Overview
overview
10Static
static
10sss/Install/Del3.bat
windows7-x64
1sss/Install/Del3.bat
windows10-2004-x64
1sss/Instal...te.bat
windows7-x64
1sss/Instal...te.bat
windows10-2004-x64
1sss/Install/del.bat
windows7-x64
1sss/Install/del.bat
windows10-2004-x64
1sss/Install/smss.exe
windows7-x64
10sss/Install/smss.exe
windows10-2004-x64
10sss/RDPWinst.exe
windows7-x64
1sss/RDPWinst.exe
windows10-2004-x64
1sss/ReaIte...st.exe
windows7-x64
10sss/ReaIte...st.exe
windows10-2004-x64
10sss/ReaIte...tw.exe
windows7-x64
9sss/ReaIte...tw.exe
windows10-2004-x64
9sss/Window...rv.exe
windows7-x64
10sss/Window...rv.exe
windows10-2004-x64
10sss/Window...MD.exe
windows7-x64
1sss/Window...MD.exe
windows10-2004-x64
1sss/Window...le.exe
windows7-x64
1sss/Window...le.exe
windows10-2004-x64
1sss/Window...st.exe
windows7-x64
1sss/Window...st.exe
windows10-2004-x64
1sss/Window...64.sys
windows7-x64
1sss/Window...64.sys
windows10-2004-x64
1sss/Window...dg.exe
windows7-x64
9sss/Window...dg.exe
windows10-2004-x64
9sss/Window...on.bat
windows7-x64
1sss/Window...on.bat
windows10-2004-x64
1Analysis
-
max time kernel
1050s -
max time network
844s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
30-03-2024 23:04
Behavioral task
behavioral1
Sample
sss/Install/Del3.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
sss/Install/Del3.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
sss/Install/Delete.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
sss/Install/Delete.bat
Resource
win10v2004-20240319-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
sss/Install/del.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
sss/Install/del.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
sss/Install/smss.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
sss/Install/smss.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
sss/RDPWinst.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
sss/RDPWinst.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
sss/ReaItekHD/taskhost.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
sss/ReaItekHD/taskhost.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
sss/ReaItekHD/taskhostw.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral14
Sample
sss/ReaItekHD/taskhostw.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
sss/Windows Tasks Service/winserv.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral16
Sample
sss/Windows Tasks Service/winserv.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
sss/WindowsTask/AMD.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
sss/WindowsTask/AMD.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
sss/WindowsTask/AppModule.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
sss/WindowsTask/AppModule.exe
Resource
win10v2004-20240319-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
sss/WindowsTask/MicrosoftHost.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
sss/WindowsTask/MicrosoftHost.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
sss/WindowsTask/WinRing0x64.sys
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
sss/WindowsTask/WinRing0x64.sys
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
sss/WindowsTask/audiodg.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral26
Sample
sss/WindowsTask/audiodg.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
sss/WindowsTask/winlogon.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
sss/WindowsTask/winlogon.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
sss/ReaItekHD/taskhostw.exe
-
Size
28.1MB
-
MD5
dc1292c7fa973a334934340d6674e376
-
SHA1
82660001eeefec20cdfa4ce78f8db5e6968ce729
-
SHA256
fcc78017b47e6d12fc84a479bce14e27562e746d928ebe30bdb13cbc3cc8c2d1
-
SHA512
7fe20bc6ccd8e78036c5ab7517706f88e8d5ed4ed602515ad702d4db5a2271b44fd76fed5fd7bbf4cd47b5006cfb97772f01f6ead2b35af7ff10d7b9ec2c4a04
-
SSDEEP
786432:5Uv4WjB487BSaxifeu5K/P9D/puKTLAA+ecrJ:5UvbnoX5g/puKTczr
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ taskhostw.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts taskhostw.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion taskhostw.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion taskhostw.exe -
resource yara_rule behavioral13/memory/1988-0-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-2-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-3-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-4-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-5-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-6-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-7-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-8-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-9-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-14-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-15-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-16-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-18-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-19-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-20-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-21-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-22-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-23-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-24-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-25-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-26-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-27-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-28-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-29-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-30-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-31-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-32-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-33-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-34-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-35-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-36-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-37-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-38-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-39-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-40-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-41-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-42-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-43-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-44-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-45-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-46-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-47-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-48-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-49-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-50-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-51-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-52-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-53-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-54-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-55-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-56-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-57-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-58-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-59-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-60-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-61-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-62-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-63-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-64-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-65-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-66-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-67-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-68-0x000000013F270000-0x00000001416EE000-memory.dmp themida behavioral13/memory/1988-69-0x000000013F270000-0x00000001416EE000-memory.dmp themida -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\ReaItekHD\\taskhostw.exe" taskhostw.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA taskhostw.exe -
AutoIT Executable 64 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral13/memory/1988-3-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-4-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-5-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-6-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-7-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-8-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-9-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-14-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-15-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-16-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-18-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-19-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-20-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-21-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-22-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-23-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-24-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-25-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-26-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-27-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-28-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-29-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-30-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-31-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-32-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-33-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-34-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-35-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-36-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-37-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-38-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-39-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-40-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-41-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-42-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-43-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-44-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-45-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-46-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-47-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-48-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-49-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-50-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-51-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-52-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-53-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-54-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-55-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-56-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-57-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-58-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-59-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-60-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-61-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-62-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-63-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-64-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-65-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-66-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-67-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-68-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-69-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-70-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe behavioral13/memory/1988-71-0x000000013F270000-0x00000001416EE000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1988 taskhostw.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe 1988 taskhostw.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1988 taskhostw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\sss\ReaItekHD\taskhostw.exe"C:\Users\Admin\AppData\Local\Temp\sss\ReaItekHD\taskhostw.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1988