Analysis
-
max time kernel
14s -
max time network
21s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-de -
resource tags
-
submitted
15/03/2024, 20:06
General
-
Target
applecleaner.exe
-
Size
3.3MB
-
MD5
ba268b881bccd2784fe98289eec8ad72
-
SHA1
0c4e7f1473fb7ab22427480c3d784b6e0e404956
-
SHA256
c83921c8dda800ef24ebe873ec175617110dc9deb2629d1107f219ca30caece3
-
SHA512
30c836bb91ef96f5952571bba27d08c32011e619890fae392f882e5c7db7558ed26e6aa1fbdc2ce7d22c0a6aebc580e17ae807de70d99945cb2b438bd8cbbb3b
-
SSDEEP
49152:98jzvhuGMsOTenal2tV594MzhJD3TMgwQiPRxksa2EQUFO0JIbn6/ubWYY725hXQ:9QFXlbnal2XDhZRwRVsE0JDoWYJPXLk
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 7 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 30 IoCs
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\applecleaner.exe"C:\Users\Admin\AppData\Local\Temp\applecleaner.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Checks system information in the registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im Battle.net.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start https://applecheats.cc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa331c46f8,0x7ffa331c4708,0x7ffa331c47184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2189982398685733533,5888665883124020569,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,2189982398685733533,5888665883124020569,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,2189982398685733533,5888665883124020569,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2189982398685733533,5888665883124020569,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2189982398685733533,5888665883124020569,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2189982398685733533,5888665883124020569,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2189982398685733533,5888665883124020569,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2189982398685733533,5888665883124020569,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:14⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NETSH WINSOCK RESET >nul 2>&12⤵
-
C:\Windows\system32\netsh.exeNETSH WINSOCK RESET3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NETSH INT IP RESET >nul 2>&12⤵
-
C:\Windows\system32\netsh.exeNETSH INT IP RESET3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall reset >nul 2>&12⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall reset3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV4 RESET >nul 2>&12⤵
-
C:\Windows\system32\netsh.exeNETSH INTERFACE IPV4 RESET3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV6 RESET >nul 2>&12⤵
-
C:\Windows\system32\netsh.exeNETSH INTERFACE IPV6 RESET3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NETSH INTERFACE TCP RESET >nul 2>&12⤵
-
C:\Windows\system32\netsh.exeNETSH INTERFACE TCP RESET3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NETSH INT RESET ALL >nul 2>&12⤵
-
C:\Windows\system32\netsh.exeNETSH INT RESET ALL3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&12⤵
-
C:\Windows\system32\ipconfig.exeIPCONFIG /RELEASE3⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&12⤵
-
C:\Windows\system32\ipconfig.exeIPCONFIG /RELEASE3⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c IPCONFIG /FLUSHDNS >nul 2>&12⤵
-
C:\Windows\system32\ipconfig.exeIPCONFIG /FLUSHDNS3⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NBTSTAT -R >nul 2>&12⤵
-
C:\Windows\system32\nbtstat.exeNBTSTAT -R3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NBTSTAT -RR >nul 2>&12⤵
-
C:\Windows\system32\nbtstat.exeNBTSTAT -RR3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arp -a >nul 2>&12⤵
-
C:\Windows\system32\ARP.EXEarp -a3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arp -d >nul 2>&12⤵
-
C:\Windows\system32\ARP.EXEarp -d3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&12⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD51eb86108cb8f5a956fdf48efbd5d06fe
SHA17b2b299f753798e4891df2d9cbf30f94b39ef924
SHA2561b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d
-
Filesize
152B
MD5f35bb0615bb9816f562b83304e456294
SHA11049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA25605e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1
-
Filesize
120B
MD505aa4dd8c2622841b3e77fd71170d15e
SHA1042572841b5dbe41eff90afdf5802df281e36d6e
SHA2564c1a39f3dc2cb8cf7b756eb9f1a556fa748fc51effa11e4b4a534b747d181ac6
SHA5123019b374a747b8e80ef404c7461b8a8a9d7e0e68f0e585d66f8643713618257835ecea70e887c1caef3194ba6549132a43ac47c181eb28d9204375d3e2a5dd09
-
Filesize
554B
MD50f4916d1a72620956e2483ae1bd124b5
SHA14e094b5f3504fc1dbe7850cb518434b6b25dbddb
SHA2569df748da6c2d060a6d697ceeee009791e73e8bd0e074f6eac22a134cb115b89e
SHA51286c7c58f89f34875e909f7f2fe8afe442710a5451bad1f367510f64c6682d4a1138594a1288f3b2dbcb9ef2bed8bd77ba60c87f5bcb94828f9ff15233439fd7f
-
Filesize
6KB
MD50574e817fd2a460545c5116c0081f3b8
SHA100d19304d3016febb650aaae228c4a7dce522726
SHA256d805edcc7efd69c2edc3d214f3c8cf0173149f270487663dc96a128816314bef
SHA512af2aaccd9a6c6abd59434950b55f1d4c90664e3ed70d543a9e5b815fb13e6240d0847323bcec20d75f4eb77ce9ddf304b87d5091df0ffe20ceb732d0ff624668
-
Filesize
6KB
MD56107d6f4872ade75da1813f8523ead36
SHA16202c7721e2edc05236b25cc13192b7e9feb78a6
SHA256ab02c1b9eefcdc4b8b44ac81ea787435d4860bc8949c84dfed846db2933c9725
SHA5121f2c9750ee8d3b06b56c338a249647f0fba73f6c1c36919213379bab0f16134c47a921f5ed076a04ed89dcb0bdf9d0e9ebbed647637b73e927b877ec46bfa53c
-
Filesize
11KB
MD5c473e2f033de305e0d462dc066911a72
SHA112a53afeb748dc0f5c6d6bb2d1988bd9e4f2215f
SHA256915b237f6e26b18db2935ff3b0a1e005f9f97596885074c1fba3455baa8f242d
SHA5128894d231f293f1259c8ffa4bf6e8d2fd07c6e2af25d84d145c1e839e4f969b3a34c80c8c945e9f51cd03a9a2731eb6aba27cf3e38f06ca9097298949b62f3e67
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
2.0MB
-
Filesize
9.1MB