Analysis

max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 14:13
Static task: static1
Behavioral task: behavioral1
Sample: 74c738ec680d1ff87c135833211a88dd.exe
Resource: win7-20231215-en
General

Target: 74c738ec680d1ff87c135833211a88dd.exe
Size: 5.9MB
MD5: 74c738ec680d1ff87c135833211a88dd
SHA1: 12040b15530b5b80de79faa122d095341c388b60
SHA256: bcb6d900f86664d0a97e69510c99b519f26f376316e761fadf2a8ef4f672b975
SHA512: a002eaf05daa6b8826fb73fe4beef075c647ceb0a59198ae223329497b92487fd2a029ad0a7c1bd13656e02d9d22506a148dbe46733b89ed675b77c8aae07ad1
SSDEEP: 49152:VDIMT1Lr5k16MadwH/MiaK+zRHhHreL+lcTQxexi5rFN9rr1x0QDQcUhoecxyA+P:pm
Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Onion_2.84 (1)-cleaned.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Onion_2.84 (1)-cleaned.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Onion_2.84 (1)-cleaned.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | 74c738ec680d1ff87c135833211a88dd.exe

Executes dropped EXE (2 IoCs)
pid | Process
- 1928 | Onion_2.84 (1)-cleaned.exe
- 1856 | BLiTZ_v5.2_2.84_64_Bit_Fixed.EXE

Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
- Key opened | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Wine | Onion_2.84 (1)-cleaned.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Host = "C:\\Program Files (x86)\\SMTP Host\\smtphost.exe" | Onion_2.84 (1)-cleaned.exe
Checks whether UAC is enabled (1 IoCs)
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Onion_2.84 (1)-cleaned.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
- 1928 | Onion_2.84 (1)-cleaned.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
- File created | C:\Program Files (x86)\SMTP Host\smtphost.exe | Onion_2.84 (1)-cleaned.exe
- File opened for modification | C:\Program Files (x86)\SMTP Host\smtphost.exe | Onion_2.84 (1)-cleaned.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process
- 1928 | Onion_2.84 (1)-cleaned.exe (this row is recorded 9 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
- 1928 | Onion_2.84 (1)-cleaned.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 4924 | 74c738ec680d1ff87c135833211a88dd.exe
- Token: SeDebugPrivilege | 1928 | Onion_2.84 (1)-cleaned.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
- PID 4924 wrote to memory of 1928 | 4924 | 74c738ec680d1ff87c135833211a88dd.exe | 92 (this row is recorded 3 times)
- PID 4924 wrote to memory of 1856 | 4924 | 74c738ec680d1ff87c135833211a88dd.exe | 93 (this row is recorded 3 times)
Processes (tree; the bracketed number is the nesting level from the original report)

[1] C:\Users\Admin\AppData\Local\Temp\74c738ec680d1ff87c135833211a88dd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\74c738ec680d1ff87c135833211a88dd.exe"
    PID: 4924
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe"
        PID: 1928
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\BLiTZ_v5.2_2.84_64_Bit_Fixed.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp\BLiTZ_v5.2_2.84_64_Bit_Fixed.EXE"
        PID: 1856
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads