Analysis
-
max time kernel
144s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
04/02/2024, 02:50
General
-
Target
8e081d3901f30f5321c79369bbb997e0.exe
-
Size
12.7MB
-
MD5
8e081d3901f30f5321c79369bbb997e0
-
SHA1
7a0a80766d68c7ab38cce48159fe48a16231a2ee
-
SHA256
554729ae75205b4a24a3c0e22912fc09499dc4425cbb92ca0a6e55141007d3a8
-
SHA512
a37692f82b2a825a0291dac39aca8795f5e015655d1f4856c5fa0797add1ed788c4f83521a00e09209f0bc432af2a672bee85856af3f96c71c8cb2651e3c9582
-
SSDEEP
196608:9bh15jaVD7jQILCAR3wdQ4UwhwpQPoj7+f7ywxRnU1wqJ1Nk:715jsD7l3wK4UwaVGf7ywxRnUOqJ1Nk
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e081d3901f30f5321c79369bbb997e0.exe"C:\Users\Admin\AppData\Local\Temp\8e081d3901f30f5321c79369bbb997e0.exe"1⤵
- UAC bypass
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\dmxhbvxt\bkezjzwjmi.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\dmxhbvxt\bkezjzwjmi.exeC:\Windows\dmxhbvxt\bkezjzwjmi.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 4164⤵
- Loads dropped DLL
- Program crash
-
-
-
-
C:\Windows\system32\msiexec.exemsiexec /x {6444D213-9395-442A-A7D8-EAFEA7948BA7} /qn2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\mokill.bat" "2⤵
- Deletes itself
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b7ed10942179d0fa1031d2f129cb23a3
SHA1aa2d78243f7471cdee0383adb7dde3de0dd5a2d7
SHA2561e7c54944203087bda435c1cea199e1896b0b950933980f5227cc5025cee2ee8
SHA5124f105853cf577b3c1436b1d95df0eaacd4de04ef519608e7a5b9b19bc4d972ebfa7037ea0eec32b1e68dd72e6c4d1c1de1fb229972ca7244b6f8f62ffde2f8ef
-
Filesize
253B
MD535b63538e82264b02b22e7d77af6874f
SHA1ffe1f4655285e7b42460c1237c011e62fc91a088
SHA256e21d199219d5d5bfa54ea6f34c97b6fc9bbb3c9b607b8442289e179a3811b278
SHA51215eb6d22d5ca77b517c5e8aa3a946aeb8def352ab9bdcb0689ef469840906293ed3337e1a349358f9ffbcefc7f72b935a3f25b71c2a5c66cf89fa5f8fe6d4d39
-
Filesize
50B
MD545218adff3ea5bde8a8f61987f0f458b
SHA1cf7fffa410795cc2f7703755f0acd17b51a44ad7
SHA256f95361b82464704675f559b13c007c9567e5914984042f537122383e747194d4
SHA5128442cac48931075ec5bd31ea82faffc4f64d7b6845d5c477d06fc3d7eefeac1fa366b6880a85709a520a343b5dd3771e69bc4b7482cde50e69e04215927a2018
-
Filesize
918KB
MD53d1c1bc12e25be579cf4641972873989
SHA1605e641253c48db4ec07cbf716811247a9d2dca9
SHA2563029a39c563299b88cdef41f33a48c3f952cc33b8f819baec4a16c118b6bfd9b
SHA512d8c4f14bdd7d4635b5ad23d2e3776df16a0ce639f07b58785af276abfac603ebbf0ace640aa10a798ce7b3f13363a9a23a06c930b646fe9d882e029f6e6854a0
-
Filesize
1.1MB
MD5f88492af772a9fba20b2052714dfd164
SHA1c1cb4cee3ed1851c417f109e28738d63aa8e8777
SHA2567fd3d2039c43b0f72dc7500dfb9925bb1fa8d41338d28a39c0b667a39b62545e
SHA512d273b1960e23be6832ed36746a87b0b37c292a4875f6f14d55a8a3b7e33f42cefc62b93d1ab6f9802e45cfd92d32667a74a6976a3ec27c8571cd42d7df6b9a0c
-
Filesize
5KB
MD503b4dd6e3d7e81219042c2e0646d2a1c
SHA1fa014cc04374d86805967d9efeea73ae3f8bc91e
SHA256e0790fb30eeec59cfabb9fdcb61995c956084c367b77beaba2e93bd0a46fcfed
SHA51229239e7e91b3a94f4cc4d6f8649260b1fd1b7c47e72997076b43ec7e9ab037f332462b46825f8b0a621715ed0864763d8017b2c476a3deef1b41c4910ad9fd17
-
Filesize
528KB
MD5f2facc69291fc0255f70ed47d1e5594f
SHA1a5f8e9e2dce36190a1cb1375714b02c284cca67e
SHA256d3af65983d2aa48478815fc06d985b96ada752a20ad422fd75948f5c202d930d
SHA5122390f985124266615be86e0ba58ace4fdb6cc215c67f5d84f18e8abfdb53a4e5cc13ffee6543752e6e907d8e3f4205e3ca6465b8057ff25d6c896674ade4d5df
-
Filesize
642KB
MD588f93220c114ac82e9807ff9c66a8537
SHA1226c2f9dead9254ad0b535c909251ae9c8100a59
SHA256b905e5f7905670be8a570cc3e95ff2f35c178dfe8a7632a7f3b0529e14b62c29
SHA51297748cd71faa4d389a412e6c5dfd89aa54654e9a39764978288060eafcbb17c798736236e46a3eb4ca317ed1563bf2a1df56ff86d2f574a2c74f48b08a94de08
-
Filesize
572KB
MD5bf64ec6548055f2044a48bcf563ddd3b
SHA192a497debc878b3d318b1c66918394d71c8b443d
SHA2563016accb98190db0633635ce7bb63051eb64eb80cf0e8e6f3e9e2e455c0f76f4
SHA51293244fcc585a61c529cbb9b2eb62fa8d0c0284d05cb39807a5c18aa52b64ba8b856b35318808ba20164f4548651a75550027080209573801dce008b1d3b5bf0a
-
Filesize
355KB
MD5507ff854c20e5bbd74522658301d9963
SHA1fc4ce727781071fa40f850222ae5626b0fc6d254
SHA256a2cca1ec9ad05548f1479c4c02a6457c819e35642c3a6fe8e2a4b770bd2355ff
SHA5128a5d9619b5710ee2d51203f766484c8e8d95ce865fee89bb5375773f36aa661f7a401c9d3cdbcc98d497db9f3109138b621ea98301acf535bd839d7eb97c1f6f
-
Filesize
507KB
MD5442d89409b1075d995245451b0267c9e
SHA1ab39a0d96737d23a64474b13558a7624db56c557
SHA2567620647bc82d51c4674fd922e8d2ee15b2c830295b6b2db6c2e33c7a73e7e716
SHA512b17fccf0817c8d5f00b949dc45abc43c1bc1ce15b4e1b5732b9ded090526f8c82600007b5b6b5248dae39f38e369a859e12137c3fc0e689bf348631b3552d19e
-
Filesize
272KB
MD5e692a2f3f7e1a01e22e8aa6076132437
SHA139ada15e42b04aa996611002415452b0919bcd47
SHA256c302911dcb2e700acae20f7734e10dd6e7fed99699820c2c2c5332d77652a3a6
SHA5122fe2c5f9011189dd16002c1daccefcaafdd47cc00014caa3243e0501aa838fa3e1b5bfdd68e74dec706979c211fc0224de7d0c727f7c19c2c8aaf537852775fe
-
Filesize
477KB
MD5ca5a6952b6c116b75328615b11997a42
SHA18284411ceda0e55eb4125ec43d8a807781861988
SHA256fb3ddc31c7c6b9b36fd8e588ce82c98d2de274df735dc9590363ccb1655b382d
SHA512ade74cf4eb598b39da52733fb45506045ee6e17d189c108a3efd4cba278ad4d7be3b7104d65507c1af8c8a7b226161e5845e1f4da1d1b2a828288edb9df19572
-
Filesize
13.0MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
13.0MB
-
Filesize
13.0MB
-
Filesize
13.0MB
-
Filesize
1.7MB
-
Filesize
13.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.8MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.8MB