Analysis
-
max time kernel: 135s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/05/2024, 07:53
-
Static task: static1
Behavioral task: behavioral1
  Sample: f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
  Resource: win10v2004-20240508-en
General
-
Target: f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
Size: 3.3MB
MD5: 51e442e27e653595685490dc7c7855a5
SHA1: 35106601e646459da88b75c2b8058ebbf745f957
SHA256: f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7
SHA512: 95742561022003be9bfbdaa1e9c15d77d2b75273f9965174d819490d362c54eea358e99c5b94e09f5c41c1399caa893afea2f2e90ce9d6209611248f54cfc27d
SSDEEP: 98304:NQOH5raw1GoHKqUifIwY/L4a3X62BcFOg/9MRhM6+baj:NH3BHKqUaS/LO2BM9MDMF
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs  1 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
-
Checks BIOS information in registry  2 TTPs  3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
-
Checks whether UAC is enabled
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
-
Writes to the Master Boot Record (MBR)  1 TTPs  1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description  ioc  Process
File opened for modification  \??\PhysicalDrive0  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
-
Runs .reg file with regedit  1 IoCs
pid  Process
4928  regedit.exe
-
Runs net.exe
-
Suspicious use of FindShellTrayWindow  10 IoCs
pid  Process
4932  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe  (x10)
-
Suspicious use of SendNotifyMessage  9 IoCs
pid  Process
4932  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe  (x9)
-
Suspicious use of SetWindowsHookEx  2 IoCs
pid  Process
4932  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe  (x2)
-
Suspicious use of WriteProcessMemory  64 IoCs
description  pid  Process  procid_target  (count)
PID 4932 wrote to memory of 2996  4932  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe  87  (x3)
PID 2996 wrote to memory of 3816  2996  cmd.exe  89  (x3)
PID 3816 wrote to memory of 2092  3816  net.exe  90  (x3)
PID 2996 wrote to memory of 1224  2996  cmd.exe  92  (x3)
PID 1224 wrote to memory of 1688  1224  net.exe  93  (x3)
PID 2996 wrote to memory of 1228  2996  cmd.exe  94  (x3)
PID 2996 wrote to memory of 3224  2996  cmd.exe  95  (x3)
PID 3224 wrote to memory of 1300  3224  net.exe  96  (x3)
PID 2996 wrote to memory of 2812  2996  cmd.exe  97  (x3)
PID 2812 wrote to memory of 2356  2812  net.exe  98  (x3)
PID 2996 wrote to memory of 4928  2996  cmd.exe  99  (x3)
PID 4932 wrote to memory of 3924  4932  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe  100  (x3)
PID 3924 wrote to memory of 4352  3924  net.exe  102  (x3)
PID 4932 wrote to memory of 932  4932  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe  103  (x3)
PID 932 wrote to memory of 2524  932  net.exe  105  (x3)
PID 4932 wrote to memory of 3188  4932  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe  106  (x3)
PID 3188 wrote to memory of 3596  3188  net.exe  108  (x3)
PID 4932 wrote to memory of 3848  4932  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe  109  (x3)
PID 3848 wrote to memory of 3768  3848  net.exe  111  (x3)
PID 4932 wrote to memory of 2652  4932  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe  112  (x3)
PID 4932 wrote to memory of 3140  4932  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe  113  (x3)
PID 4932 wrote to memory of 5048  4932  f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe  114  (x1)
Processes
-
Level 1  PID 4932  C:\Users\Admin\AppData\Local\Temp\f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2  PID 2996  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\¿ªÆô¹²Ïí.bat
    - Suspicious use of WriteProcessMemory
    Level 3  PID 3816  C:\Windows\SysWOW64\net.exe
      Command line: NET USER Guest /active:yes
      - Suspicious use of WriteProcessMemory
      Level 4  PID 2092  C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 USER Guest /active:yes
    Level 3  PID 1224  C:\Windows\SysWOW64\net.exe
      Command line: NET USER Guest /passwordreq:no
      - Suspicious use of WriteProcessMemory
      Level 4  PID 1688  C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 USER Guest /passwordreq:no
    Level 3  PID 1228  C:\Windows\SysWOW64\SecEdit.exe
      Command line: Secedit /configure /cfg "security.inf" /db secsetup.sdb /areas USER_RIGHTS /verbose
    Level 3  PID 3224  C:\Windows\SysWOW64\net.exe
      Command line: net user guest /active:yes
      - Suspicious use of WriteProcessMemory
      Level 4  PID 1300  C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 user guest /active:yes
    Level 3  PID 2812  C:\Windows\SysWOW64\net.exe
      Command line: net user guest ""
      - Suspicious use of WriteProcessMemory
      Level 4  PID 2356  C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 user guest ""
    Level 3  PID 4928  C:\Windows\SysWOW64\regedit.exe
      Command line: regedit /s ┐¬╞⌠╣▓╧φ.reg
      - Runs .reg file with regedit
  Level 2  PID 3924  C:\Windows\SysWOW64\net.exe
    Command line: net start workstation
    - Suspicious use of WriteProcessMemory
    Level 3  PID 4352  C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 start workstation
  Level 2  PID 932  C:\Windows\SysWOW64\net.exe
    Command line: net start "Computer Browser"
    - Suspicious use of WriteProcessMemory
    Level 3  PID 2524  C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 start "Computer Browser"
  Level 2  PID 3188  C:\Windows\SysWOW64\net.exe
    Command line: net start server
    - Suspicious use of WriteProcessMemory
    Level 3  PID 3596  C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 start server
  Level 2  PID 3848  C:\Windows\SysWOW64\net.exe
    Command line: net start netbios
    - Suspicious use of WriteProcessMemory
    Level 3  PID 3768  C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 start netbios
  Level 2  PID 2652  C:\Windows\SysWOW64\net.exe
    Command line: net share ±¾µØ£¨CÅÌ)=C:\
    Level 3  PID 1712  C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 share ±¾µØ£¨CÅÌ)=C:\
  Level 2  PID 3140  C:\Windows\SysWOW64\net.exe
    Command line: net share ±¾µØ£¨DÅÌ)=D:\
    Level 3  PID 1940  C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 share ±¾µØ£¨DÅÌ)=D:\
  Level 2  PID 5048  C:\Windows\SysWOW64\net.exe
    Command line: net share ±¾µØ£¨FÅÌ)=F:\
    Level 3  PID 1076  C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 share ±¾µØ£¨FÅÌ)=F:\
  Level 2  PID 1180  C:\Windows\SysWOW64\net.exe
    Command line: net share ÎïÀíÖ÷»ú×ÀÃæ=C:\Users\Admin\Desktop
    Level 3  PID 664  C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 share ÎïÀíÖ÷»ú×ÀÃæ=C:\Users\Admin\Desktop
  Level 2  PID 1436  C:\Windows\SysWOW64\cacls.exe
    Command line: cacls C:\Users\Admin\Desktop /e /t /g everyone:F
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 242B
MD5: 80f0e65f938e3259b19f89241858ae23
SHA1: f6d463a58007cc20b70988563c49b3410e68e92b
SHA256: 49b26f11aa955b7db4acc775b09476638525772c1a09e7c31dfdca19f6973dba
SHA512: d51279e860cf401cba03c90d4edea4cfe408725b6a8737cfc3c63110f7f13f63f52ed350c2e79d1a287172d8c77d6a7dc658a1ac1d4867504a886aa108501d95