11b885a1003a521f4e30aca452c0c4870aaf2397917a4178d31284a0e3e9d948

Analysis

max time kernel
121s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c5523cf52da21ab640bfbac535b5981.exe
Size

538KB
MD5

3c5523cf52da21ab640bfbac535b5981
SHA1

9f65f7146b6dcc64461b18883b9a702261e23178
SHA256

11b885a1003a521f4e30aca452c0c4870aaf2397917a4178d31284a0e3e9d948
SHA512

30b032e42072c117fdc3442db19a5acf2c65462bc2393a5e77ae7e01546459a816543726b4e51f62f05a6fb26ee43c4527f30995b1c8a74f3b73763721e6172c
SSDEEP

12288:pJSZtERUJ48z9TY4PDZKAAkvvSpG43wbyEvv/Hjagq92:pJ8wi9T3PFKATl43WH/2/2

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3c5523cf52da21ab640bfbac535b5981.exe

Executes dropped EXE 1 IoCs

pid	Process
2768	s6208.exe

Loads dropped DLL 4 IoCs

pid	Process
2116	3c5523cf52da21ab640bfbac535b5981.exe
2116	3c5523cf52da21ab640bfbac535b5981.exe
2116	3c5523cf52da21ab640bfbac535b5981.exe
2116	3c5523cf52da21ab640bfbac535b5981.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	3c5523cf52da21ab640bfbac535b5981.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	3c5523cf52da21ab640bfbac535b5981.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2116	3c5523cf52da21ab640bfbac535b5981.exe
2768	s6208.exe
2768	s6208.exe
2768	s6208.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	s6208.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2768	s6208.exe
2768	s6208.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2768	2116	3c5523cf52da21ab640bfbac535b5981.exe	27
PID 2116 wrote to memory of 2768	2116	3c5523cf52da21ab640bfbac535b5981.exe	27
PID 2116 wrote to memory of 2768	2116	3c5523cf52da21ab640bfbac535b5981.exe	27
PID 2116 wrote to memory of 2768	2116	3c5523cf52da21ab640bfbac535b5981.exe	27

C:\Users\Admin\AppData\Local\Temp\3c5523cf52da21ab640bfbac535b5981.exe
"C:\Users\Admin\AppData\Local\Temp\3c5523cf52da21ab640bfbac535b5981.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\n6208\s6208.exe
  "C:\Users\Admin\AppData\Local\Temp\n6208\s6208.exe" ins.exe /h 85e3fe.api.socdn.com /u 50b892e5-d96c-476b-834e-555c5bc06f2f /e 12854946 /v "C:\Users\Admin\AppData\Local\Temp\3c5523cf52da21ab640bfbac535b5981.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\n6208\s6208.exe

Filesize
345KB

MD5
5f5a1f0603ba809db5ea1ff7570ed99a

SHA1
726ecbae66163c9806fb40bc1f1af5ef22365787

SHA256
a9c36c80ae7273725f00b2717074049edc4682ce7ca7cc6b4071f4538d41bbc4

SHA512
f3e08386de98863eb3b683863aeed211aa888d39765156c8ce5ff0563e887317c5a405bcde92cd41a61dca0046d2e6db2b0acb70639321f8f3d57938731b0c45

Download Submit
memory/2768-17-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-18-0x0000000002060000-0x00000000020E0000-memory.dmp

Filesize
512KB

Download
memory/2768-34-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2768-35-0x0000000002060000-0x00000000020E0000-memory.dmp

Filesize
512KB

Download
memory/2768-36-0x0000000002060000-0x00000000020E0000-memory.dmp

Filesize
512KB

Download
memory/2768-37-0x0000000002060000-0x00000000020E0000-memory.dmp

Filesize
512KB

Download
memory/2768-38-0x0000000002060000-0x00000000020E0000-memory.dmp

Filesize
512KB

Download
memory/2768-39-0x0000000002060000-0x00000000020E0000-memory.dmp

Filesize
512KB

Download
memory/2768-40-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-41-0x0000000002060000-0x00000000020E0000-memory.dmp

Filesize
512KB

Download
memory/2768-42-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-43-0x0000000002060000-0x00000000020E0000-memory.dmp

Filesize
512KB

Download
memory/2768-44-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-45-0x0000000002060000-0x00000000020E0000-memory.dmp

Filesize
512KB

Download