Analysis

- max time kernel: 16s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-04-2024 14:22
- Static task static1
- Behavioral task behavioral1: Sample 599151.301.25077.7868139.lnk, Resource win7-20240221-en
- Behavioral task behavioral2: Sample 599151.301.25077.7868139.lnk, Resource win10v2004-20240226-en
- Behavioral task behavioral3: Sample TUP32980638916Y/ctfmon-dll-decoded.dll, Resource win7-20240319-en
- Behavioral task behavioral4: Sample TUP32980638916Y/ctfmon-dll-decoded.dll, Resource win10v2004-20240226-en
- Behavioral task behavioral5: Sample TUP32980638916Y/ctfmon.dll, Resource win7-20240221-en
- Behavioral task behavioral6: Sample TUP32980638916Y/ctfmon.dll, Resource win10v2004-20240226-en
- Behavioral task behavioral7: Sample TUP32980638916Y/ctfmon.exe, Resource win7-20240221-en
- Behavioral task behavioral8: Sample TUP32980638916Y/ctfmon.exe, Resource win10v2004-20240226-en
- Behavioral task behavioral9: Sample TUP32980638916Y/ctfmon1.exe, Resource win7-20240221-en
- Behavioral task behavioral10: Sample TUP32980638916Y/ctfmon1.exe, Resource win10v2004-20240226-en
- Behavioral task behavioral11: Sample TUP32980638916Y/ctfmon1_.ps1, Resource win7-20240221-en
- Behavioral task behavioral12: Sample TUP32980638916Y/ctfmon1_.ps1, Resource win10v2004-20240226-en
- Behavioral task behavioral13: Sample TUP32980638916Y/log32.dll, Resource win7-20240221-en
- Behavioral task behavioral14: Sample TUP32980638916Y/log32.dll, Resource win10v2004-20231215-en
- Behavioral task behavioral15: Sample TUP32980638916Y/log33.dll, Resource win7-20240215-en
- Behavioral task behavioral16: Sample TUP32980638916Y/log33.dll, Resource win10v2004-20240226-en
General

- Target: TUP32980638916Y/ctfmon1.exe
- Size: 870KB
- MD5: 82d2590bfa019845cbdd670427d31674
- SHA1: 5b96ae15e9d3e0db2ebd4d94c930a39bf1829afe
- SHA256: 7d361e62e333b2ed467505025fd04c75b63c6aca9b15dad6f76adc8bd1deadbd
- SHA512: 8d071e78cf1db6d8391b567e64a04e42fd0b83bab3b2d3af729899b41a92cb7068576914a63fbbd3af3601d74a49e9620bab0a6788c13d4dad6319ce837380ee
- SSDEEP: 24576:FAHnh+eWsN3skA4RV1Hom2KXMmHahM065:0h+ZkldoPK8YahY
Malware Config

Signatures

- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate; Process: dllhost.exe
- Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  description: File opened for modification; ioc: \??\VBoxMiniRdrDN; Process: dllhost.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2576, Process dllhost.exe (4 identical rows)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeShutdownPrivilege; pid 3564; Process shutdown.exe
  Token: SeRemoteShutdownPrivilege; pid 3564; Process shutdown.exe
  Token: SeShutdownPrivilege; pid 3572; Process shutdown.exe
  Token: SeRemoteShutdownPrivilege; pid 3572; Process shutdown.exe
  Token: SeShutdownPrivilege; pid 3616; Process shutdown.exe
  Token: SeRemoteShutdownPrivilege; pid 3616; Process shutdown.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 2148, Process ctfmon1.exe (3 identical rows)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid 2148, Process ctfmon1.exe (3 identical rows)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description: PID 2148 wrote to memory of 2576; pid 2148; Process ctfmon1.exe; procid_target 28 (64 identical rows)
Processes

- C:\Users\Admin\AppData\Local\Temp\TUP32980638916Y\ctfmon1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TUP32980638916Y\ctfmon1.exe"
  PID: 2148
  Signatures: Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\dllhost.exe
    Command line: "C:\Windows\System32\dllhost.exe"
    PID: 2576
    Signatures: Checks BIOS information in registry; Checks for VirtualBox DLLs, possible anti-VM trick; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c shutdown -s -t 2 -f
      PID: 3484
      - C:\Windows\SysWOW64\shutdown.exe
        Command line: shutdown -s -t 2 -f
        PID: 3564
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c shutdown -s -t 2 -f
      PID: 3492
      - C:\Windows\SysWOW64\shutdown.exe
        Command line: shutdown -s -t 2 -f
        PID: 3572
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c shutdown -s -t 1 -f
      PID: 3512
      - C:\Windows\SysWOW64\shutdown.exe
        Command line: shutdown -s -t 1 -f
        PID: 3616
        Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 3668
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 3860