Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
29-04-2024 23:11
Behavioral task
behavioral1
Sample
77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe
Resource
win7-20240221-en
windows7-x64
17 signatures
150 seconds
Behavioral task
behavioral2
Sample
77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
15 signatures
150 seconds
General
-
Target
77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe
-
Size
2.5MB
-
MD5
893b240449f6e149204c55423faee5b9
-
SHA1
80428db628f6031cbf05bec0e90069de0f0512ab
-
SHA256
77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4
-
SHA512
ff7b0a05250d61084626a2d648921fd5c8656026c915ed7331f13b72cd744b8ebed6e15bca434704dcadc029f6b4c454d7fa4032f3b1062db06234fd60721670
-
SSDEEP
49152:9xmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxF:9xx9NUFkQx753uWuCyyxF
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Detects executables packed with Themida 16 IoCs
resource yara_rule behavioral1/memory/1704-0-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/files/0x002f000000015364-7.dat INDICATOR_EXE_Packed_Themida behavioral1/memory/2516-12-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/files/0x0009000000015a2d-19.dat INDICATOR_EXE_Packed_Themida behavioral1/memory/2576-29-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/files/0x0008000000015c0d-30.dat INDICATOR_EXE_Packed_Themida behavioral1/memory/1704-34-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2096-35-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2452-43-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2452-48-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2576-49-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/1704-51-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2516-52-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2096-54-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2096-58-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2516-67-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe -
Executes dropped EXE 4 IoCs
pid Process 2516 explorer.exe 2576 spoolsv.exe 2096 svchost.exe 2452 spoolsv.exe -
Loads dropped DLL 4 IoCs
pid Process 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 2516 explorer.exe 2576 spoolsv.exe 2096 svchost.exe -
resource yara_rule behavioral1/memory/1704-0-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/files/0x002f000000015364-7.dat themida behavioral1/memory/2516-12-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/files/0x0009000000015a2d-19.dat themida behavioral1/memory/2576-29-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/files/0x0008000000015c0d-30.dat themida behavioral1/memory/1704-34-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2096-35-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2452-43-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2452-48-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2576-49-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1704-51-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2516-52-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2096-54-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2096-58-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2516-67-0x0000000000400000-0x0000000000A0E000-memory.dmp themida -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 2516 explorer.exe 2576 spoolsv.exe 2096 svchost.exe 2452 spoolsv.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification \??\c:\windows\resources\themes\explorer.exe 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2472 schtasks.exe 2744 schtasks.exe 3060 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2096 svchost.exe 2096 svchost.exe 2096 svchost.exe 2096 svchost.exe 2096 svchost.exe 2096 svchost.exe 2096 svchost.exe 2096 svchost.exe 2096 svchost.exe 2096 svchost.exe 2096 svchost.exe 2096 svchost.exe 2096 svchost.exe 2096 svchost.exe 2096 svchost.exe 2096 svchost.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2516 explorer.exe 2096 svchost.exe 2096 svchost.exe 2516 explorer.exe 2096 svchost.exe 2516 explorer.exe 2516 explorer.exe 2096 svchost.exe 2516 explorer.exe 2096 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2516 explorer.exe 2096 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 2516 explorer.exe 2516 explorer.exe 2576 spoolsv.exe 2576 spoolsv.exe 2096 svchost.exe 2096 svchost.exe 2452 spoolsv.exe 2452 spoolsv.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 1704 wrote to memory of 2516 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 28 PID 1704 wrote to memory of 2516 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 28 PID 1704 wrote to memory of 2516 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 28 PID 1704 wrote to memory of 2516 1704 77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe 28 PID 2516 wrote to memory of 2576 2516 explorer.exe 29 PID 2516 wrote to memory of 2576 2516 explorer.exe 29 PID 2516 wrote to memory of 2576 2516 explorer.exe 29 PID 2516 wrote to memory of 2576 2516 explorer.exe 29 PID 2576 wrote to memory of 2096 2576 spoolsv.exe 30 PID 2576 wrote to memory of 2096 2576 spoolsv.exe 30 PID 2576 wrote to memory of 2096 2576 spoolsv.exe 30 PID 2576 wrote to memory of 2096 2576 spoolsv.exe 30 PID 2096 wrote to memory of 2452 2096 svchost.exe 31 PID 2096 wrote to memory of 2452 2096 svchost.exe 31 PID 2096 wrote to memory of 2452 2096 svchost.exe 31 PID 2096 wrote to memory of 2452 2096 svchost.exe 31 PID 2516 wrote to memory of 2428 2516 explorer.exe 32 PID 2516 wrote to memory of 2428 2516 explorer.exe 32 PID 2516 wrote to memory of 2428 2516 explorer.exe 32 PID 2516 wrote to memory of 2428 2516 explorer.exe 32 PID 2096 wrote to memory of 2472 2096 svchost.exe 33 PID 2096 wrote to memory of 2472 2096 svchost.exe 33 PID 2096 wrote to memory of 2472 2096 svchost.exe 33 PID 2096 wrote to memory of 2472 2096 svchost.exe 33 PID 2096 wrote to memory of 2744 2096 svchost.exe 38 PID 2096 wrote to memory of 2744 2096 svchost.exe 38 PID 2096 wrote to memory of 2744 2096 svchost.exe 38 PID 2096 wrote to memory of 2744 2096 svchost.exe 38 PID 2096 wrote to memory of 3060 2096 svchost.exe 40 PID 2096 wrote to memory of 3060 2096 svchost.exe 40 PID 2096 wrote to memory of 3060 2096 svchost.exe 40 PID 2096 wrote to memory of 3060 2096 svchost.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe"C:\Users\Admin\AppData\Local\Temp\77e6c7a792be005f0e175a2033482a21b976e02eae89d411a5265989b715c1d4.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2452
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:13 /f5⤵
- Creates scheduled task(s)
PID:2472
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:14 /f5⤵
- Creates scheduled task(s)
PID:2744
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:15 /f5⤵
- Creates scheduled task(s)
PID:3060
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵PID:2428
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5c039e0a65394b75a550c7ed9f7f4770d
SHA1a6cac4dab69626f08d56a447fd727364d39bc556
SHA2564945e7e389a43f9c8a3a03077883401ba848750130654be4bd1fa461cd3da121
SHA512cfd70909c0f53dd63bcd8bc0dc11ba5f0642e8a6b976d031abddf0f32899000b57c36013004d2bbabadb12e44c2674f9815350e3b7667c9a17f10c28a68df2dd
-
Filesize
2.5MB
MD5ce4ac8630e1e7360a123fac0aee2bdb3
SHA10c179ef421ddd21688c259530c1550b8cacb39c7
SHA2564efa138b79b4154b72199f5fd27d712bbb756d3da158c2ed4cdbebef652b1b3c
SHA5124087e8b2a8a5848c0f91eaaab2cea2d723612aa710eedc6ba6ec48afa90465959aa5addaa93749aedc15722d180354f03558a14082879eb627b2cbc90e4615e1
-
Filesize
2.5MB
MD586563fda2077edb6692bfea86cedbfa5
SHA141f2f2750d8c115eefb08f345d4c1472470c9958
SHA256fc51be51ece86c6d9e77dcaba2ff8279cb52ee0efafc0b4a78ea9568b4949add
SHA51279c1bba198a7d323b21b001a7850fb5d84b1cb3f65d807ea1ddca5f3136debc0083163710e2a4e1f095a49ac99c37fa96432a9e47f48ff60fd44b97188797a83