Resubmissions
25-04-2024 08:31  240425-kevrwshb37  9

Analysis
max time kernel:   69s
max time network:  71s
platform:          windows10-2004_x64
resource:          win10v2004-20240412-en
resource tags:     arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
submitted:         25-04-2024 08:31
General
Target:  hanzowoofercracked/hanzowoofercracked/hanzopermspoofer.exe
Size:    31.0MB
MD5:     3efc3953bf361a6921855261d7db3ebc
SHA1:    5800977eef27d3334b317857d888aa390095f4c4
SHA256:  283a8086913fe4355ff9b17d5a0037563f078b09eb4b3b50952a9192a2e974ff
SHA512:  9152865d4b7bf257675a314b3a6ca9101ba2f3d9b61140b0cb9fa5364a3f436e4e4365f8232bbc86189981d6f540bab3e1501cb0092b3879e58b85e7bccc00b9
SSDEEP:  786432:4VytLBdFNfkdFpNCWwlInHkhK+2bjEZNokgBEPVj:OytnXkdFpbPktAo4BM5
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs  1 IoCs
Processes:
  description  ioc                                          process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  hanzopermspoofer.exe

Stops running service(s)  3 TTPs

Checks BIOS information in registry  2 TTPs  2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  hanzopermspoofer.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   hanzopermspoofer.exe
Processes:
  resource                                                           yara_rule
  behavioral1/memory/928-1-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp   themida
  behavioral1/memory/928-2-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp   themida
  behavioral1/memory/928-3-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp   themida
  behavioral1/memory/928-4-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp   themida
  behavioral1/memory/928-5-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp   themida
  behavioral1/memory/928-6-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp   themida
  behavioral1/memory/928-7-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp   themida
  behavioral1/memory/928-8-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp   themida
  behavioral1/memory/928-9-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp   themida
  behavioral1/memory/928-10-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp  themida
Checks whether UAC is enabled
Processes:
  description        ioc                                                                               process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  hanzopermspoofer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger  1 IoCs
Processes:
  pid  process
  928  hanzopermspoofer.exe
Launches sc.exe  1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid   process
  1376  sc.exe
Checks SCSI registry key(s)  3 TTPs  3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                                                                  process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                      taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                         taskmgr.exe
Kills process with taskkill  5 IoCs
Processes:
  pid   process
  2364  taskkill.exe
  1616  taskkill.exe
  1400  taskkill.exe
  2772  taskkill.exe
  5100  taskkill.exe
Suspicious behavior: EnumeratesProcesses  64 IoCs
Processes:
  pid  process
  928  hanzopermspoofer.exe  (64 identical entries)
Suspicious use of AdjustPrivilegeToken  10 IoCs
Processes:
  description                        pid   process
  Token: SeDebugPrivilege            1400  taskkill.exe
  Token: SeDebugPrivilege            2772  taskkill.exe
  Token: SeDebugPrivilege            5100  taskkill.exe
  Token: SeDebugPrivilege            2364  taskkill.exe
  Token: SeDebugPrivilege            1616  taskkill.exe
  Token: SeDebugPrivilege            4984  taskmgr.exe
  Token: SeSystemProfilePrivilege    4984  taskmgr.exe
  Token: SeCreateGlobalPrivilege     4984  taskmgr.exe
  Token: 33                          4984  taskmgr.exe
  Token: SeIncBasePriorityPrivilege  4984  taskmgr.exe
Suspicious use of FindShellTrayWindow  47 IoCs
Processes:
  pid   process
  4984  taskmgr.exe  (47 identical entries)
Suspicious use of SendNotifyMessage  46 IoCs
Processes:
  pid   process
  4984  taskmgr.exe  (46 identical entries)
Suspicious use of WriteProcessMemory  34 IoCs
Processes (each row is recorded twice in the report, 34 IoCs in total):
  description                   pid   process               target process
  PID 928 wrote to memory of 3216   928   hanzopermspoofer.exe  cmd.exe
  PID 928 wrote to memory of 652    928   hanzopermspoofer.exe  cmd.exe
  PID 3216 wrote to memory of 1400  3216  cmd.exe               taskkill.exe
  PID 928 wrote to memory of 2660   928   hanzopermspoofer.exe  cmd.exe
  PID 2660 wrote to memory of 2772  2660  cmd.exe               taskkill.exe
  PID 928 wrote to memory of 4084   928   hanzopermspoofer.exe  cmd.exe
  PID 4084 wrote to memory of 1376  4084  cmd.exe               sc.exe
  PID 928 wrote to memory of 2096   928   hanzopermspoofer.exe  cmd.exe
  PID 2096 wrote to memory of 5100  2096  cmd.exe               taskkill.exe
  PID 928 wrote to memory of 3940   928   hanzopermspoofer.exe  cmd.exe
  PID 3940 wrote to memory of 2364  3940  cmd.exe               taskkill.exe
  PID 928 wrote to memory of 3300   928   hanzopermspoofer.exe  cmd.exe
  PID 3300 wrote to memory of 1616  3300  cmd.exe               taskkill.exe
  PID 928 wrote to memory of 3896   928   hanzopermspoofer.exe  cmd.exe
  PID 3896 wrote to memory of 2560  3896  cmd.exe               certutil.exe
  PID 3896 wrote to memory of 1336  3896  cmd.exe               find.exe
  PID 3896 wrote to memory of 1628  3896  cmd.exe               find.exe
Processes

(level 1) C:\Users\Admin\AppData\Local\Temp\hanzowoofercracked\hanzowoofercracked\hanzopermspoofer.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\hanzowoofercracked\hanzowoofercracked\hanzopermspoofer.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  (level 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Windows\system32\taskkill.exe
      command line: taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  (level 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c CLS

  (level 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Windows\system32\taskkill.exe
      command line: taskkill /f /im HTTPDebuggerSvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  (level 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Windows\system32\sc.exe
      command line: sc stop HTTPDebuggerPro
      - Launches sc.exe

  (level 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Windows\system32\taskkill.exe
      command line: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  (level 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Windows\system32\taskkill.exe
      command line: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  (level 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Windows\system32\taskkill.exe
      command line: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  (level 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\hanzowoofercracked\hanzowoofercracked\hanzopermspoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Windows\system32\certutil.exe
      command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\hanzowoofercracked\hanzowoofercracked\hanzopermspoofer.exe" MD5

    (level 3) C:\Windows\system32\find.exe
      command line: find /i /v "md5"

    (level 3) C:\Windows\system32\find.exe
      command line: find /i /v "certutil"

(level 1) C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Downloads
  resource                                                          Filesize
  memory/928-0-0x00007FFFC8590000-0x00007FFFC8785000-memory.dmp     2.0MB
  memory/928-1-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp     81.7MB
  memory/928-2-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp     81.7MB
  memory/928-3-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp     81.7MB
  memory/928-4-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp     81.7MB
  memory/928-5-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp     81.7MB
  memory/928-6-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp     81.7MB
  memory/928-7-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp     81.7MB
  memory/928-8-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp     81.7MB
  memory/928-9-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp     81.7MB
  memory/928-10-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp    81.7MB
  memory/928-11-0x00007FFFC8590000-0x00007FFFC8785000-memory.dmp    2.0MB
  memory/4984-12-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp   4KB
  memory/4984-13-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp   4KB
  memory/4984-14-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp   4KB
  memory/4984-18-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp   4KB
  memory/4984-19-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp   4KB
  memory/4984-20-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp   4KB
  memory/4984-21-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp   4KB
  memory/4984-22-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp   4KB
  memory/4984-23-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp   4KB
  memory/4984-24-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp   4KB