Analysis
-
max time kernel
148s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
12-02-2024 12:28
General
-
Target
97273d65603839cf542745359470e8ba.exe
-
Size
4.4MB
-
MD5
97273d65603839cf542745359470e8ba
-
SHA1
d96f1ec8be081e2226f4ca4384f5fcb9f4613f86
-
SHA256
51a9f6c8be826bf9b121848ee255138e73032e3a89f49c3a4d0ae35576e8f645
-
SHA512
1d2bc504969ebeaf9ff4c3dbc562d102976f11caf1f2abcceee23c3078178d241adea0e097c0521abf3872a486b8c0ad5aeeae273703a30f80387918093326b0
-
SSDEEP
98304:JeIt5UwFAoIQ5unMssx3MwCGN/g9Z+KRvubPBdK9+:JeECwF9qMF8Y/g9AjbPrM+
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Registers new Print Monitor 2 TTPs 5 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 14 IoCs
-
Modifies registry class 13 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\97273d65603839cf542745359470e8ba.exe"C:\Users\Admin\AppData\Local\Temp\97273d65603839cf542745359470e8ba.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Ñà×Ó¿ìµÝ´òÓ¡.exeC:\Users\Admin\AppData\Local\Temp\Ñà×Ó¿ìµÝ´òÓ¡.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net stop Spooler3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop Spooler4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Spooler5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start Spooler3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start Spooler4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start Spooler5⤵
-
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
- Registers new Print Monitor
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
1Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
104B
MD5eaec66468df2311967fe93bc594a4bc6
SHA101fc12c5a1311d6e27f7313723d6b5bb9458de68
SHA2567d42893ca9d4ea66f5a1a0207d3babf9553902706d62aca492fea43641153b61
SHA51241f55aaf719f22d1d31b246fea27928bac994234b9195fead14abadb959d47f26d7b0b6f8ee3d771ca5d36465287792585d1672771d815d71ba223a272887a31
-
Filesize
15KB
MD57955e2593b426a4ca9b44d10a8d9378e
SHA14651a0d6e2d826074327bd189e3edbec600d9395
SHA2561b3e4b567680e065dcc1fedb2a80503332263a0df8cd723aba460ee3246a9bb3
SHA512470f2da2cb1e342d521f74cc77c55d21843b78a4b099a38c8bd7fc3a6cf6eaaaf0dd4b6a279262080bc02dbbcae381e06e601c70a1a61ea9e23c7e3612ddc75b
-
Filesize
2.8MB
MD55225cc48720980008cd791a4bb08fa75
SHA188cc793b5fc36d313063bb96bd291634820938f7
SHA256db07216e51ef49704c9d57fd18db2cdb16d9e5a0ce21f3a5fa2260499e4d101b
SHA512fd537a973c9d100b56d4d85a2130906738ec86dda1236777ab48165ddf8e019ea65598fa6963090cd6ddfbf79adade73fdb18b07963ecaf425a2c76375487377
-
Filesize
4.4MB
MD597273d65603839cf542745359470e8ba
SHA1d96f1ec8be081e2226f4ca4384f5fcb9f4613f86
SHA25651a9f6c8be826bf9b121848ee255138e73032e3a89f49c3a4d0ae35576e8f645
SHA5121d2bc504969ebeaf9ff4c3dbc562d102976f11caf1f2abcceee23c3078178d241adea0e097c0521abf3872a486b8c0ad5aeeae273703a30f80387918093326b0
-
Filesize
29B
MD5e5dd6eda8fb744cb786490b10fe19551
SHA1011eb525d86573255c0b6853172f4999f99bfe8a
SHA2562759ea8baa1346689681af8d8857e86a73cbca38513a884043b6f7110cbc553f
SHA51250ea43330b9ba3c28d2948230d029bd2ea35b0185fc5ec2a84873a932fa25f80817e428ef289abf9f4423bbbd4d6fda933699f2694968079f7d84a163676e280
-
Filesize
1.5MB
MD516f5e0c82c09ab5ebbef52d7c3661ad9
SHA12615a0302d9423fd75fcd68bdd6bf80b4c95bec7
SHA25678d12fa91d9af7453d1d7e26ac64a71e7c46b1042aaaeccfc6fabd406bec615f
SHA512e0ff67dff82daf25680caf31e6e35342ca3807377728597bf59b7bc58926db5e61cd93ead195ae17d7380fc9689efb15641ebf85322f242f22cdd70fc51fbbf7
-
Filesize
4KB
-
Filesize
10.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
8KB
-
Filesize
10.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
10.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB