0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82

General

Target

0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe
Size

538KB
MD5

9cc7e43b48932058a36bd0e355c4cef5
SHA1

2a6b4a44c2d205e21ba6cf99a9796509af9ddeda
SHA256

0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82
SHA512

a17b3e8e754bc762d9ae76720d849bd628b3125082e23690895f53718a2f6ef3f34f126c428c710c77e1159b080a63fcadf6c10a76db5ec3801bba37f8bf8d77
SSDEEP

12288:yw5GtYhUAXlTu2cTRu7oMe3cfL8YdtntpFUrhV2X8NI:V5Gt8lTQTgMn0LLdtmrs8K

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe

Executes dropped EXE 1 IoCs

pid	Process
952	s9538.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	s9538.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	s9538.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	s9538.exe
File created	C:\Windows\assembly\Desktop.ini	s9538.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	s9538.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4292	3336	WerFault.exe	86

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3336	0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe
3336	0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe
952	s9538.exe
952	s9538.exe
952	s9538.exe
952	s9538.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	952	s9538.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
952	s9538.exe
952	s9538.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 952	3336	0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe	87
PID 3336 wrote to memory of 952	3336	0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe	87

C:\Users\Admin\AppData\Local\Temp\0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe
"C:\Users\Admin\AppData\Local\Temp\0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Users\Admin\AppData\Local\Temp\n9538\s9538.exe
  "C:\Users\Admin\AppData\Local\Temp\n9538\s9538.exe" ins.exe /e 12848797 /u 5280fdf5-b928-4cc4-9510-17bb0a000013 /h 05e0fa.api.socdn.com /v "C:\Users\Admin\AppData\Local\Temp\0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 3844
  2⤵
  - Program crash
  PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3336 -ip 3336
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n9538\s9538.exe

Filesize
343KB

MD5
de5c4ed5ba45abadbcc0861912fe89a1

SHA1
80bd4759952944735e0c82bcc00aa15516e95a90

SHA256
e143ac3ab06b1ffdaaca5f025564a7a7a57ac10ca5cb83fdfcc4527dfdf396a2

SHA512
90f886f9f533d00a4f7c7547bc554dd6b274bccf3ba93eeba9b3351f9bceb0c9c55ebf4af72cc59d422b0e803152986643fa2366691117d48bcc667ce84218a2

Download Submit
memory/952-14-0x00007FFC2C440000-0x00007FFC2CDE1000-memory.dmp

Filesize
9.6MB

Download
memory/952-15-0x00000000013F0000-0x0000000001400000-memory.dmp

Filesize
64KB

Download
memory/952-24-0x000000001BE80000-0x000000001BE8E000-memory.dmp

Filesize
56KB

Download
memory/952-27-0x000000001C710000-0x000000001CBDE000-memory.dmp

Filesize
4.8MB

Download
memory/952-28-0x000000001CC80000-0x000000001CD1C000-memory.dmp

Filesize
624KB

Download
memory/952-29-0x000000001D010000-0x000000001D072000-memory.dmp

Filesize
392KB

Download
memory/952-30-0x00000000013F0000-0x0000000001400000-memory.dmp

Filesize
64KB

Download
memory/952-31-0x00000000013F0000-0x0000000001400000-memory.dmp

Filesize
64KB

Download
memory/952-32-0x000000001C1F0000-0x000000001C1F8000-memory.dmp

Filesize
32KB

Download
memory/952-33-0x00000000013F0000-0x0000000001400000-memory.dmp

Filesize
64KB

Download
memory/952-34-0x00000000013F0000-0x0000000001400000-memory.dmp

Filesize
64KB

Download
memory/952-35-0x00000000013F0000-0x0000000001400000-memory.dmp

Filesize
64KB

Download
memory/952-36-0x00000000013F0000-0x0000000001400000-memory.dmp

Filesize
64KB

Download
memory/952-37-0x000000001EBB0000-0x000000001ECEC000-memory.dmp

Filesize
1.2MB

Download
memory/952-38-0x0000000020D70000-0x000000002127E000-memory.dmp

Filesize
5.1MB

Download
memory/952-39-0x000000001ECF0000-0x000000001EDF0000-memory.dmp

Filesize
1024KB

Download
memory/952-40-0x00007FFC2C440000-0x00007FFC2CDE1000-memory.dmp

Filesize
9.6MB

Download
memory/952-41-0x00007FFC2C440000-0x00007FFC2CDE1000-memory.dmp

Filesize
9.6MB

Download
memory/952-42-0x00000000013F0000-0x0000000001400000-memory.dmp

Filesize
64KB

Download
memory/952-43-0x000000001ECF0000-0x000000001EDF0000-memory.dmp

Filesize
1024KB

Download
memory/952-45-0x00007FFC2C440000-0x00007FFC2CDE1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads