Analysis
  max time kernel: 150s
  max time network: 140s
  platform: windows10-1703_x64
  resource: win10-20231215-en
  resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
  submitted: 12-02-2024 20:20
Behavioral task
  behavioral1
  Sample: hahahahahahahahahahahahah/cheeto.exe
  Resource: win10-20231215-en
General
  Target: hahahahahahahahahahahahah/login.exe
  Size: 429KB
  MD5: b88444cf2c03ce4efe2a1608a379ee53
  SHA1: 68d9285ee72288656c258cf9db9c564226a48ddb
  SHA256: d70e292a21ebc5ca1675ca585bcae52a51aad4bcee9bbbaf44b0a2cc635b64c7
  SHA512: 7c9e116a417f2a15d2ca3f70b61697c9e34b6131b12221032cde9d64c41993f6f8cfa34196ed99122aa34d59159955d6362827f0d4eee1688bce465539e8d633
  SSDEEP: 12288:Zt5NpMGK6Ia5Jr4IQAvq3eSKXvVZhuwxHvh:Zt5NGGzIo3QSqOS+VZhT
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes: loader.exe
    description   ioc                                            process
    Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    loader.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: loader.exe
    description         ioc                                                                process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    loader.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     loader.exe

Executes dropped EXE (1 IoC)
  Processes: loader.exe
    pid    process
    4148   loader.exe

YARA rule match: themida
  Processes:
    resource                                                                        yara_rule
    C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe                              themida
    behavioral2/memory/4148-4-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp      themida
    behavioral2/memory/4148-6-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp      themida
    behavioral2/memory/4148-7-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp      themida
    behavioral2/memory/4148-8-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp      themida
    behavioral2/memory/4148-10-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp     themida
    behavioral2/memory/4148-9-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp      themida
    behavioral2/memory/4148-11-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp     themida
    behavioral2/memory/4148-12-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp     themida
    behavioral2/memory/4148-13-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp     themida
    behavioral2/memory/4148-16-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp     themida
    behavioral2/memory/4148-18-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp     themida

Checks whether UAC is enabled (1 IoC)
  Processes: loader.exe
    description         ioc                                                                                 process
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: loader.exe
    pid    process
    4148   loader.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: loader.exe
    pid    process
    4148   loader.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: loader.exe
    pid    process
    4148   loader.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: login.exe, cmd.exe, loader.exe, cmd.exe
    description                        pid    process      target process
    PID 196 wrote to memory of 884     196    login.exe    cmd.exe
    PID 196 wrote to memory of 884     196    login.exe    cmd.exe
    PID 884 wrote to memory of 4148    884    cmd.exe      loader.exe
    PID 884 wrote to memory of 4148    884    cmd.exe      loader.exe
    PID 4148 wrote to memory of 3996   4148   loader.exe   cmd.exe
    PID 4148 wrote to memory of 3996   4148   loader.exe   cmd.exe
    PID 3996 wrote to memory of 4516   3996   cmd.exe      certutil.exe
    PID 3996 wrote to memory of 4516   3996   cmd.exe      certutil.exe
    PID 3996 wrote to memory of 2692   3996   cmd.exe      find.exe
    PID 3996 wrote to memory of 2692   3996   cmd.exe      find.exe
    PID 3996 wrote to memory of 600    3996   cmd.exe      find.exe
    PID 3996 wrote to memory of 600    3996   cmd.exe      find.exe
Processes (process tree; indentation shows parent/child depth)

  [1] C:\Users\Admin\AppData\Local\Temp\hahahahahahahahahahahahah\login.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\hahahahahahahahahahahahah\login.exe"
      PID: 196
      - Suspicious use of WriteProcessMemory

      [2] C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
          PID: 884
          - Suspicious use of WriteProcessMemory

          [3] C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
              command line: C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
              PID: 4148
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Checks BIOS information in registry
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

              [4] C:\Windows\system32\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
                  PID: 3996
                  - Suspicious use of WriteProcessMemory

                  [5] C:\Windows\system32\certutil.exe
                      command line: certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5
                      PID: 4516

                  [5] C:\Windows\system32\find.exe
                      command line: find /i /v "md5"
                      PID: 2692

                  [5] C:\Windows\system32\find.exe
                      command line: find /i /v "certutil"
                      PID: 600
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 4.1MB
  MD5: 9ecdc9ed1bea6c226f92d740d43400b9
  SHA1: b5b5066cd4284733d8c3f3d7de3ca6653091ae10
  SHA256: 60c57f14c2e0e0df0bda16646b21dddceaee0159dafbbb8daba310d4e1b5be6c
  SHA512: 30bc705a2438288e3647d5adfc6119d751823970972b9c6b39a60384a2b7ac261986026b8d1c0b0ca7ee3d7e95363c97b873fdc5fad4096c903cb4e15bf57e43