Analysis
-
max time kernel: 144s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 16:19
Static task: static1
Behavioral task: behavioral1
Sample: 74f42b1bc557572f11e9a450c0a0a232.exe
Resource: win7-20231215-en
General
-
Target: 74f42b1bc557572f11e9a450c0a0a232.exe
Size: 3.6MB
MD5: 74f42b1bc557572f11e9a450c0a0a232
SHA1: 33190f5cd1b03c6439b6bc8289b054c85ffdc0ef
SHA256: aa8764c82ac6963672dfd4f3c25bf248108f435eb5d464ad2902000546a765be
SHA512: 99eea1b9bcb448131f8d17bb67a4967583adc4fbfc8c532fd688ad29d3798094472996e117f1aeba3090c11da41a3ddf43513c4da38c15b573c3cbe6a7f75f16
SSDEEP: 98304:gt03hK/8jmL4pXPIPc1WY6I+e1nutwE/5Ql21T6:1K/0mMlHZ+e1b/U6
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes: 74f42b1bc557572f11e9a450c0a0a232.exe, WinDef.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 74f42b1bc557572f11e9a450c0a0a232.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | WinDef.exe
-
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 74f42b1bc557572f11e9a450c0a0a232.exe, WinDef.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 74f42b1bc557572f11e9a450c0a0a232.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | WinDef.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | WinDef.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 74f42b1bc557572f11e9a450c0a0a232.exe
-
Drops startup file (1 IoC)
Processes: 74f42b1bc557572f11e9a450c0a0a232.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinDef.lnk | 74f42b1bc557572f11e9a450c0a0a232.exe
-
Executes dropped EXE (1 IoC)
Processes: WinDef.exe
pid | process
2812 | WinDef.exe
-
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 74f42b1bc557572f11e9a450c0a0a232.exe, WinDef.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Wine | 74f42b1bc557572f11e9a450c0a0a232.exe
Key opened | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Wine | WinDef.exe
-
Loads dropped DLL (2 IoCs)
Processes: 74f42b1bc557572f11e9a450c0a0a232.exe
pid | process
2324 | 74f42b1bc557572f11e9a450c0a0a232.exe
2324 | 74f42b1bc557572f11e9a450c0a0a232.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: 74f42b1bc557572f11e9a450c0a0a232.exe, WinDef.exe
pid | process
2324 | 74f42b1bc557572f11e9a450c0a0a232.exe
2812 | WinDef.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: WinDef.exe
pid | process
2812 | WinDef.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 74f42b1bc557572f11e9a450c0a0a232.exe, WinDef.exe
pid | process
2324 | 74f42b1bc557572f11e9a450c0a0a232.exe
2812 | WinDef.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 74f42b1bc557572f11e9a450c0a0a232.exe
description | pid | process | target process
PID 2324 wrote to memory of 2812 | 2324 | 74f42b1bc557572f11e9a450c0a0a232.exe | WinDef.exe
PID 2324 wrote to memory of 2812 | 2324 | 74f42b1bc557572f11e9a450c0a0a232.exe | WinDef.exe
PID 2324 wrote to memory of 2812 | 2324 | 74f42b1bc557572f11e9a450c0a0a232.exe | WinDef.exe
PID 2324 wrote to memory of 2812 | 2324 | 74f42b1bc557572f11e9a450c0a0a232.exe | WinDef.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\74f42b1bc557572f11e9a450c0a0a232.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\74f42b1bc557572f11e9a450c0a0a232.exe"
    PID: 2324
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Drops startup file
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Windows Def\WinDef.exe (child of PID 2324)
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Def\WinDef.exe"
        PID: 2812
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Windows Def\WinDef.exe
Filesize: 854KB
MD5: bc841e21558793a31c7ab9cb72a9bdd6
SHA1: 4dc73837115154a24a23c550ecefc2cdbc0859d0
SHA256: 058575125fc65957e04e3611b93fdace13e62dbbbfdfa6d24e66efffe7f696d0
SHA512: 5cad944aa75cf255f527676cca8d1389f987aab0114f7bee3b9d0ba05b7d8187115360234fa1c86e9775fd8f52dd58b129a22ff100ad6bd16f7666be61f20e7e
-
C:\Users\Admin\AppData\Roaming\Windows Def\WinDef.exe
Filesize: 683KB
MD5: f5b9f04bbbcdfec646e26aef7720e42c
SHA1: c03bce60d999aaaa72ecf75bb67c250722487562
SHA256: 22302f3aaa3e553cd1190f26271b1a2b921faa74269f54a537cba0ce68c4265c
SHA512: f021c1de53684eb9611f53cb6b570182f9b91ea2d35dabe2a7642019853d99926032d3d488e42380fa1496b9aed6f012db65d79bfa7d93b9c08d554f63746748
-
\Users\Admin\AppData\Roaming\Windows Def\WinDef.exe
Filesize: 2.3MB
MD5: c956e4cf3c100e0826c4c90801cb3e08
SHA1: 2a3e50d46cb9e6ad7916de6593b11047e5daac10
SHA256: f4ad144fe3debacf4a09d120697facd4e41b081b1923ad5c006740c9731a8529
SHA512: e0adb331b61c43fb00fb7c92f05169afd1f5b39ae2a830ee11eb6d9aed2cae047dcefed644df6fb53b5b62ff12b37dc35adc5c379261c0c83b50c3c4b578fb1a
-
\Users\Admin\AppData\Roaming\Windows Def\WinDef.exe
Filesize: 489KB
MD5: a5a09a7891e2a6b51453c3d5ae0938fe
SHA1: f7c36f9a9a1a85f6fe3bd5f0325ff76c9389265b
SHA256: 59b57eb413abddccbedb27bbf11735d3e1c4767a110af4755a7c6ae78937c643
SHA512: 5a617129c54767bfecc8bc8300956dd55c21baf4703d88081f26447bba6ebff671c5d6b029b9c53bb7b75f2175c1cba7f5e615603724fc3606fd45721b2db0fa
-
memory/2324-7-0x0000000000290000-0x0000000000291000-memory.dmp  Filesize: 4KB
memory/2324-3-0x00000000002D0000-0x0000000000B1F000-memory.dmp  Filesize: 8.3MB
memory/2324-8-0x0000000000B50000-0x0000000000B51000-memory.dmp  Filesize: 4KB
memory/2324-0-0x00000000002D0000-0x0000000000B1F000-memory.dmp  Filesize: 8.3MB
memory/2324-6-0x0000000000C90000-0x0000000000C91000-memory.dmp  Filesize: 4KB
memory/2324-5-0x0000000000C80000-0x0000000000C81000-memory.dmp  Filesize: 4KB
memory/2324-4-0x0000000000B60000-0x0000000000B61000-memory.dmp  Filesize: 4KB
memory/2324-11-0x00000000002A0000-0x00000000002A1000-memory.dmp  Filesize: 4KB
memory/2324-16-0x00000000001C0000-0x00000000001D0000-memory.dmp  Filesize: 64KB
memory/2324-21-0x00000000002D0000-0x0000000000B1F000-memory.dmp  Filesize: 8.3MB
memory/2324-10-0x0000000000CA0000-0x0000000000CA1000-memory.dmp  Filesize: 4KB
memory/2324-22-0x0000000003840000-0x000000000408F000-memory.dmp  Filesize: 8.3MB
memory/2324-1-0x0000000077480000-0x0000000077482000-memory.dmp  Filesize: 8KB
memory/2324-9-0x0000000000B20000-0x0000000000B21000-memory.dmp  Filesize: 4KB
memory/2812-32-0x0000000000910000-0x0000000000911000-memory.dmp  Filesize: 4KB
memory/2812-24-0x0000000000FD0000-0x000000000181F000-memory.dmp  Filesize: 8.3MB
memory/2812-28-0x0000000000830000-0x0000000000831000-memory.dmp  Filesize: 4KB
memory/2812-35-0x0000000000900000-0x0000000000901000-memory.dmp  Filesize: 4KB
memory/2812-34-0x00000000008F0000-0x00000000008F1000-memory.dmp  Filesize: 4KB
memory/2812-33-0x0000000000840000-0x0000000000841000-memory.dmp  Filesize: 4KB
memory/2812-23-0x0000000000FD0000-0x000000000181F000-memory.dmp  Filesize: 8.3MB
memory/2812-31-0x00000000008E0000-0x00000000008E1000-memory.dmp  Filesize: 4KB
memory/2812-30-0x0000000000860000-0x0000000000861000-memory.dmp  Filesize: 4KB
memory/2812-29-0x0000000000890000-0x0000000000891000-memory.dmp  Filesize: 4KB
memory/2812-27-0x00000000008D0000-0x00000000008D1000-memory.dmp  Filesize: 4KB
memory/2812-26-0x00000000008C0000-0x00000000008C1000-memory.dmp  Filesize: 4KB
memory/2812-25-0x00000000008A0000-0x00000000008A1000-memory.dmp  Filesize: 4KB