15f46616c3436a2d2f09f71c4be62d0726a579d4dcae837935e1e871eba676d5

General

Target

4f2979559793665fa1c694d159dd1757.exe
Size

532KB
MD5

4f2979559793665fa1c694d159dd1757
SHA1

ebf66389ffff971935bdec9e866504bb8262c01b
SHA256

15f46616c3436a2d2f09f71c4be62d0726a579d4dcae837935e1e871eba676d5
SHA512

362404dc425703b756507bca7020a360e02990e9294e44e17284df0d960ededd4f0ddea65705213e2513cc6b7ff8499d8e3dba3bec7c1055aa059e4b7f24f0e8
SSDEEP

12288:tXf2DMo6GCfdog22HXrFy+344+E9OsDYMbWMKyH/rexOww97v:tv2DBCVx5y+3RxDYv9UCxOwwR

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4f2979559793665fa1c694d159dd1757.exe

Executes dropped EXE 1 IoCs

pid	Process
2664	s1634.exe

Loads dropped DLL 4 IoCs

pid	Process
1360	4f2979559793665fa1c694d159dd1757.exe
1360	4f2979559793665fa1c694d159dd1757.exe
1360	4f2979559793665fa1c694d159dd1757.exe
1360	4f2979559793665fa1c694d159dd1757.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	4f2979559793665fa1c694d159dd1757.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	4f2979559793665fa1c694d159dd1757.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	s1634.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s1634.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s1634.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s1634.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1360	4f2979559793665fa1c694d159dd1757.exe
2664	s1634.exe
2664	s1634.exe
2664	s1634.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	s1634.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2664	s1634.exe
2664	s1634.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 2664	1360	4f2979559793665fa1c694d159dd1757.exe	23
PID 1360 wrote to memory of 2664	1360	4f2979559793665fa1c694d159dd1757.exe	23
PID 1360 wrote to memory of 2664	1360	4f2979559793665fa1c694d159dd1757.exe	23
PID 1360 wrote to memory of 2664	1360	4f2979559793665fa1c694d159dd1757.exe	23

C:\Users\Admin\AppData\Local\Temp\4f2979559793665fa1c694d159dd1757.exe
"C:\Users\Admin\AppData\Local\Temp\4f2979559793665fa1c694d159dd1757.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\n1634\s1634.exe
  "C:\Users\Admin\AppData\Local\Temp\n1634\s1634.exe" a558d1df9a7bc50f1893b088bmR79cFR5dToYz4X3wU28wvMsDVQZpr2kQ7P0GL0dJnq83Y+vLdASDDkRi2tsTiV2m2OLT5MaLsVgEOyFUz2zyaHBtQ6CMONwSeQuXScIoBWoVuOsRZXCZxFw+jMySWfBWpBbhdbOyLexW/SdZOeSe0= /v "C:\Users\Admin\AppData\Local\Temp\4f2979559793665fa1c694d159dd1757.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab5F51.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar600F.tmp

Filesize
43KB

MD5
9003bf779d0244a849e0294c65b805d8

SHA1
fe7a4ebc4c5436948cea7467de7788aff9b1e74e

SHA256
bff01c310531e6a67bb15788ace498ea3fd841f79054864231a311ab4b106109

SHA512
0783b7fd4f0fee48797c3aa0406668620a6b3ca8b656b767ddd41bf971f4bff9d5a02ef45cd464abc8c2d35c292697e8417de06f071bbbd772888deb9dc85006

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1634\s1634.exe

Filesize
43KB

MD5
93935c134acf14f840de77bc80c956af

SHA1
769730780454e981f43a45a319edea94c86be19f

SHA256
74daedf301f5b07c0cd42dd73761c280518385030577586fec1a076a724d1e51

SHA512
06e1852e4bd9b845b8c175968781b257fcfe733c22255311e1f281c7e7730b4274f0ee4ed10f67db7ceb1c8bc3b525589554484a4eda5362b8f21af5008eab20

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1634\s1634.exe

Filesize
66KB

MD5
5281c3892042970400e55ef8f7666cf8

SHA1
c81ef8407f370af6c1c54e40b1082f75215ba3ad

SHA256
985c224b37b2a0b94f19872651d2a8c2f29aa2863aa70c5ecc6d2963ff84008c

SHA512
d72691f6ae11cc665ae775795fa81715b85223aa640c794ff702ce0cafa63e04dc29f666234b0fba36d61b224c57f9a0cda96290b3bd0b9039b1cc9a03d2cf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1634\s1634.exe

Filesize
174KB

MD5
e14a5d1a3079d2cc41402e9970592efd

SHA1
e9e2110193b3b7503e604b22e6d6110fb4b1090e

SHA256
46a9ae21b164e4146b78893b8f39c8f6d68c87a0e4f6bfc5f3c9e03cacc3c23a

SHA512
086c4bfdd8a220152321b2753214318cee9e407cf4a1a54ed6c3ea3a41ff217f0ecb959e37d2c44902b6f0136ab0bddb356110b198eea0337435ae19e117070f

Download Submit
\Users\Admin\AppData\Local\Temp\n1634\s1634.exe

Filesize
12KB

MD5
60beeda3f0b3da25d2b3fc8a37b69398

SHA1
0f3940600ea47b4d02d793417699de32504932a8

SHA256
862f0445511d11267e724ed24c47381bf729001bc86c27297a25f9a76559ba06

SHA512
00f946c420d623e5e5f6a852f15ebc6e98077826f71db8586f2e1870fea1814a7c99f6db3d4fda07b35ae0fb3d8a1d93a422550c65118f1d1936e72a8254b006

Download Submit
\Users\Admin\AppData\Local\Temp\n1634\s1634.exe

Filesize
92KB

MD5
1e0bfb496fda17795712bbb8f02e21ff

SHA1
00d9d3ee10fa8f28258100b79ad6bb4ab31a36a0

SHA256
e9c013870add4ad85a542d07ae209eca743e3991055f8e951f3487dd09948124

SHA512
e37a9993ec0b7fdc1e4c050b85990888f6da23bf29d64e42529670af81733a8e6c913934f8364c02eb89b6820c2449887a81114ab475c00e5a550530ebfc9752

Download Submit
\Users\Admin\AppData\Local\Temp\n1634\s1634.exe

Filesize
80KB

MD5
ca90455bae49969cf8d31cb252fecc61

SHA1
e64c8fa970090605690b5f8d537d94530a0b3df7

SHA256
55a91cf5c51ee5fad2237961a43f54dc003ed4e45fd1f467fba57f7225db65cf

SHA512
417ba2186b2e74f5a97155507469e9cb6c6699c4035f40a22077c212d9f9cccce3db8eb83f264c428488c4cf3e71b509e42400fdabd5f659ce95d979b0fe460f

Download Submit
memory/2664-148-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2664-23-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2664-22-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2664-151-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2664-150-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2664-149-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2664-153-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2664-152-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2664-156-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2664-155-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2664-154-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2664-157-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads