Resubmissions
25/04/2024, 18:27
240425-w3zljade29 9Analysis
-
max time kernel
15s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
25/04/2024, 18:27
General
-
Target
AppleCleaner.exe
-
Size
3.6MB
-
MD5
da2176757b2fead6539243b42057cb3c
-
SHA1
e14195bd4066e90c821caabd6ca63a173c1ca802
-
SHA256
1a62ed192ff4a7bd746fa24c8d7cd96578a4c7e9f0d4a6651a2a3d0baff9c433
-
SHA512
b9d13ecd8679064bc4cd9dbd823ba5367aebe13177c9ed5e6c6c40d70823ed32977bd40cde73ccfaa49f6f32b19b4f06f9396beb145bd774891d4290873c735d
-
SSDEEP
98304:gmQu0iNucsADierKQYRc4sNHOZjKg5tkdv+HR5+a:fQabDieOQ944HOZjp5tkx+x3
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Manipulates Digital Signatures 1 TTPs 1 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 7 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 7 IoCs
-
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates system info in registry 2 TTPs 19 IoCs
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 42 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AppleCleaner.exe"C:\Users\Admin\AppData\Local\Temp\AppleCleaner.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Manipulates Digital Signatures
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Checks system information in the registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im Battle.net.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start https://applecheats.cc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://applecheats.cc/3⤵
- Drops desktop.ini file(s)
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NETSH WINSOCK RESET >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exeNETSH WINSOCK RESET3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NETSH INT IP RESET >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exeNETSH INT IP RESET3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall reset >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall reset3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV4 RESET >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exeNETSH INTERFACE IPV4 RESET3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV6 RESET >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exeNETSH INTERFACE IPV6 RESET3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NETSH INTERFACE TCP RESET >nul 2>&12⤵
-
C:\Windows\system32\netsh.exeNETSH INTERFACE TCP RESET3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NETSH INT RESET ALL >nul 2>&12⤵
-
C:\Windows\system32\netsh.exeNETSH INT RESET ALL3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&12⤵
-
C:\Windows\system32\ipconfig.exeIPCONFIG /RELEASE3⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&12⤵
-
C:\Windows\system32\ipconfig.exeIPCONFIG /RELEASE3⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c IPCONFIG /FLUSHDNS >nul 2>&12⤵
-
C:\Windows\system32\ipconfig.exeIPCONFIG /FLUSHDNS3⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NBTSTAT -R >nul 2>&12⤵
-
C:\Windows\system32\nbtstat.exeNBTSTAT -R3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c NBTSTAT -RR >nul 2>&12⤵
-
C:\Windows\system32\nbtstat.exeNBTSTAT -RR3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arp -a >nul 2>&12⤵
-
C:\Windows\system32\ARP.EXEarp -a3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arp -d >nul 2>&12⤵
-
C:\Windows\system32\ARP.EXEarp -d3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&12⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
252B
MD5c92ad18063a9c345c3bfdbf0f6e47cbf
SHA1f2bef1a40724f32a9c1812300a56a0999498b598
SHA2569dec33fd7617cd564d85725eec6470aae4fcb1251fa3dee8fa8a61b243b1584c
SHA512a32c85f34e6068f03bb5409a375973a956af86b56cdd8812a616cc713c6b26c0416a9f891dd040b0c8aaf2a297232fce4c0db3149d9e3d9f7e003e237e73d4f5
-
Filesize
344B
MD5fabcde2252036dba727f0bdf0bfb70f9
SHA1db8dc0af6cac13d4af3e60eaf69082d5d0357374
SHA25687b2eb41679f115074041b3f4ec2047dbbc304a3322ce0354a90556f53d2419d
SHA51221208a1b3d68529c42afa5ba74adf7275d00f64eb7588bc5bec0ff1be64327aa7be3c57bc90e7702ca0d848a4bb8fa56f2fe9607c62e63c7b1ced1c39d764887
-
Filesize
344B
MD5d8e1e95a3d7a32266a1f444cb2926ac9
SHA1965aba6ab2e72afc7e6437e0e22ce92b2047ce01
SHA2568d34fd559906ac9ad42fd277df0a9d0374d7da4e76a9c5f7fe0ddc1ec4c508e4
SHA512d1c6c09b37ec82d5a1e2d5f4090f49e9f40bfaf91dd96ad1d951399281eb59d43a2fec5aa644829a008589714ae8943ba87665ac530935e1dc1aa031a95160ec
-
Filesize
344B
MD565cf332efadffc4c7d759c60c73796bc
SHA1b259e5b29ae5379d79de836ac57f5ad5401b4d66
SHA25665fcdf34595e5f79dcdf7623f307e3465f69b30f62d4d936724f6c411d0ddeb3
SHA5129070c2958c44ab5dc30dbfa213824c041d7d827b9b2847b790736be8f06795bf376527c559ae7f6dbd99939c34874344aa502103c3dd7776dfe2bbd4e83e1430
-
Filesize
344B
MD5226cc3f8ac296ae3084e72079997e688
SHA135d124ded840d95bb06ffe0d56e71f7a1f2f7710
SHA2568d5722279c386d0355039ba1782530a356d9a1f3562863da9dbc5d5b76e25784
SHA512a191adf47674010c5b37e1b3748478e3830defe068262d97012c1e877e4ea9eb6724f5e94b997c331f6eaf308a5523d30394687e91849427245648f7e1ad4489
-
Filesize
344B
MD52f97d1349b6807b7de02164f0c80fe74
SHA1d47743a6ed45dcd57b3194e5fa127c422a2f5075
SHA256f2878bdb329658500f0e1e30f8af5e1263f92b49d31b2e0fd105b317f313ac1b
SHA512f1711357f544993a91972142d3195bda136a4d3d6ee4fc12deb2cfc8f5e599c6b6f564bc9f247c7ce087acbff869a3c12fe1e3792645b09c780ccd433e0b7aa4
-
Filesize
344B
MD50a2299cbba947c685ee7ee23a112e2fe
SHA1e1e67e133fa89a5619c1cc87a1c19f503e1ebc96
SHA256011afcc5ba1edcae7d11f36a337aebfa18a4fcb92c75c3310a8c3ad4765c52b7
SHA51266694e5ed8c62220d0dbc1745592bacc6ee5b0b4fbc1689fe622541a6d669938d3d51d5d5ef947574d1153bab75222957d64eb892c2b0968d1023b9cc1ede4d6
-
Filesize
344B
MD53453ea964085f371e6327f7ccff5fcc0
SHA1d949ddd09829dacf4e681ad2eaca482825ba6415
SHA256f562d0a62f6cc56a8ba1e91d9e5f65b8dcc1f6f1b681db88d6f89dec666d882e
SHA5123f0643f92f866e899fc26b5a31c15e083d38aa777d3b095d3c2401032856c458acbf423d9a7d27ff5e9069108c084a3a9bd69df17f888bff903029238863533d
-
Filesize
344B
MD5dcdd20b11ff4b3fb2719910b9af2943b
SHA19caedf5a14519d3af29e2420939cf9ff21a6d9f1
SHA256342db70d61e3e17f93c6feb6c08be24514ec3e516cdebb4272e53d7d72d77262
SHA512d72fe02fee3788482b71185ac40fdf48cdd69f2c5e1cad5d2eb6f7c9260b6819e5aa603ae2e141099de1d37c1b9680ae0b1b8343eea8e20d5460f3fd93a4f5f4
-
Filesize
344B
MD5546beb23c46eed070d734767b0113e7b
SHA189b1faf5e9e6e1f67f06d9afc7ba2648262a6714
SHA2567f70bbe7eb5582baff1154a9b15381f8a8d5b798e802b1955ffdb4a4b12db93a
SHA51241b02735797c34504d87671cb8d822a2ae7008a121cd271583c733bd6be4dc2b7d55cd91dab6c791f4391bae8cef67384c1568611a3ded1dc1d0dbd19166e57f
-
Filesize
304B
MD5671292af77b6d50edc8f1fbbed5afc9b
SHA18e38bf4d9ff844c3eec23d0cbdb353ca627b7e7e
SHA2562bfd430759cfe6e1376d40c6df5ac9f6c90926bb64711f10740af67b4b92040a
SHA512e07f9ec0f232850ac9e67874f162268db617ecfa60aea93e3d85861e485dec3ef63fe0961f811595728048a772d60f09401c21f05f42f6558d68d04654656301
-
Filesize
242B
MD546c4c40d87f261631ffdb0d150e5b18d
SHA16b64de1997326120eed5b959b7ec7a2ffc6d5cd2
SHA256a8c375bbd6911ea9b3edb60b070c452902312247af79f7086479b6df2518f335
SHA512361c44d16bebef21f7dc6cb98fbf31c3a3ea8dd3c24e8385ee83e21f185a456196b310fc83f8950374ab878f92df66b52d6522a2f0c3d1444e1cb58ef22fcd5e
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
1.7MB
-
Filesize
9.6MB