Analysis

  • max time kernel
    147s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-05-2024 16:20

General

  • Target

    988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe

  • Size

    14.3MB

  • MD5

    3f05981c960cbf724d8aec6ff2e5a66b

  • SHA1

    d7e9338356e85a1824c76dfb10216bd84becb048

  • SHA256

    988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f

  • SHA512

    e461cf6ba6ecc48d7644054b67157b239a627e1021f4b47ab1da806d941fef2e85321ca537fe6b9caf2c0db19aa03c0adc230da594ac224ac5a019ff73e92ffb

  • SSDEEP

    393216:V9ugEkty7AD0/0kfMEs4nC+bCxxddPN4644jpXdyIuJR8s:VLEcpD0/rTTfCxxmqIIuws

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Creates new service(s) 2 TTPs
  • Stops running service(s) 4 TTPs
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Launches sc.exe 7 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 2 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
    "C:\Users\Admin\AppData\Local\Temp\988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\TigerHwidTool\spiderman.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SysWOW64\sc.exe
        sc stop spidermansrv
        3⤵
        • Launches sc.exe
        PID:3068
      • C:\Windows\SysWOW64\sc.exe
        sc delete spidermansrv
        3⤵
        • Launches sc.exe
        PID:2868
      • C:\Windows\SysWOW64\sc.exe
        sc stop TigerServer
        3⤵
        • Launches sc.exe
        PID:2536
      • C:\Windows\SysWOW64\sc.exe
        sc delete TigerServer
        3⤵
        • Launches sc.exe
        PID:2600
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM mc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2612
      • C:\Windows\SysWOW64\sc.exe
        sc stop stsrv
        3⤵
        • Launches sc.exe
        PID:2592
      • C:\Windows\SysWOW64\sc.exe
        sc delete stsrv
        3⤵
        • Launches sc.exe
        PID:2644
      • C:\Windows\SysWOW64\sc.exe
        sc create stsrv binPath="C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe" start=auto DisplayName="stsrv"
        3⤵
        • Launches sc.exe
        PID:1748
    • C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe
      "C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:2440
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\Desktop\查看机器码.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\mode.com
        mode con cols=85 lines=90
        3⤵
        PID:1020
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM WmiPrvSE.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1856
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemManufacturer"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Windows\SysWOW64\reg.exe
          reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemManufacturer"
          4⤵
          • Enumerates system info in registry
          PID:2188
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "BaseBoardProduct"
        3⤵
        PID:2348
        • C:\Windows\SysWOW64\reg.exe
          reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "BaseBoardProduct"
          4⤵
          • Enumerates system info in registry
          PID:2308
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get Name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1480
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic diskdrive get serialnumber
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2360
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic cpu get serialnumber
        3⤵
        PID:1616
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic bios get serialnumber
        3⤵
        PID:2128
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic baseboard get serialnumber
        3⤵
        PID:3016
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get uuid
        3⤵
        PID:2140
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ipconfig /all|findstr /i "描述 物理地址"
        3⤵
        PID:2920
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          4⤵
          • Gathers network information
          PID:2944
        • C:\Windows\SysWOW64\findstr.exe
          findstr /i "描述 物理地址"
          4⤵
          PID:2928
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
        3⤵
        PID:3024
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\system32\explorer.exe
      2⤵
      • Deletes itself
      PID:1036

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\TigerHwidTool\spiderman.bat

    Filesize

    254B

    MD5

    2969a9253db05b47faa53ad2e95ed622

    SHA1

    172357e51f81b513769b39d1c92a25a4e2aa415d

    SHA256

    4c31e0eadcc1f277cea1124f4e6337665f2d195c781c556453db8a003a6fec7b

    SHA512

    1087ffe43314ce73c930538436a6de89339c21fc455d1e9e540ba06f9452d7d41bf843f181a28e6a2e2717a729222ee11325a3c8f6a4e22099c7abee20e94daa

  • C:\Users\Admin\Desktop\查看机器码.bat

    Filesize

    1KB

    MD5

    4a027f0c86eb9614e81af680b2475499

    SHA1

    ca79f5c7789ffd01af9c00d20f15b1077e55fc15

    SHA256

    6c198b42a0c464d602a4e1a46a7ec19cf2f635ae2b2de3c566f2c1bd57e7d050

    SHA512

    169190d40a3d177c51bd4033d6dd543c8170fa8d3ee343a61de3f7803afce472473e712f60bacd4f82c51e24fe01e2936eb7309f22b896bd35f985b272200c01

  • \Program Files (x86)\TigerHwidTool\TigerHwidTool.exe

    Filesize

    14.2MB

    MD5

    a6244982dfd17611db5aa64be1d140b5

    SHA1

    7c1b3d4dd86459857d0e73812276e80ca83b260d

    SHA256

    fa0dd508bd819d5a96b8caf7c2ca69033ca74005ce830f432b012a21c37ab5d4

    SHA512

    0f5c22eda3da555037016c90f8ca510db9bb9fa405c1dfca8ba31088c461def47c25d12ac55e408f6e8c352f0c01bf65ef158d1d6dc5d3e7c5fcf160c17fb754

  • \Users\Admin\AppData\Local\Temp\nsdB1E3.tmp\SelfDel.dll

    Filesize

    5KB

    MD5

    ca8bcdded6b265453cf68bae8bbd0b3a

    SHA1

    9dbe872ac53e075c0954c882d034aa009c733092

    SHA256

    299ba97dda721cc9216bda218769eb269a239c8bcf09bd6acc774ff935849184

    SHA512

    a9b19434c35236a049036f0153a5c7184c95249fdb04ef7605484551d40a8aba37462eb617e96301cd4363a324f0282e26179ce4b78973ca43e0a63b4dffb33c

  • \Users\Admin\AppData\Local\Temp\nsdB1E3.tmp\rfshdktp.dll

    Filesize

    2KB

    MD5

    9410591a148871a6d0629cf25b94526f

    SHA1

    be1e8b0fe8327f185136a0d2460a68f720484535

    SHA256

    acc76e81f71e7f2ba58c36d678bc9ae4705e0187a3cdfa6d0025190467d9c0c7

    SHA512

    465d3e418e769b907262e07cbca3d2c5132bf328431d456be09c059821be20a6d30106562d7ef0bfa93ca219b2abe57ee891d937419fc4b8840987b184b45df0

  • memory/2244-32-0x0000000074A50000-0x0000000074A59000-memory.dmp

    Filesize

    36KB

  • memory/2244-31-0x0000000003170000-0x0000000004CE9000-memory.dmp

    Filesize

    27.5MB

  • memory/2440-51-0x0000000000B40000-0x00000000026B9000-memory.dmp

    Filesize

    27.5MB

  • memory/2440-45-0x0000000000B40000-0x00000000026B9000-memory.dmp

    Filesize

    27.5MB

  • memory/2440-50-0x0000000000B40000-0x00000000026B9000-memory.dmp

    Filesize

    27.5MB

  • memory/2440-52-0x0000000000B40000-0x00000000026B9000-memory.dmp

    Filesize

    27.5MB

  • memory/2440-53-0x0000000000B40000-0x00000000026B9000-memory.dmp

    Filesize

    27.5MB

  • memory/2440-54-0x0000000000B40000-0x00000000026B9000-memory.dmp

    Filesize

    27.5MB

  • memory/2440-55-0x0000000000B40000-0x00000000026B9000-memory.dmp

    Filesize

    27.5MB

  • memory/2440-56-0x0000000000B40000-0x00000000026B9000-memory.dmp

    Filesize

    27.5MB

  • memory/2440-57-0x0000000000B40000-0x00000000026B9000-memory.dmp

    Filesize

    27.5MB

  • memory/2440-58-0x0000000000B40000-0x00000000026B9000-memory.dmp

    Filesize

    27.5MB