Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/06/2024, 04:55

General

  • Target

    injector_3.exe

  • Size

    2.9MB

  • MD5

    46cae523a713b42a2725e391c380ff15

  • SHA1

    fb92db28887b5cdbfdcf5e2200e2a0c61052e03f

  • SHA256

    ddb0cb4678fd74a89202b5a6957b2a175c7b84332014dc524ff3f5e87a0185ae

  • SHA512

    54863687fe0c451f46cf97f095c71022da20abe4ddd8afef2c1b60d632099e8c9fc4d6e7b535844864c02a0a7b1c68a6a5639e376ee68cebc3a1693ca7df02fc

  • SSDEEP

    49152:axmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxWn+O93+xN:axx9NUFkQx753uWuCyyxWnruL

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 8 IoCs
  • Themida packer 20 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\injector_3.exe
    "C:\Users\Admin\AppData\Local\Temp\injector_3.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1904
    • \??\c:\users\admin\appdata\local\temp\injector_3.exe 
      c:\users\admin\appdata\local\temp\injector_3.exe 
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\SoftwareDistribution\Download\9xskv.exe
        "C:\Windows\SoftwareDistribution\Download\9xskv.exe" -map C:\Windows\SoftwareDistribution\Download\9xskv.sys
        3⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:2988
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2472
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2516
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2488
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2536
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetWindowsHookEx
              PID:2396
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:58 /f
              6⤵
              • Creates scheduled task(s)
              PID:888
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:59 /f
              6⤵
              • Creates scheduled task(s)
              PID:2460
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:00 /f
              6⤵
              • Creates scheduled task(s)
              PID:2344
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
          PID:2340

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      2.5MB

      MD5

      fab9af2dc32572d0f51c995b3b43a6af

      SHA1

      5e838e03052e9f32cc1f35af7109b17a290e0f66

      SHA256

      38fde2059272de13d19f9ad2e179172a08f7ce73ed52ec1451e37eb41d9b252a

      SHA512

      ca9e23b2d27644100cd2d376a890729f80dd6c7cfc714217cb81cb025283c5111ddec4b5f7592a3db46d321bfbdb531fb7db226087ff208fa464875e389c15ac

    • C:\Windows\Resources\Themes\icsys.icn.exe

      Filesize

      2.5MB

      MD5

      5685ed42d05d9ff1021eb30e050e932c

      SHA1

      2ab75b8adf05d52fac34ce0aeabfad1f5ba878dc

      SHA256

      670d920feb221e0d623e834b8de2f024884066f321dbe51496bd747d3ca39264

      SHA512

      51b4f5dc0f61e74760b82fff01079d6dbde598ec30bd57705aaf8123f2c0780387ae7951723220f8d8c114442446593afd0fa7de2de8530f4da1512495cb35e3

    • C:\Windows\Resources\svchost.exe

      Filesize

      2.5MB

      MD5

      9514b5b955f2cd19cd6a3b29129679e3

      SHA1

      04a0a2aa0222f868e1c34c193a6cd85d544e5f09

      SHA256

      2af3851633c44e953c049f21ccbe5e48f1a8610fa79d03e84fd0322b3d7c4889

      SHA512

      0d9153a5aec9a7031b9cb0601845fb2efd4ea3d9409099a87fd1f835097f74423f6b4b5d0060f3b708c2b365d1db318c40687e8cbd5fa966f7443b6bbfaee691

    • C:\Windows\SoftwareDistribution\Download\9xskv.exe

      Filesize

      260KB

      MD5

      083c6c05ac5875d0b6e997e894ca07bc

      SHA1

      69d0116998e8a70db5852fccb86d45975ce88a9a

      SHA256

      03aefd40698cafbd48138784f362fb9a36f726fb50f262ca40695729f7b553ca

      SHA512

      fb0b9994f9ddadd825476ed19a8299ef90536dae58b4f3087145ca4033a63d4ae0da944ac8bf4e71324e1b63af755ab1d82019e55de6377b00c9812ed57f3fdf

    • \Users\Admin\AppData\Local\Temp\injector_3.exe 

      Filesize

      309KB

      MD5

      14de2eca1cb8ec2454d48a37784c3df1

      SHA1

      43877e3c6cf8faf6095e984bc825972d378f1140

      SHA256

      bc026101c9a6975a8adb9aebd374a57a3f7cafc0e6f21e6bd4b52e60fb0fdd14

      SHA512

      b4ee51aa0b89bd461e45ff5fce47dadaa13b81aa8d01514800920b065fa9e7dc08801feae5bfe69b0e2663817a0cda97e087bb49861403e8d4aeee0997530fe7

    • \Windows\Resources\spoolsv.exe

      Filesize

      2.5MB

      MD5

      9db7496daa141463fceb77cc1b77dca4

      SHA1

      d2fe42a5ac17306b2a49ae98160c6cf3c73fa466

      SHA256

      ff4ea460671352ec555997a66a87c95425081ce269fc1186ee392ac743a1e77a

      SHA512

      ebfb7812813753168d8c07acf07af06754b336a5941464ccb8c06f839dbe84571ae34c60b2cbc7d5d71d5d112e59800b96aa3f91946bc85f6f2766df318933fc

    • memory/1904-1-0x0000000077780000-0x0000000077782000-memory.dmp

      Filesize

      8KB

    • memory/1904-75-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/1904-15-0x0000000003400000-0x0000000003A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/1904-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2396-72-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2396-62-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2472-27-0x0000000003840000-0x0000000003E4E000-memory.dmp

      Filesize

      6.1MB

    • memory/2472-16-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2472-76-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2488-73-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2488-51-0x00000000037C0000-0x0000000003DCE000-memory.dmp

      Filesize

      6.1MB

    • memory/2488-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2516-39-0x0000000003830000-0x0000000003E3E000-memory.dmp

      Filesize

      6.1MB

    • memory/2516-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2516-81-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2516-83-0x0000000003830000-0x0000000003E3E000-memory.dmp

      Filesize

      6.1MB

    • memory/2516-92-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2516-98-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2516-104-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2536-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2536-59-0x0000000003360000-0x000000000396E000-memory.dmp

      Filesize

      6.1MB

    • memory/2536-82-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2536-89-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB