9fa02f23b5a381b507a923bbd93452c20a3aa12f585ac04095a383f9939a214e

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SubzeroFree.exe
Size

16.2MB
MD5

6941b02bd3846caad086353b70264f09
SHA1

e1c7389d804a9ca7d53ad9c1b60718d0e258900e
SHA256

9fa02f23b5a381b507a923bbd93452c20a3aa12f585ac04095a383f9939a214e
SHA512

65554334dfd1c504ee087356b9d58aa55f376276f957070f1f03a27e1b38ae633934a9f726de394c394cb22581f23f8e155a48ff76549e36910a9b3b95b9daa3
SSDEEP

98304:FHMwajbQfcYf2MUzwcGD7eFRGYmm9sb9kHVc5XzVIhGn4+InpYY4cTVw4k1uAn0U:FCj6YMe6AsxkHql3ypBxk1u6f/yKseWi

Score

8^/10

evasion persistence vmprotect

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tlbHZrZIbArMS\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\tlbHZrZIbArMS"	maps.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
1452	maps.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2240-3-0x000000013FDD0000-0x0000000141341000-memory.dmp	vmprotect
behavioral1/memory/2240-12-0x000000013FDD0000-0x0000000141341000-memory.dmp	vmprotect
behavioral1/memory/2240-85-0x000000013FDD0000-0x0000000141341000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2240	SubzeroFree.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2524	sc.exe
2596	sc.exe
2144	sc.exe
1504	sc.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2304	taskkill.exe
2616	taskkill.exe
2704	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	SubzeroFree.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	SubzeroFree.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	SubzeroFree.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2240	SubzeroFree.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1452	maps.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeLoadDriverPrivilege	1452	maps.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2484	2240	SubzeroFree.exe	29
PID 2240 wrote to memory of 2484	2240	SubzeroFree.exe	29
PID 2240 wrote to memory of 2484	2240	SubzeroFree.exe	29
PID 2484 wrote to memory of 2524	2484	cmd.exe	30
PID 2484 wrote to memory of 2524	2484	cmd.exe	30
PID 2484 wrote to memory of 2524	2484	cmd.exe	30
PID 2240 wrote to memory of 2580	2240	SubzeroFree.exe	31
PID 2240 wrote to memory of 2580	2240	SubzeroFree.exe	31
PID 2240 wrote to memory of 2580	2240	SubzeroFree.exe	31
PID 2580 wrote to memory of 2596	2580	cmd.exe	32
PID 2580 wrote to memory of 2596	2580	cmd.exe	32
PID 2580 wrote to memory of 2596	2580	cmd.exe	32
PID 2240 wrote to memory of 2604	2240	SubzeroFree.exe	33
PID 2240 wrote to memory of 2604	2240	SubzeroFree.exe	33
PID 2240 wrote to memory of 2604	2240	SubzeroFree.exe	33
PID 2604 wrote to memory of 2616	2604	cmd.exe	34
PID 2604 wrote to memory of 2616	2604	cmd.exe	34
PID 2604 wrote to memory of 2616	2604	cmd.exe	34
PID 2240 wrote to memory of 2416	2240	SubzeroFree.exe	36
PID 2240 wrote to memory of 2416	2240	SubzeroFree.exe	36
PID 2240 wrote to memory of 2416	2240	SubzeroFree.exe	36
PID 2416 wrote to memory of 2704	2416	cmd.exe	37
PID 2416 wrote to memory of 2704	2416	cmd.exe	37
PID 2416 wrote to memory of 2704	2416	cmd.exe	37
PID 2240 wrote to memory of 2748	2240	SubzeroFree.exe	38
PID 2240 wrote to memory of 2748	2240	SubzeroFree.exe	38
PID 2240 wrote to memory of 2748	2240	SubzeroFree.exe	38
PID 2748 wrote to memory of 2304	2748	cmd.exe	39
PID 2748 wrote to memory of 2304	2748	cmd.exe	39
PID 2748 wrote to memory of 2304	2748	cmd.exe	39
PID 2240 wrote to memory of 1856	2240	SubzeroFree.exe	40
PID 2240 wrote to memory of 1856	2240	SubzeroFree.exe	40
PID 2240 wrote to memory of 1856	2240	SubzeroFree.exe	40
PID 1856 wrote to memory of 2144	1856	cmd.exe	41
PID 1856 wrote to memory of 2144	1856	cmd.exe	41
PID 1856 wrote to memory of 2144	1856	cmd.exe	41
PID 2240 wrote to memory of 340	2240	SubzeroFree.exe	42
PID 2240 wrote to memory of 340	2240	SubzeroFree.exe	42
PID 2240 wrote to memory of 340	2240	SubzeroFree.exe	42
PID 340 wrote to memory of 1504	340	cmd.exe	43
PID 340 wrote to memory of 1504	340	cmd.exe	43
PID 340 wrote to memory of 1504	340	cmd.exe	43
PID 2240 wrote to memory of 1132	2240	SubzeroFree.exe	44
PID 2240 wrote to memory of 1132	2240	SubzeroFree.exe	44
PID 2240 wrote to memory of 1132	2240	SubzeroFree.exe	44
PID 1132 wrote to memory of 1452	1132	cmd.exe	45
PID 1132 wrote to memory of 1452	1132	cmd.exe	45
PID 1132 wrote to memory of 1452	1132	cmd.exe	45
PID 2240 wrote to memory of 2160	2240	SubzeroFree.exe	46
PID 2240 wrote to memory of 2160	2240	SubzeroFree.exe	46
PID 2240 wrote to memory of 2160	2240	SubzeroFree.exe	46

C:\Users\Admin\AppData\Local\Temp\SubzeroFree.exe
"C:\Users\Admin\AppData\Local\Temp\SubzeroFree.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop BEService > nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\system32\sc.exe
    sc stop BEService
    3⤵
    - Launches sc.exe
    PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat > nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\system32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM FortniteClient-Win64-Shipping.exe > nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM EpicGamesLauncher.exe > nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM EasyAntiCheat.exe > nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM EasyAntiCheat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc create SubzFree binPath=C:\amifldrv64.sys type=kernel > nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\system32\sc.exe
    sc create SubzFree binPath=C:\amifldrv64.sys type=kernel
    3⤵
    - Launches sc.exe
    PID:2144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start SubzFree > nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Windows\system32\sc.exe
    sc start SubzFree
    3⤵
    - Launches sc.exe
    PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\maps.exe C:\drvs.sys > nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\maps.exe
    C:\maps.exe C:\drvs.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1665.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\maps.exe

Filesize
133KB

MD5
284396aa4d663e010b4ecee9ddf90269

SHA1
1746d269a0c3f2fb2b75750a732c8339f0cfbfe9

SHA256
2a9e2f0f019399b393354db70af0cfabda83f87251943db7d93e50e716c824fb

SHA512
bd9466f00e71b5787bddaf410b71b04af37a7ca60deff6550df344af8dcae5d3ad138e8371dabd3003e3f6e92b92ce457ffa1d83134bf3f68fb2bd090903f062

Download Submit
memory/2240-6-0x0000000076F30000-0x00000000770D9000-memory.dmp

Filesize
1.7MB

Download
memory/2240-5-0x00000000770E0000-0x00000000770E2000-memory.dmp

Filesize
8KB

Download
memory/2240-7-0x00000000770F0000-0x00000000770F2000-memory.dmp

Filesize
8KB

Download
memory/2240-9-0x00000000770F0000-0x00000000770F2000-memory.dmp

Filesize
8KB

Download
memory/2240-11-0x00000000770F0000-0x00000000770F2000-memory.dmp

Filesize
8KB

Download
memory/2240-12-0x000000013FDD0000-0x0000000141341000-memory.dmp

Filesize
21.4MB

Download
memory/2240-0-0x00000000770E0000-0x00000000770E2000-memory.dmp

Filesize
8KB

Download
memory/2240-2-0x00000000770E0000-0x00000000770E2000-memory.dmp

Filesize
8KB

Download
memory/2240-3-0x000000013FDD0000-0x0000000141341000-memory.dmp

Filesize
21.4MB

Download
memory/2240-85-0x000000013FDD0000-0x0000000141341000-memory.dmp

Filesize
21.4MB

Download
memory/2240-86-0x0000000076F30000-0x00000000770D9000-memory.dmp

Filesize
1.7MB

Download