16c51826c4a6070da0f0a6762723d82bdc66e2453d591c2cdb0ae59e1cd23213

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b8df6391b5a71ed0217ffc5367f0dec.exe
Size

518KB
MD5

8b8df6391b5a71ed0217ffc5367f0dec
SHA1

842c948438c132ae162024198fd6e616c170c259
SHA256

16c51826c4a6070da0f0a6762723d82bdc66e2453d591c2cdb0ae59e1cd23213
SHA512

75124d436c96ee6b2be1889d46e7da7b4aad771608bc5b0260f8727af6665d7525561a3ff1298427c6bf2fcfc576ada53b732d4a33274322b815f5adb90d94ce
SSDEEP

12288:dYvksw0qRRIKmn4YCs7LvMXtto1fJda+9EiBZSi:dYvksmRQt7UtuJLH9EiBZSi

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8b8df6391b5a71ed0217ffc5367f0dec.exe

Executes dropped EXE 1 IoCs

pid	Process
1628	s4069.exe

Loads dropped DLL 4 IoCs

pid	Process
2440	8b8df6391b5a71ed0217ffc5367f0dec.exe
2440	8b8df6391b5a71ed0217ffc5367f0dec.exe
2440	8b8df6391b5a71ed0217ffc5367f0dec.exe
2440	8b8df6391b5a71ed0217ffc5367f0dec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	8b8df6391b5a71ed0217ffc5367f0dec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	8b8df6391b5a71ed0217ffc5367f0dec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2440	8b8df6391b5a71ed0217ffc5367f0dec.exe
1628	s4069.exe
1628	s4069.exe
1628	s4069.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	s4069.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1628	s4069.exe
1628	s4069.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1628	2440	8b8df6391b5a71ed0217ffc5367f0dec.exe	28
PID 2440 wrote to memory of 1628	2440	8b8df6391b5a71ed0217ffc5367f0dec.exe	28
PID 2440 wrote to memory of 1628	2440	8b8df6391b5a71ed0217ffc5367f0dec.exe	28
PID 2440 wrote to memory of 1628	2440	8b8df6391b5a71ed0217ffc5367f0dec.exe	28

C:\Users\Admin\AppData\Local\Temp\8b8df6391b5a71ed0217ffc5367f0dec.exe
"C:\Users\Admin\AppData\Local\Temp\8b8df6391b5a71ed0217ffc5367f0dec.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\n4069\s4069.exe
  "C:\Users\Admin\AppData\Local\Temp\n4069\s4069.exe" 00bd1363c364c7accf5a993f5GV5FTCSKIYVcxi7XHSanDt7mNM8kAqOc9OtXJjGbL3XXpozjKBhwMomM6+0NleirbkyURCkOQXif4RWfdQgToVgVb3O/kKVF6VRM7J1dGlTsCvZkyxoi8scST6JpGJ5kq+s4PCmh75ROSwWnDSYwcti /v "C:\Users\Admin\AppData\Local\Temp\8b8df6391b5a71ed0217ffc5367f0dec.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\n4069\s4069.exe

Filesize
230KB

MD5
f6bf052647bbf9a0fc34da26907be904

SHA1
007955815a3f142fa279a04fdc360e7fb9b5a324

SHA256
bac01719e43d9019ec34d749dd76274c0e49843bd0c8789ac1df0a5850e4919d

SHA512
88b0d37f4615dbe6e277d3d32b9a82e76f8c7982367057d4c0697f73736b91fe2668adf13ce14867e256eb84a03846ed1566dd4ddf2745754b5ebcad2de24f9e

Download Submit
memory/1628-15-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/1628-16-0x0000000001EF0000-0x0000000001F70000-memory.dmp

Filesize
512KB

Download
memory/1628-32-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/1628-33-0x0000000001EF0000-0x0000000001F70000-memory.dmp

Filesize
512KB

Download
memory/1628-34-0x0000000001EF0000-0x0000000001F70000-memory.dmp

Filesize
512KB

Download
memory/1628-35-0x0000000001EF0000-0x0000000001F70000-memory.dmp

Filesize
512KB

Download
memory/1628-36-0x0000000001EF0000-0x0000000001F70000-memory.dmp

Filesize
512KB

Download
memory/1628-37-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/1628-38-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download