Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-06-2024 07:09

General

  • Target

    b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe

  • Size

    2.5MB

  • MD5

    63ca0c5ebebb808b1f6c75fb1912616c

  • SHA1

    78ee18e27107f8bde55e8f3b8e8d4da563e52b66

  • SHA256

    b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee

  • SHA512

    e8e2be4ddca4c3e07f8f3b82bf2a8c75db18243254f5306d3fe74d5cb4b47d7a26888d8c63b9fba1f28ca64888e278b8a40d98a58bdcd1eb79a9c8451fc99e82

  • SSDEEP

    49152:hxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxH:hxx9NUFkQx753uWuCyyxH

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Detects executables packed with Themida 18 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Themida packer 18 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe
    "C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2368
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2204
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1216
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2152
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:2640
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:11 /f
            5⤵
            • Creates scheduled task(s)
            PID:2736
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:12 /f
            5⤵
            • Creates scheduled task(s)
            PID:1932
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:13 /f
            5⤵
            • Creates scheduled task(s)
            PID:852
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2448

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\Resources\svchost.exe

      Filesize

      2.5MB

      MD5

      e0773a13cc7c1eec6dcdb71a176623d0

      SHA1

      c9f1d61d7115e51a346ce87677343449cf72b3a9

      SHA256

      8bb0f5910d2b1cdc0e3bf154fa24e5ee957daccd443cc0e095ce116d2913be9a

      SHA512

      4ab1c0e36d91aa0af747b832123bdc5c6c08fdcbd7884bce70f8d12e59a1aa07bf57b65db8c6bf18fcb474870aa1721e8d9f40f5aab6b2b607fb6ecabbcc8fd8

    • \Windows\Resources\Themes\explorer.exe

      Filesize

      2.5MB

      MD5

      484237e764442e5b8017ffc8330f9514

      SHA1

      ece286e38ec31707329991a2685881d9ae1b86b8

      SHA256

      c1eba2910ff0c9e895c92fdbede33ddd623c77ffeb643f82f5dbfdefe94be4fa

      SHA512

      8454553433a1a00b5099727cbef442cbaa00e00b10cb7b818a91db2e2a783cede1213c43f71e438542f0bb37ffe716f063a9a4d32be5d1a2c84d00815dce6686

    • \Windows\Resources\spoolsv.exe

      Filesize

      2.5MB

      MD5

      21836b87711f1dfb58ea8a6ec1468376

      SHA1

      447f751568dcb911858d6bb6c8e348afe0dc62fd

      SHA256

      ee28a3f2c15622192cf12d3566bb965057e5b8f7960ec8b506e80d3fc40f7386

      SHA512

      f8913edaafc707e7a52ed13aa3c4f6d3bcd393d65c41aefffba2404b090aca05f0aae53415aee12af08259ff08e1627315da9436b5e9d118f43af12406bc92c9

    • memory/1216-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/1216-24-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/1216-35-0x0000000003680000-0x0000000003C8E000-memory.dmp

      Filesize

      6.1MB

    • memory/2152-80-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2152-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2152-43-0x0000000003510000-0x0000000003B1E000-memory.dmp

      Filesize

      6.1MB

    • memory/2152-57-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2204-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2204-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2204-22-0x00000000035B0000-0x0000000003BBE000-memory.dmp

      Filesize

      6.1MB

    • memory/2204-67-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2204-63-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2204-58-0x00000000035B0000-0x0000000003BBE000-memory.dmp

      Filesize

      6.1MB

    • memory/2368-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2368-11-0x00000000035B0000-0x0000000003BBE000-memory.dmp

      Filesize

      6.1MB

    • memory/2368-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2368-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2368-1-0x0000000077970000-0x0000000077972000-memory.dmp

      Filesize

      8KB

    • memory/2640-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2640-47-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB