Overview

overview

8

Static

static

7

SubzeroFree.exe

windows7-x64

8

SubzeroFree.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    137s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-04-2024 08:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SubzeroFree.exe

  • Size

    16.2MB

  • MD5

    6941b02bd3846caad086353b70264f09

  • SHA1

    e1c7389d804a9ca7d53ad9c1b60718d0e258900e

  • SHA256

    9fa02f23b5a381b507a923bbd93452c20a3aa12f585ac04095a383f9939a214e

  • SHA512

    65554334dfd1c504ee087356b9d58aa55f376276f957070f1f03a27e1b38ae633934a9f726de394c394cb22581f23f8e155a48ff76549e36910a9b3b95b9daa3

  • SSDEEP

    98304:FHMwajbQfcYf2MUzwcGD7eFRGYmm9sb9kHVc5XzVIhGn4+InpYY4cTVw4k1uAn0U:FCj6YMe6AsxkHql3ypBxk1u6f/yKseWi

Score
8/10
evasionpersistencevmprotect

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 3 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SubzeroFree.exe
    "C:\Users\Admin\AppData\Local\Temp\SubzeroFree.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop BEService > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Windows\system32\sc.exe
        sc stop BEService
        3⤵
        • Launches sc.exe
        PID:3128
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3088
      • C:\Windows\system32\sc.exe
        sc stop EasyAntiCheat
        3⤵
        • Launches sc.exe
        PID:4552
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM FortniteClient-Win64-Shipping.exe > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4188
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM FortniteClient-Win64-Shipping.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4956
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM EpicGamesLauncher.exe > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4580
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM EpicGamesLauncher.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3740
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM EasyAntiCheat.exe > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:232
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM EasyAntiCheat.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3420
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc create SubzFree binPath=C:\amifldrv64.sys type=kernel > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\system32\sc.exe
        sc create SubzFree binPath=C:\amifldrv64.sys type=kernel
        3⤵
        • Launches sc.exe
        PID:5016
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start SubzFree > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3500
      • C:\Windows\system32\sc.exe
        sc start SubzFree
        3⤵
        • Launches sc.exe
        PID:1368
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\maps.exe C:\drvs.sys > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\maps.exe
        C:\maps.exe C:\drvs.sys
        3⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:2792
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:748
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:5104

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\maps.exe
        Filesize

        133KB

        MD5

        284396aa4d663e010b4ecee9ddf90269

        SHA1

        1746d269a0c3f2fb2b75750a732c8339f0cfbfe9

        SHA256

        2a9e2f0f019399b393354db70af0cfabda83f87251943db7d93e50e716c824fb

        SHA512

        bd9466f00e71b5787bddaf410b71b04af37a7ca60deff6550df344af8dcae5d3ad138e8371dabd3003e3f6e92b92ce457ffa1d83134bf3f68fb2bd090903f062

        Download Submit

      • memory/4028-0-0x00007FF7BE9D0000-0x00007FF7BFF41000-memory.dmp

        Filesize

        21.4MB

        Download

      • memory/4028-1-0x00007FF8B35F0000-0x00007FF8B35F2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4028-2-0x00007FF8B3600000-0x00007FF8B3602000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4028-3-0x00007FF7BE9D0000-0x00007FF7BFF41000-memory.dmp

        Filesize

        21.4MB

        Download

      • memory/4028-27-0x00007FF7BE9D0000-0x00007FF7BFF41000-memory.dmp

        Filesize

        21.4MB

        Download