Analysis
max time kernel: 147s
max time network: 153s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 14:13
Static task: static1
Behavioral task: behavioral1
Sample: 74c738ec680d1ff87c135833211a88dd.exe
Resource: win7-20231215-en
General
Target: 74c738ec680d1ff87c135833211a88dd.exe
Size: 5.9MB
MD5: 74c738ec680d1ff87c135833211a88dd
SHA1: 12040b15530b5b80de79faa122d095341c388b60
SHA256: bcb6d900f86664d0a97e69510c99b519f26f376316e761fadf2a8ef4f672b975
SHA512: a002eaf05daa6b8826fb73fe4beef075c647ceb0a59198ae223329497b92487fd2a029ad0a7c1bd13656e02d9d22506a148dbe46733b89ed675b77c8aae07ad1
SSDEEP: 49152:VDIMT1Lr5k16MadwH/MiaK+zRHhHreL+lcTQxexi5rFN9rr1x0QDQcUhoecxyA+P:pm
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: Onion_2.84 (1)-cleaned.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: Onion_2.84 (1)-cleaned.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: Onion_2.84 (1)-cleaned.exe)

Executes dropped EXE (2 IoCs)
- PID 2744: Onion_2.84 (1)-cleaned.exe
- PID 2872: BLiTZ_v5.2_2.84_64_Bit_Fixed.EXE

Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened: \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine (process: Onion_2.84 (1)-cleaned.exe)

Loads dropped DLL (3 IoCs)
- PID 2916: 74c738ec680d1ff87c135833211a88dd.exe
- PID 2916: 74c738ec680d1ff87c135833211a88dd.exe
- PID 2916: 74c738ec680d1ff87c135833211a88dd.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsvc.exe" (process: Onion_2.84 (1)-cleaned.exe)
Checks whether UAC is enabled
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: Onion_2.84 (1)-cleaned.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
- PID 2744: Onion_2.84 (1)-cleaned.exe

Drops file in Program Files directory (2 IoCs)
- File created: C:\Program Files (x86)\TCP Service\tcpsvc.exe (process: Onion_2.84 (1)-cleaned.exe)
- File opened for modification: C:\Program Files (x86)\TCP Service\tcpsvc.exe (process: Onion_2.84 (1)-cleaned.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 2744: Onion_2.84 (1)-cleaned.exe
- PID 2744: Onion_2.84 (1)-cleaned.exe
- PID 2744: Onion_2.84 (1)-cleaned.exe
- PID 2744: Onion_2.84 (1)-cleaned.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 2744: Onion_2.84 (1)-cleaned.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2916: 74c738ec680d1ff87c135833211a88dd.exe
- Token: SeDebugPrivilege, PID 2744: Onion_2.84 (1)-cleaned.exe

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2916 (74c738ec680d1ff87c135833211a88dd.exe) wrote to memory of 2744, procid_target 29
- PID 2916 (74c738ec680d1ff87c135833211a88dd.exe) wrote to memory of 2744, procid_target 29
- PID 2916 (74c738ec680d1ff87c135833211a88dd.exe) wrote to memory of 2744, procid_target 29
- PID 2916 (74c738ec680d1ff87c135833211a88dd.exe) wrote to memory of 2744, procid_target 29
- PID 2916 (74c738ec680d1ff87c135833211a88dd.exe) wrote to memory of 2872, procid_target 28
- PID 2916 (74c738ec680d1ff87c135833211a88dd.exe) wrote to memory of 2872, procid_target 28
- PID 2916 (74c738ec680d1ff87c135833211a88dd.exe) wrote to memory of 2872, procid_target 28
- PID 2916 (74c738ec680d1ff87c135833211a88dd.exe) wrote to memory of 2872, procid_target 28
Processes

C:\Users\Admin\AppData\Local\Temp\74c738ec680d1ff87c135833211a88dd.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\74c738ec680d1ff87c135833211a88dd.exe"
  PID: 2916
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\BLiTZ_v5.2_2.84_64_Bit_Fixed.EXE (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\BLiTZ_v5.2_2.84_64_Bit_Fixed.EXE"
    PID: 2872
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe"
    PID: 2744
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 574KB
MD5: 1608a4780695ff52fe056d10fb96b431
SHA1: 82faa86536b679c98fa97dbcdd8e480f0bb56e7f
SHA256: 784fdab31f9cc7ef4965da3e53195ab8d0c0949b3527642b3f50c8246f06f216
SHA512: d30337caa3f2dacc454e78d6f1489c699f1b024c2d6a393e760279909cb236e8f259335ced6dc83c69865b14fb8b33b10ed85df1b60b71c6987c914a23fd4895

Filesize: 872KB
MD5: 4814523ce1c91543cc329463e6633976
SHA1: 98a86e42bcb10104cfb9c8a8def49847da0f74dc
SHA256: a9796452153847fbe1d83737a24d50e32dd2c709749af33d76f5fc197967a2d2
SHA512: faee912319e48265c1d4ad1aa0eee4dc7c45921335aef266967ec04972c6a3077737ac2427afc7c016de8ec1074e742f0623f9cdbc095b229cfbaddce54d73a7

Filesize: 966KB
MD5: 6ea8e4328dc6e65b3d1d5e171dde65a3
SHA1: 8d22cdd24ee740089e0149c49bdc1331b23ea483
SHA256: 3d0e8284f0973ce40b3ae3229daba374bc049387a64278c69cb594ec4e1ef5c4
SHA512: 07974754f0d5e0affff5e8287855300bc1aafdaf6ea96bd6d628fcf485778fa7515713c3b7305241664d5417c3ba7d19feb1425dce4c82ab92065febc5735dce

Filesize: 1.9MB
MD5: c817e0e262270baf4dc5bbbe766cb414
SHA1: 8a5c1909d826d135f8fe9172d105f998bb415cbe
SHA256: 62e1803db0e0dc9712dc8042297afc43c712714bc65b2e0b26b653d32baf892e
SHA512: 9b32b4f780182d31db52928ffc3d9aba4f61203317fdcb216d2cce7350027671dde8587128a6b53aff3e547cf4bc1e8682efc5f5d628069a2b06cc1811a1b643

Filesize: 985KB
MD5: b64607d93442cf1bb2cd58974a573111
SHA1: 2b9e6fc67573809ff8b9da697b052f761d1ae634
SHA256: c638eda49dbcaaeb7458403832daf82a0b6e2ba2ab630d9c52341b6d1c433b6a
SHA512: 51886961ae98343bc0233dc14a3315a1789a26c44bd9d1f9721c55128ff252c2e5ce2fe64aa70e2e4bff2f717fa6fb0f9029b7449366c837631ed9aa9cbda389