Analysis
max time kernel: 141s
max time network: 139s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 25-05-2024 19:40
Behavioral task: behavioral1
Sample: 56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c.exe
Resource: win10v2004-20240508-en
General
Target: 56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c.exe
Size: 4.4MB
MD5: 5de35bf2a5c775600ee0dda327208977
SHA1: 437d33a9b8acfa8c579395e280233f837ac37c32
SHA256: 56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c
SHA512: c7b088cd3972a07de92db055b55474a623ed0ab3e7282024da5d82481c201f5c0eaad258d83ac7ae01d90e175cee37aeb64989117e83ee7c7a59ca525723bb9e
SSDEEP: 98304:fE/JUhJQj4nKE/oe6im51pRUzXnzc7YArZ4JBAUZLvfi3:M2oOJoVZU7zyYxJV7fi3
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Mm
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | OQSUYaac.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Mm
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Mm
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | OQSUYaac.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OQSUYaac.exe
Executes dropped EXE (2 IoCs)
Processes:
pid | process
2640 | Mm
2760 | OQSUYaac.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine | Mm
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine | OQSUYaac.exe
Loads dropped DLL (1 IoCs)
Processes:
pid | process
2640 | Mm
Processes:
resource | yara_rule
behavioral1/memory/2412-0-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-9-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-2-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-1-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-3-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-5-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-31-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-45-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-49-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-48-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-43-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-42-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-38-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-36-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-33-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-29-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-24-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-25-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-22-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-20-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-16-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-14-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-12-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-10-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2412-69-0x0000000010000000-0x000000001003E000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OQSUYaac = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\OQSUYaac.exe\"" | Mm
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
pid | process
2640 | Mm
2760 | OQSUYaac.exe
Drops file in Program Files directory (2 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\OQSUYaac.exe | Mm
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\OQSUYaac.exe | Mm
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
2640 | Mm
2760 | OQSUYaac.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 2760 | OQSUYaac.exe
Token: SeIncBasePriorityPrivilege | 2760 | OQSUYaac.exe
Token: SeIncBasePriorityPrivilege | 2760 | OQSUYaac.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
pid | process
2412 | 56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c.exe
2412 | 56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c.exe
2412 | 56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 2412 wrote to memory of 2640 | 2412 | 56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c.exe | Mm
PID 2412 wrote to memory of 2640 | 2412 | 56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c.exe | Mm
PID 2412 wrote to memory of 2640 | 2412 | 56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c.exe | Mm
PID 2412 wrote to memory of 2640 | 2412 | 56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c.exe | Mm
PID 2640 wrote to memory of 2760 | 2640 | Mm | OQSUYaac.exe
PID 2640 wrote to memory of 2760 | 2640 | Mm | OQSUYaac.exe
PID 2640 wrote to memory of 2760 | 2640 | Mm | OQSUYaac.exe
PID 2640 wrote to memory of 2760 | 2640 | Mm | OQSUYaac.exe
Processes
C:\Users\Admin\AppData\Local\Temp\56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c.exe"
  PID: 2412
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Mm
    Command line: C:\Mm
    PID: 2640
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Common Files\Microsoft Shared\MSINFO\OQSUYaac.exe
      Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\OQSUYaac.exe"
      PID: 2760
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.6MB
MD5: 7eb15beea11d9f922a4976a05eaaba4e
SHA1: 0208b5382a07d38c6f6fcbaf2ee153831818976a
SHA256: e94c74a889e1930f486d2f9992ccbab9689e40914fc95b1c0d4af71a45f48aa4
SHA512: 41b2aac85053310f3bf313456cb2ed3c5a025ca3f2222653916022b05893e311cc2a2fced822e205c51e346c580c1a5d6fca36f7c9d9b47a15a604123863565a