Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 28-05-2024 03:09
Behavioral task behavioral1
Sample: cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9.exe
Resource: win10v2004-20240426-en
General
Target: cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9.exe
Size: 2.5MB
MD5: 5ca005a9e762448e7f22ac187729be56
SHA1: 28d031b5ad6412280afbeec70c0fece85d2e86b7
SHA256: cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9
SHA512: ba3f933b42c14a369b7b9e22906bf56b328c686cfce6709ffaffe05d765a63c78e16d019ad072754b95d3e6ff2922c673b19db4af720981896dee9acec579289
SSDEEP: 49152:MxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxa:Mxx9NUFkQx753uWuCyyxa
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Process: description ioc
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Detects executables packed with Themida 18 IoCs
yara_rule INDICATOR_EXE_Packed_Themida matched the following resources:
- behavioral1/memory/1792-0-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/files/0x00360000000149d0-7.dat
- behavioral1/memory/2820-11-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/files/0x000800000001538e-17.dat
- behavioral1/memory/2648-23-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/files/0x00080000000153fd-30.dat
- behavioral1/memory/2692-35-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/1792-43-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/1396-44-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/1396-49-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2648-51-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/1792-53-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2820-54-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2692-57-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2692-60-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2692-64-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2820-69-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2820-75-0x0000000000400000-0x0000000000A0E000-memory.dmp
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Process: description ioc
- cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- spoolsv.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- svchost.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- spoolsv.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Process: description ioc
- svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Executes dropped EXE 4 IoCs
pid Process
- 2820 explorer.exe
- 2648 spoolsv.exe
- 2692 svchost.exe
- 1396 spoolsv.exe
Loads dropped DLL 4 IoCs
pid Process
- 1792 cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9.exe
- 2820 explorer.exe
- 2648 spoolsv.exe
- 2692 svchost.exe
yara_rule themida matched the following resources:
- behavioral1/memory/1792-0-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/files/0x00360000000149d0-7.dat
- behavioral1/memory/2820-11-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/files/0x000800000001538e-17.dat
- behavioral1/memory/2648-23-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/files/0x00080000000153fd-30.dat
- behavioral1/memory/2692-35-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/1792-43-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/1396-44-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/1396-49-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2648-51-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/1792-53-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2820-54-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2692-57-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2692-60-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2692-64-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2820-69-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2820-75-0x0000000000400000-0x0000000000A0E000-memory.dmp
Adds Run key to start application 2 TTPs 4 IoCs
Process: description ioc
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"
Checks whether UAC is enabled 5 IoCs
Process: description ioc
- cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- explorer.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- svchost.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Drops file in System32 directory 2 IoCs
Process: description ioc
- svchost.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe
- explorer.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process
- 1792 cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9.exe
- 2820 explorer.exe
- 2648 spoolsv.exe
- 2692 svchost.exe
- 1396 spoolsv.exe
Drops file in Windows directory 4 IoCs
Process: description ioc
- explorer.exe: File opened for modification C:\Windows\Resources\tjud.exe
- cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9.exe: File opened for modification \??\c:\windows\resources\themes\explorer.exe
- explorer.exe: File opened for modification \??\c:\windows\resources\spoolsv.exe
- spoolsv.exe: File opened for modification \??\c:\windows\resources\svchost.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
- 2652 schtasks.exe
- 1620 schtasks.exe
- 1532 schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (64 events in total; each process listed once with its event count)
- 1792 cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9.exe (17 events)
- 2820 explorer.exe (24 events)
- 2692 svchost.exe (23 events)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process
- 2820 explorer.exe
- 2692 svchost.exe
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process (each entry recorded twice)
- 1792 cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9.exe
- 2820 explorer.exe
- 2648 spoolsv.exe
- 2692 svchost.exe
- 1396 spoolsv.exe
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target (each row below is recorded four times in the report, 32 events in total)
- PID 1792 wrote to memory of 2820 (1792 cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9.exe, procid_target 28)
- PID 2820 wrote to memory of 2648 (2820 explorer.exe, procid_target 29)
- PID 2648 wrote to memory of 2692 (2648 spoolsv.exe, procid_target 30)
- PID 2692 wrote to memory of 1396 (2692 svchost.exe, procid_target 31)
- PID 2820 wrote to memory of 2704 (2820 explorer.exe, procid_target 32)
- PID 2692 wrote to memory of 2652 (2692 svchost.exe, procid_target 33)
- PID 2692 wrote to memory of 1620 (2692 svchost.exe, procid_target 38)
- PID 2692 wrote to memory of 1532 (2692 svchost.exe, procid_target 40)
Processes
PID 1792: C:\Users\Admin\AppData\Local\Temp\cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cbcfdd32a836531eedf06b413278288bdd85316fe3c6a148814084823beb09b9.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID 2820: \??\c:\windows\resources\themes\explorer.exe (child of 1792)
    Command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID 2648: \??\c:\windows\resources\spoolsv.exe (child of 2820)
      Command line: c:\windows\resources\spoolsv.exe SE
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID 2692: \??\c:\windows\resources\svchost.exe (child of 2648)
        Command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID 1396: \??\c:\windows\resources\spoolsv.exe (child of 2692)
          Command line: c:\windows\resources\spoolsv.exe PR
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx
        PID 2652: C:\Windows\SysWOW64\schtasks.exe (child of 2692)
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:11 /f
          - Creates scheduled task(s)
        PID 1620: C:\Windows\SysWOW64\schtasks.exe (child of 2692)
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:12 /f
          - Creates scheduled task(s)
        PID 1532: C:\Windows\SysWOW64\schtasks.exe (child of 2692)
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:13 /f
          - Creates scheduled task(s)
    PID 2704: C:\Windows\Explorer.exe (child of 2820)
      Command line: C:\Windows\Explorer.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (1)
Downloads
Download 1
Filesize: 2.5MB
MD5: 62699d50c9f2db18091aee3c48aedadb
SHA1: f1c73dd91c0059df0100e88c54b5b27263e38702
SHA256: 94a4c5953ad3ea319f531f691dea6a379c0f81fc4ab063effd706b794e6b09a2
SHA512: dde2724a82379fed0ff1eb7a2f5dd7aeef4285263a0cbb6134e1447c595614b8d45965143fbcc966ea25f4d51d5ce126ca47ddda251f66f951654edf0071a7f6
Download 2
Filesize: 2.5MB
MD5: 985a73a36daf4b1cd44c6459221c6143
SHA1: 04dbc3277d949e2985f9f9696de5dbb0fabcf239
SHA256: ffce369d01ced523c54c4e8bd91c42ff83f1bc00b93fcd9ce679e1a2787a36dc
SHA512: f34fab4df9984b5c39634295dd97f9b1c4a8221a86223f338cccd53c51bb38f2811372a78eb4516e7c3f4cbae24724ac91e1f1235178f859fe646263a80ba10f
Download 3
Filesize: 2.5MB
MD5: 986c536e72e312854da10fc313c48e2a
SHA1: 4785851459c940cb29578c631c97f3c72b2f8808
SHA256: ceec38904b7a77d668aab6c4dd65cbe98a0b76c702d144eb2efbc14312826efb
SHA512: bd1c99ab2e1fc194825d2cfd9803f662849196bc9e8d0afeeb59f3cddfe842ae88ac82b5b8a16a5782f80079bba188b08431f0aef0adf65949b05339ed270f05