Analysis
Max time kernel: 118s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 28/02/2024, 08:04
Static task: static1
Behavioral task: behavioral1
Sample: 691ef3891d5c155f2689647f2c441617.exe
Resource: win7-20240221-en
General
Target: 691ef3891d5c155f2689647f2c441617.exe
Size: 4.1MB
MD5: 691ef3891d5c155f2689647f2c441617
SHA1: 03252b08cea28b39026ead3ee95f9d3db3acf3ce
SHA256: bfbf60a70d1dbdd452f3b3bc819ce5804b5fc4baa028af084c2e84abaf73bb65
SHA512: 37f9e6c9ab03ceee528f8eab910d2ddaf8822a6c28bdb8b3129996120d50c4d51358482e14d8d4e90d3ef2e8a08cda5f36cd1109e0129998243e89806dc34960
SSDEEP: 98304:rJwI8rhd38BxuBCgbL5KWnsdZButFXK/IUCccYZPAxFe:GECwgQYspAF6/IjccYGF
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 691ef3891d5c155f2689647f2c441617.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 691ef3891d5c155f2689647f2c441617.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 691ef3891d5c155f2689647f2c441617.exe)

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe (process: 691ef3891d5c155f2689647f2c441617.exe)

Executes dropped EXE (1 IoC)
- PID 520: qemu-ga.exe

Loads dropped DLL (1 IoC)
- PID 2828: 691ef3891d5c155f2689647f2c441617.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 691ef3891d5c155f2689647f2c441617.exe)

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PhysicalDrive0 (process: 691ef3891d5c155f2689647f2c441617.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
- PID 2828: 691ef3891d5c155f2689647f2c441617.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2828: 691ef3891d5c155f2689647f2c441617.exe
- PID 2828: 691ef3891d5c155f2689647f2c441617.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 2828: 691ef3891d5c155f2689647f2c441617.exe

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2828 wrote to memory of 520 (PID 2828: 691ef3891d5c155f2689647f2c441617.exe, procid_target 29)
- PID 2828 wrote to memory of 520 (PID 2828: 691ef3891d5c155f2689647f2c441617.exe, procid_target 29)
- PID 2828 wrote to memory of 520 (PID 2828: 691ef3891d5c155f2689647f2c441617.exe, procid_target 29)
- PID 2828 wrote to memory of 520 (PID 2828: 691ef3891d5c155f2689647f2c441617.exe, procid_target 29)
Processes

C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe (PID 2828)
Command line: "C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Child process:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe (PID 520)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4KB
MD5: a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1: 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256: 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512: 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79