Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-06-2024 22:17

General

  • Target

    5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe

  • Size

    2.5MB

  • MD5

    8cd04ae4856d169cae59d16a72b587f5

  • SHA1

    3a5e7c94b6d2469ae700a9d58c4c4a4507ea3fd0

  • SHA256

    5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969

  • SHA512

    df5f41ad7de876a28ebb85f1ebed238c2f888a2e5bb15f8058d7158750c34c4b2d0c229cb7a51f9facbad76af95493d6eff8c18f97a3291cd6d6aae589e9adf3

  • SSDEEP

    49152:MxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxU:Mxx9NUFkQx753uWuCyyxU

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Detects executables packed with Themida 18 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Themida packer 18 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe
    "C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1340
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3064
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2144
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2764
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:2832
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:19 /f
            5⤵
            • Creates scheduled task(s)
            PID:2540
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:20 /f
            5⤵
            • Creates scheduled task(s)
            PID:1648
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:21 /f
            5⤵
            • Creates scheduled task(s)
            PID:576
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2700

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\Resources\spoolsv.exe
      Filesize: 2.5MB
      MD5: 8f4c5125431da56365af82a612ed9059
      SHA1: e3ecb7c3e55f5fad19e293bbdcf3ad1563dc3955
      SHA256: 81521135ee0212156746a5ab7f9e9ab56bf23cd7efcd808f0e286b81d18aa301
      SHA512: eec0163d2715079ff2be150269dacee08f1df912ca3dbbdfe014323e9b451519e25f7d8b6c422955625f693bb6595d442e15dbbae53634e583109e11c5d611ce

    • \Windows\Resources\Themes\explorer.exe
      Filesize: 2.5MB
      MD5: 97564e26e9c554f6a3a9a9c71adafb99
      SHA1: 9d560a6a5b4e6fcfa4e157b2bdd51d3ef47e3a82
      SHA256: 8ddadd59e5b8979484fabd3c4be72c81b35151b3f5fb2b7adf3d6b184ad377c7
      SHA512: 1e55e5dcc0a9f06063e51d0b3933ddbf0c587429c17aa88d2be17cf17c6839bd362d502c538318e80a1f5540faa504883677040f02b6bf223359e24a3337143d

    • \Windows\Resources\svchost.exe
      Filesize: 2.5MB
      MD5: b2931571958c9af8b32bb6e9285a4d9c
      SHA1: 5e9802490c94944ad1b8d7b3c1e6eb3d5df09e1c
      SHA256: dea7f9dae26687ead751b9288a885aa8826514fe3fcee14ee0fa3fc24132f0f6
      SHA512: b1b21c2d824eb8db4598f9fd34d998fdfe0c36f0394b3bd658b55af213200114ad2e3f779ecf3cfe609b40afed73e2f729756cc74c4da83c6a9f67b7b42f11a2

    • memory/1340-1-0x0000000077D30000-0x0000000077D32000-memory.dmp (Filesize: 8KB)
    • memory/1340-53-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
    • memory/1340-11-0x0000000003690000-0x0000000003C9E000-memory.dmp (Filesize: 6.1MB)
    • memory/1340-0-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
    • memory/1340-44-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
    • memory/2144-51-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
    • memory/2144-35-0x00000000036D0000-0x0000000003CDE000-memory.dmp (Filesize: 6.1MB)
    • memory/2144-24-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
    • memory/2764-43-0x0000000003440000-0x0000000003A4E000-memory.dmp (Filesize: 6.1MB)
    • memory/2764-36-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
    • memory/2764-56-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
    • memory/2832-45-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
    • memory/2832-49-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
    • memory/3064-22-0x00000000037A0000-0x0000000003DAE000-memory.dmp (Filesize: 6.1MB)
    • memory/3064-12-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
    • memory/3064-54-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
    • memory/3064-57-0x00000000037A0000-0x0000000003DAE000-memory.dmp (Filesize: 6.1MB)
    • memory/3064-66-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
    • memory/3064-68-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
    • memory/3064-74-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)