Resubmissions
19-04-2024 11:45
240419-nw88dsag38 1019-04-2024 11:43
240419-nv23pabf2x 319-04-2024 10:25
240419-mf6a5agh7t 10Analysis
-
max time kernel
32s -
max time network
35s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
19-04-2024 10:25
General
-
Target
Ana.exe
-
Size
2.1MB
-
MD5
f571faca510bffe809c76c1828d44523
-
SHA1
7a3ca1660f0a513316b8cd5496ac7dbe82f0e0c2
-
SHA256
117d7af0deb40b3fe532bb6cbe374884fa55ed7cfe053fe698720cdccb5a59cb
-
SHA512
a08bca2fb1387cc70b737520d566c7117aa3fdb9a52f5dbb0bb7be44630da7977882d8c808cbee843c8a180777b4ac5819e8bafda6b2c883e380dc7fb5358a51
-
SSDEEP
49152:OwVYlfBUDiZx8Fa/Q0NuB3btlnCItWNSwoy:OxPUDQmso0NuBZlnCItM
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 14 IoCs
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ana.exe"C:\Users\Admin\AppData\Local\Temp\Ana.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AV.EXE"C:\Users\Admin\AppData\Local\Temp\AV.EXE"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RtlDriver32.exe"C:\Users\Admin\AppData\Roaming\RtlDriver32.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\AV2.EXE"C:\Users\Admin\AppData\Local\Temp\AV2.EXE"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\hP17766BiOlL17766\hP17766BiOlL17766.exe"C:\ProgramData\hP17766BiOlL17766\hP17766BiOlL17766.exe" "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\DB.EXE"C:\Users\Admin\AppData\Local\Temp\DB.EXE"2⤵
- Adds policy Run key to start application
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\scrobjc.exeC:\Windows\SysWOW64\scrobjc.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /flushdns4⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\cmd.exe/c C:\Users\Admin\AppData\Local\Temp\~unins8400.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\EN.EXE"C:\Users\Admin\AppData\Local\Temp\EN.EXE"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\SB.EXE"C:\Users\Admin\AppData\Local\Temp\SB.EXE"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
368KB
MD58bbe6b3a5436ebdd0eba9f1fd01ee31e
SHA126aac72dbbdbd8492528a6bb95d93dc34276a0be
SHA256f93fe213ba80d46bc76d6ccad18d09bd069fe89187f4a795f4c46b621c935ad6
SHA512f8963c4ff761b50701e1736e36fc8773b402007bad89a0e467a4e1503088de664551290cc58949cdbebfa14844d2643221c32724d89fc75188ad8d6e15fa3697
-
Filesize
208B
MD583073798ba76bd37cd962852c7d46b4e
SHA1e630c7099e182fa1596b4773860c49c994bf1f70
SHA2566e9ed9258930ef5e106983290859d1538560ea7734504af8163c501a1bf9d0aa
SHA5124b84da2e960df9e0deb14e869faa98b6f0544de8e845b8a8186642307dba1e1dc22d9eea321dd298302b0346c7bc9360afc1ee9c9fc7aa0434bce398147672ee
-
Filesize
6KB
MD5621f2279f69686e8547e476b642b6c46
SHA166f486cd566f86ab16015fe74f50d4515decce88
SHA256c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38
SHA512068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e
-
Filesize
1010B
MD56e630504be525e953debd0ce831b9aa0
SHA1edfa47b3edf98af94954b5b0850286a324608503
SHA2562563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5
SHA512bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2
-
Filesize
49B
MD59e0a2f5ab30517809b95a1ff1dd98c53
SHA15c1eefdf10e67d1e9216e2e3f5e92352d583c9ce
SHA25697ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32
SHA512e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42
-
Filesize
1.1MB
MD5f284568010505119f479617a2e7dc189
SHA1e23707625cce0035e3c1d2255af1ed326583a1ea
SHA25626c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1
SHA512ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf
-
Filesize
368KB
MD5014578edb7da99e5ba8dd84f5d26dfd5
SHA1df56d701165a480e925a153856cbc3ab799c5a04
SHA2564ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529
SHA512bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068
-
Filesize
243KB
MD5c6746a62feafcb4fca301f606f7101fa
SHA1e09cd1382f9ceec027083b40e35f5f3d184e485f
SHA256b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6
SHA512ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642
-
Filesize
224KB
MD59252e1be9776af202d6ad5c093637022
SHA16cc686d837cd633d9c2e8bc1eaba5fc364bf71d8
SHA256ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6
SHA51298b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea
-
Filesize
101KB
MD598c149f93eb97198a195fee3a4b6e046
SHA1903e716c56075923ce1b455f387a496df886ddcb
SHA256a278c637e68bac80dd0e19a85a4a588c4345520d9a4d88899936fa435dd80278
SHA51273afd9f7b3e4c0598129b2d747dbe7b048ce3859eeef980480c2b59f51c2d575e8441ac3be8548f88cf872b245045b6554d06bdd6cea2237e158f3225066f6fa
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
276KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
588KB
-
Filesize
196KB
-
Filesize
588KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
12KB
-
Filesize
780KB
-
Filesize
4KB
-
Filesize
780KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
4KB
-
Filesize
40KB