Analysis
-
max time kernel
202s -
max time network
221s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
29/12/2023, 18:39
General
-
Target
00b971d443106183dbe2308cff654e3c.exe
-
Size
3.9MB
-
MD5
00b971d443106183dbe2308cff654e3c
-
SHA1
0948366ce35772c9597b103ef1f7e00cef10c9f1
-
SHA256
cc799dd39fb2eb445a2a18f0b391128c80a4cea750c431285c51e01f9c3a63ca
-
SHA512
c25307c259a9ae58005474e03faaa27c341ba22912457320208f6637546f413a2d4a623125e656d3ee8d5d8e54c809fc45920bf69a3ac58d9deac437ebc3516f
-
SSDEEP
98304:ocF1n/O0N9bT4NW5xbrdsG2h03FkBA8xtvLsESNL5Hvx1:oc3OU+YH1sWmBA8PL2L5H5
Malware Config
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Drops file in Drivers directory 10 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks system information in the registry 2 TTPs 1 IoCs
System information is often read in order to detect sandboxing environments.
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Modifies registry class 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: LoadsDriver 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\00b971d443106183dbe2308cff654e3c.exe"C:\Users\Admin\AppData\Local\Temp\00b971d443106183dbe2308cff654e3c.exe"1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks system information in the registry
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ADBlock\AppData\ADBlockSvc.exe"C:\Users\Admin\AppData\Roaming\ADBlock\AppData\ADBlockSvc.exe" -Service2⤵
- Executes dropped EXE
- Modifies registry class
-
-
C:\Users\Admin\AppData\Roaming\ADBlock\AppData\ADBlockSvc.exe"C:\Users\Admin\AppData\Roaming\ADBlock\AppData\ADBlockSvc.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
149KB
MD583b89f9eeefd19d65d8d9f9cd24514df
SHA1701e49832e8057a53e0e371761e5e65b67ecadc3
SHA256a3975b18bd0e85db2e39f9252c1f83d04ed37869932326cf41a02158a051ba2e
SHA51241a6c201d1ed93aadcfdc8cb8aa1e920dc98a592a233ad6730f185f4274b021ef0afe3853ba18889dfa3e38ae36b648b2e5631147266ff4da9312ee5edc7413d
-
Filesize
112B
MD5279d819f0bb248ceda8bb55b91153b4f
SHA139d7ce6d55fed8e41ce760ce7268b35d5f863534
SHA256c0942cb5ba14d1112a69771a9b1c50c2c93f259dcc6cf7e3fb6856d49770d173
SHA5124995dd660d77ffec5ddf4272f63b147244f86b5d5d9b829c69a6668969f5eb1b0f71776b98a762372690fcff44022b22868a0f28355a56cf1d41a826f1681204
-
Filesize
50KB
MD54e744187308af0d000038beb1d8586ea
SHA11f5904fe4a12850b0a93d2b46b39303424180252
SHA2563393e2a296bcbb2c25f129bbaabc4db4a7d71bfe0995f2ee515d3443247a2aff
SHA51270531db5acfb4a58dd6e212065bed165e001da7364a835db2d4ceeb7bbd8aa89ef0c8867e9c1c0802f53da47f2084a988deff15ae1b846a1ecdc8834ecbde6b5
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
7.9MB