2a45e44be359fba4c85591e7b13d1ec772ed181adc41254d8b00d31b2d15878e

max time kernel
2s
max time network
4s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 18:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-25T18:10:02Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_19-dirty.qcow2\"}"

Report Analysis Logs

General

Target

Ana.exe
Size

2.1MB
MD5

f571faca510bffe809c76c1828d44523
SHA1

7a3ca1660f0a513316b8cd5496ac7dbe82f0e0c2
SHA256

117d7af0deb40b3fe532bb6cbe374884fa55ed7cfe053fe698720cdccb5a59cb
SHA512

a08bca2fb1387cc70b737520d566c7117aa3fdb9a52f5dbb0bb7be44630da7977882d8c808cbee843c8a180777b4ac5819e8bafda6b2c883e380dc7fb5358a51
SSDEEP

49152:OwVYlfBUDiZx8Fa/Q0NuB3btlnCItWNSwoy:OxPUDQmso0NuBZlnCItM

Score

7^/10

bootkit discovery evasion persistence trojan upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DB.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DB.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ana.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	Ana.exe

Executes dropped EXE 5 IoCs

Processes:

AV.EXEAV2.EXEDB.EXEEN.EXESB.EXE

pid	Process
4396	AV.EXE
1972	AV2.EXE
3564	DB.EXE
1676	EN.EXE
856	SB.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/files/0x000700000002344c-22.dat	upx
behavioral4/files/0x000700000002344d-32.dat	upx
behavioral4/memory/3564-51-0x0000000000580000-0x0000000000613000-memory.dmp	upx
behavioral4/memory/3564-73-0x0000000000580000-0x0000000000613000-memory.dmp	upx
behavioral4/memory/3564-75-0x0000000000580000-0x0000000000613000-memory.dmp	upx
behavioral4/memory/3564-79-0x0000000000580000-0x0000000000613000-memory.dmp	upx
behavioral4/memory/3564-80-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral4/memory/1676-81-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DB.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DB.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

SB.EXE

description	ioc	Process
File opened for modification	\??\physicaldrive0	SB.EXE

Drops file in System32 directory 1 IoCs

Processes:

DB.EXE

description	ioc	Process
File created	C:\Windows\SysWOW64\rdpendpu.exe	DB.EXE

Drops file in Windows directory 1 IoCs

Processes:

DB.EXE

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	DB.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

AV.EXE

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D	AV.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D\Blob = 03000000010000001400000030530a0c86edb1cd5a2a5fe37ef3bf28e69be16d2000000001000000b3020000308202af308202180209009168978ee53f5964300d06092a864886f70d010105050030819b310b30090603550406130255533110300e06035504081307566972676e69613110300e060355040713074e65776275727931123010060355040a13094261636f72204c4c43312330210603550403131a746f74616c736f6c7574696f6e616e746976697275732e636f6d312f302d06092a864886f70d010901162061646d696e40746f74616c736f6c7574696f6e616e746976697275732e636f6d301e170d3131303931383131313834395a170d3132303931373131313834395a30819b310b30090603550406130255533110300e06035504081307566972676e69613110300e060355040713074e65776275727931123010060355040a13094261636f72204c4c43312330210603550403131a746f74616c736f6c7574696f6e616e746976697275732e636f6d312f302d06092a864886f70d010901162061646d696e40746f74616c736f6c7574696f6e616e746976697275732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100cac8419346518527133fdefd7982ac3919f1d6e2f815ecab0b5d219ccf843885645cfd9c35cae2eff8e7506e690b52c587a59c8d667cb671454030bd370fa334b18afb5ea4f4f819a36685a705a8543f320af913ca680a1d32a402db6d3e42d93228e44ba230fda524d490ddc35b922f23d36d95417136ac50afa567e21359350203010001300d06092a864886f70d0101050500038181003c6a7f43ca2cee1caafee88b04777032a4c9d7794222537e3ebe57953198281bdbe0d3a58f7d3eb358f361848f30ad88a364cd0ae3376e6239dedb01497d52d3dd55e78e49375373419ad7e5e2e036f713bf4d96a552f2aa26b35b66d7a83fb2a9b6e317d162d8342f09ccc71b2a1c7d9474ca7872bfa4acd623d61c4491d740	AV.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DB.EXE

pid	Process
3564	DB.EXE
3564	DB.EXE
3564	DB.EXE
3564	DB.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SB.EXEDB.EXE

description	pid	Process
Token: SeShutdownPrivilege	856	SB.EXE
Token: SeDebugPrivilege	3564	DB.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Ana.exe

description	pid	Process	procid_target
PID 4340 wrote to memory of 4396	4340	Ana.exe	89
PID 4340 wrote to memory of 4396	4340	Ana.exe	89
PID 4340 wrote to memory of 4396	4340	Ana.exe	89
PID 4340 wrote to memory of 1972	4340	Ana.exe	90
PID 4340 wrote to memory of 1972	4340	Ana.exe	90
PID 4340 wrote to memory of 1972	4340	Ana.exe	90
PID 4340 wrote to memory of 3564	4340	Ana.exe	91
PID 4340 wrote to memory of 3564	4340	Ana.exe	91
PID 4340 wrote to memory of 3564	4340	Ana.exe	91
PID 4340 wrote to memory of 1676	4340	Ana.exe	92
PID 4340 wrote to memory of 1676	4340	Ana.exe	92
PID 4340 wrote to memory of 1676	4340	Ana.exe	92
PID 4340 wrote to memory of 856	4340	Ana.exe	93
PID 4340 wrote to memory of 856	4340	Ana.exe	93
PID 4340 wrote to memory of 856	4340	Ana.exe	93

C:\Users\Admin\AppData\Local\Temp\Ana.exe
"C:\Users\Admin\AppData\Local\Temp\Ana.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Local\Temp\AV.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:4396
- C:\Users\Admin\AppData\Local\Temp\AV2.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\DB.EXE
  "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- - C:\Windows\SysWOW64\cmd.exe
    /c C:\Users\Admin\AppData\Local\Temp\~unins6093.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
    3⤵
    PID:2288
- C:\Users\Admin\AppData\Local\Temp\EN.EXE
  "C:\Users\Admin\AppData\Local\Temp\EN.EXE"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Users\Admin\AppData\Local\Temp\SB.EXE
  "C:\Users\Admin\AppData\Local\Temp\SB.EXE"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AV.EXE

Filesize
1.1MB

MD5
f284568010505119f479617a2e7dc189

SHA1
e23707625cce0035e3c1d2255af1ed326583a1ea

SHA256
26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1

SHA512
ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV2.EXE

Filesize
368KB

MD5
014578edb7da99e5ba8dd84f5d26dfd5

SHA1
df56d701165a480e925a153856cbc3ab799c5a04

SHA256
4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529

SHA512
bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE

Filesize
243KB

MD5
c6746a62feafcb4fca301f606f7101fa

SHA1
e09cd1382f9ceec027083b40e35f5f3d184e485f

SHA256
b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6

SHA512
ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN.EXE

Filesize
6KB

MD5
621f2279f69686e8547e476b642b6c46

SHA1
66f486cd566f86ab16015fe74f50d4515decce88

SHA256
c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38

SHA512
068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB.EXE

Filesize
149KB

MD5
fe731b4c6684d643eb5b55613ef9ed31

SHA1
cfafe2a14f5413278304920154eb467f7c103c80

SHA256
e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496

SHA512
f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGID011.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB.EXE

Filesize
224KB

MD5
9252e1be9776af202d6ad5c093637022

SHA1
6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8

SHA256
ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6

SHA512
98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsa.crt

Filesize
1010B

MD5
6e630504be525e953debd0ce831b9aa0

SHA1
edfa47b3edf98af94954b5b0850286a324608503

SHA256
2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5

SHA512
bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

Download Submit
C:\Windows\INF\setupapi.app.log

Filesize
1KB

MD5
bd0716a6393acf7fa47e583efd5cac78

SHA1
508bc3368e0f8a6215d416affdacb8dd0a05cbd3

SHA256
b12896e01df25b87e2f04ac0efc17bfbc6615f3e0c5d6dd12f24582146400a2d

SHA512
0fa7d051274dcdfb2a9434829fdad329e80ca691ded3f447b97691dddae4418518ac7efc136b22dbb8d8270173fb3a24457461fbbb6c1bcb6ac82138b8003702

Download Submit
C:\Windows\INF\setupapi.app.log

Filesize
1KB

MD5
76a0a3dee08402e0f74d554536ebb33e

SHA1
7127b2a84854543e8eb56d7549ca25fe7fae40ea

SHA256
44aae506534cfa6f53a04cc91c18e65a1757326bae65e9889be87762d51e236e

SHA512
6085af78dbf110005880863097a4095a0037406b5daceb9c2ba50968915886ed17e139b75aa9c6abfb46c499c11ef6c1ff2d75e78d11601b8fbeb0f3b3996be7

Download Submit
C:\Windows\INF\setupapi.app.log

Filesize
2KB

MD5
2bc0ce25667f74f525ef5902b54f96d9

SHA1
ad905d50b49631d3994fb3af9eae293b63e87351

SHA256
dd087fd475e1a180279862e915df3c541ef9bc93087279fadf37b330eacdcbb5

SHA512
0eeae9d61b22d9483569722769b78151bea3579b35d40f91deffefec6476f166682a3c0f67d7d2feca1048d4592d554d3667456430288b1217034dffc783d65f

Download Submit
C:\Windows\INF\setupapi.app.log

Filesize
3KB

MD5
c0cbcc12a6aa344b26fe97efcda3214b

SHA1
0c5797156f9466262989c98e5505c165d7e6aab4

SHA256
957847516c666caaa9943c625897190466fffa2be812153a7b6dac181d1b9df4

SHA512
369fecab223a80e1f09f06277cbd5d549ddb787c897046f3c6c26790e14020ea0fd99289e75c94c4cc9bbb3a2cf3e08fadb88a20ef4ced7d357c81427bb35ece

Download Submit
C:\Windows\INF\setupapi.app.log

Filesize
5KB

MD5
e418331f5bd9161e38605a1cb6776ef5

SHA1
7eca2e25467e3e3f30339585530c5c52126853d5

SHA256
ff411f910f7827df049a7bc3158b9cee3277b0b1e1ed3ddcc0fcf576a6916e16

SHA512
ac66f28f214f675c319ce194ae580cd38cd3c393c82191c763d30e62e0dcd74783c147c1d0d1d09e235d38c6fc5de5a066a23fbfdf5db02d34ee8f2821f2e990

Download Submit
C:\Windows\INF\setupapi.app.log

Filesize
550B

MD5
3776127706479fd4c881e2f9ee68a714

SHA1
ae7108c9b34ec58cf9bdab5d8ca5589d41a7d19f

SHA256
305f35db41efe4acf2a1a90cce8f39eaa4805f8b2a3f8587639a95f9666e4937

SHA512
4036a03a2ffd15ead74ebf5136d0b58c0fd77adf70a4f3c5ca7970eb210528224f3aee6dc0fd49529db4992e4ebeb9a7d72a2b64831254358041d900f2dfe168

Download Submit
memory/856-76-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/856-74-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/856-78-0x00000000020AB000-0x00000000020AC000-memory.dmp

Filesize
4KB

Download
memory/856-77-0x00000000020A0000-0x0000000002104000-memory.dmp

Filesize
400KB

Download
memory/1676-81-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3564-82-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3564-80-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3564-79-0x0000000000580000-0x0000000000613000-memory.dmp

Filesize
588KB

Download
memory/3564-75-0x0000000000580000-0x0000000000613000-memory.dmp

Filesize
588KB

Download
memory/3564-73-0x0000000000580000-0x0000000000613000-memory.dmp

Filesize
588KB

Download
memory/3564-72-0x00000000001C0000-0x00000000001F1000-memory.dmp

Filesize
196KB

Download
memory/3564-51-0x0000000000580000-0x0000000000613000-memory.dmp

Filesize
588KB

Download
memory/4396-70-0x0000000073F90000-0x0000000074541000-memory.dmp

Filesize
5.7MB

Download
memory/4396-45-0x0000000001130000-0x0000000001140000-memory.dmp

Filesize
64KB

Download
memory/4396-33-0x0000000073F90000-0x0000000074541000-memory.dmp

Filesize
5.7MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads