32cabe7a3bc63068.exe	27
PID 524 wrote to memory of 1640	524	00ff6c540843ca1d32cabe7a3bc63068.exe	27
PID 524 wrote to memory of 1640	524	00ff6c540843ca1d32cabe7a3bc63068.exe	27

C:\Users\Admin\AppData\Local\Temp\00ff6c540843ca1d32cabe7a3bc63068.exe
"C:\Users\Admin\AppData\Local\Temp\00ff6c540843ca1d32cabe7a3bc63068.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:524
- C:\Users\Admin\AppData\Local\Temp\n9826\s9826.exe
  "C:\Users\Admin\AppData\Local\Temp\n9826\s9826.exe" ins.exe /e 11737807 /u 51938065-e47c-4b97-bfda-2a105bc06f2f /v "C:\Users\Admin\AppData\Local\Temp\00ff6c540843ca1d32cabe7a3bc63068.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\n9826\s9826.exe

Filesize
284KB

MD5
709f5012028d4342464f9244e468f655

SHA1
adea3d39c0b2356a5124c10bfeeaa7af7fa8593a

SHA256
0fe9a2e6600582cff74673810979d3d89273088c2b9a07378df44e3cab7b14b7

SHA512
12198b05cafb236934b11e655ebad407f45ac1b5a3502f7539ddc053a54e1c5cc933914899af6e48653a78236140ed4758b53ce1beab5bbc6823cee36cdf4b74

Download Submit
memory/1640-14-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/1640-15-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1640-16-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/1640-17-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/1640-18-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/1640-19-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/1640-20-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/1640-21-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/1640-22-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/1640-23-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1640-24-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/1640-25-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/1640-26-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/1640-27-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download