Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
19/05/2024, 21:53
General
-
Target
585db90698b0674f64892565b28262e6ccdfd4c67a1da2b18f9e26dc7478d4df.exe
-
Size
2.0MB
-
MD5
db5a6228eb9635c9ea16058d9ed17992
-
SHA1
5f30976ec829571eed74b03d3dcce54d3b431eca
-
SHA256
585db90698b0674f64892565b28262e6ccdfd4c67a1da2b18f9e26dc7478d4df
-
SHA512
013155d69cbc26f3552d1d7cebed299c39d22446cf3c2335bf20586c526030e13d8fb182c6ecde3a5bb95afe42a9d66b2ba01067023369f2de4a6ee5e7ba9103
-
SSDEEP
49152:L0V7Su9Msnt6e0EqOh3Ybb6ftMa8fCuzd:LkuExnYEqOheuFMa86ux
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\585db90698b0674f64892565b28262e6ccdfd4c67a1da2b18f9e26dc7478d4df.exe"C:\Users\Admin\AppData\Local\Temp\585db90698b0674f64892565b28262e6ccdfd4c67a1da2b18f9e26dc7478d4df.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Modifies Installed Components in the registry
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Modifies Installed Components in the registry
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 21:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 21:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 21:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD53cf6c0ba1d9b0f14e1997cb2121150ba
SHA18deee7e551bf50b5ec4fbef4ab482541af891483
SHA2564d81b57952d9d22eb6e447a2a0ae0c194ac77b4a5b53074718fd4641170ccf05
SHA512741826d034d18714927bbff22b73450630c77811aee4ec5467f12ff5797cd02975606cc3b1236c97e03ebaaa54b8f6cc75daef465f618c6b9fa294f94299848d
-
Filesize
2.0MB
MD590c1d1d97db231c8da23f2fbbb333a6c
SHA1686aeb0765372602853f08a1d3e897a70dc9950d
SHA25608c815bf957c23e041187cbff4a5abf7ff601496452c4142a53e397311c81c97
SHA5122d46515adc5622a491f3ac6690633f3460f6d40b38fc74d799fcd050db64aa4d856ae88f971707a17f3f2325f14e4eca9bdefdd084d58df6d3b08319743ef31d
-
Filesize
2.0MB
MD5e581f05f2d15e7acd4e3ba37d1580a5d
SHA108f52d5fa12c29d54bd0dbeeffaa421868744c03
SHA25684e4e11961c69625e33adc6e80cde231e9108f0b699d354cf4d54c8ba2a2fdfc
SHA512c382d4fbaf33c2d14b3728648033494734bd71821db79f5f8f9b06bd98fba2b66022b1ff275fcbd0e9040b5bb65ea0ea82ce6e664d8b3becc4d2aa58e3d82df2
-
Filesize
2.0MB
MD5c1c5f1a257719a990fee2a1e9f462fd9
SHA109693fd2d3265f1c83f8283d4d14806b4e3c146e
SHA256e1b5033239332829555b115dfe799e0f0ca6f2d964f460d543329774eeae2da3
SHA512223928c74a879b24b948e90c73607f90d1f4e268976f473f58a5411f044e6ccf93d52997db9e30822d6b53e26b6d56c8c340c22aab6dbfc9dbfe1693141b6dad
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
960KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
960KB