Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
12-06-2024 02:49
Behavioral task
behavioral1
Sample
b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe
Resource
win7-20240419-en
windows7-x64
17 signatures
150 seconds
Behavioral task
behavioral2
Sample
b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
15 signatures
150 seconds
General
-
Target
b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe
-
Size
2.5MB
-
MD5
696cd93127a61b0aaa93d5c45d2ca6f5
-
SHA1
b5434473eed20cbd7611a4de443e6d724c63a3be
-
SHA256
b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6
-
SHA512
1609e0e835eae923416f491565e5e370cbe95a2de68df5ec4ace48010ae9766e2c53f1f8ffa3fcab2256abd4e25bb4e2150a1a1312bf964bce89c089d714cf75
-
SSDEEP
49152:MxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxn:Mxx9NUFkQx753uWuCyyxn
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Detects executables packed with Themida 17 IoCs
resource yara_rule behavioral1/memory/2444-0-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/files/0x003a000000013362-7.dat INDICATOR_EXE_Packed_Themida behavioral1/memory/2444-11-0x0000000003770000-0x0000000003D7E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/3000-12-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/files/0x0009000000013a15-17.dat INDICATOR_EXE_Packed_Themida behavioral1/memory/2808-24-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/files/0x0009000000013a65-34.dat INDICATOR_EXE_Packed_Themida behavioral1/memory/2652-36-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2708-44-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2708-51-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2808-50-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2444-52-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/3000-53-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2652-54-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/3000-58-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/3000-64-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/3000-66-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe -
Executes dropped EXE 4 IoCs
pid Process 3000 explorer.exe 2808 spoolsv.exe 2652 svchost.exe 2708 spoolsv.exe -
Loads dropped DLL 4 IoCs
pid Process 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 3000 explorer.exe 2808 spoolsv.exe 2652 svchost.exe -
resource yara_rule behavioral1/memory/2444-0-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/files/0x003a000000013362-7.dat themida behavioral1/memory/2444-11-0x0000000003770000-0x0000000003D7E000-memory.dmp themida behavioral1/memory/3000-12-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/files/0x0009000000013a15-17.dat themida behavioral1/memory/2808-24-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/files/0x0009000000013a65-34.dat themida behavioral1/memory/2652-36-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2708-44-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2708-51-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2808-50-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2444-52-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/3000-53-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2652-54-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/3000-58-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/3000-64-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/3000-66-0x0000000000400000-0x0000000000A0E000-memory.dmp themida -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 3000 explorer.exe 2808 spoolsv.exe 2652 svchost.exe 2708 spoolsv.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2524 schtasks.exe 1644 schtasks.exe 1520 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 3000 explorer.exe 3000 explorer.exe 3000 explorer.exe 3000 explorer.exe 3000 explorer.exe 3000 explorer.exe 3000 explorer.exe 3000 explorer.exe 3000 explorer.exe 3000 explorer.exe 3000 explorer.exe 3000 explorer.exe 3000 explorer.exe 3000 explorer.exe 3000 explorer.exe 3000 explorer.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 3000 explorer.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 2652 svchost.exe 3000 explorer.exe 3000 explorer.exe 3000 explorer.exe 2652 svchost.exe 3000 explorer.exe 2652 svchost.exe 2652 svchost.exe 3000 explorer.exe 2652 svchost.exe 3000 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2652 svchost.exe 3000 explorer.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 3000 explorer.exe 3000 explorer.exe 2808 spoolsv.exe 2808 spoolsv.exe 2652 svchost.exe 2652 svchost.exe 2708 spoolsv.exe 2708 spoolsv.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2444 wrote to memory of 3000 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 28 PID 2444 wrote to memory of 3000 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 28 PID 2444 wrote to memory of 3000 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 28 PID 2444 wrote to memory of 3000 2444 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 28 PID 3000 wrote to memory of 2808 3000 explorer.exe 29 PID 3000 wrote to memory of 2808 3000 explorer.exe 29 PID 3000 wrote to memory of 2808 3000 explorer.exe 29 PID 3000 wrote to memory of 2808 3000 explorer.exe 29 PID 2808 wrote to memory of 2652 2808 spoolsv.exe 30 PID 2808 wrote to memory of 2652 2808 spoolsv.exe 30 PID 2808 wrote to memory of 2652 2808 spoolsv.exe 30 PID 2808 wrote to memory of 2652 2808 spoolsv.exe 30 PID 2652 wrote to memory of 2708 2652 svchost.exe 31 PID 2652 wrote to memory of 2708 2652 svchost.exe 31 PID 2652 wrote to memory of 2708 2652 svchost.exe 31 PID 2652 wrote to memory of 2708 2652 svchost.exe 31 PID 3000 wrote to memory of 2692 3000 explorer.exe 32 PID 3000 wrote to memory of 2692 3000 explorer.exe 32 PID 3000 wrote to memory of 2692 3000 explorer.exe 32 PID 3000 wrote to memory of 2692 3000 explorer.exe 32 PID 2652 wrote to memory of 2524 2652 svchost.exe 33 PID 2652 wrote to memory of 2524 2652 svchost.exe 33 PID 2652 wrote to memory of 2524 2652 svchost.exe 33 PID 2652 wrote to memory of 2524 2652 svchost.exe 33 PID 2652 wrote to memory of 1644 2652 svchost.exe 38 PID 2652 wrote to memory of 1644 2652 svchost.exe 38 PID 2652 wrote to memory of 1644 2652 svchost.exe 38 PID 2652 wrote to memory of 1644 2652 svchost.exe 38 PID 2652 wrote to memory of 1520 2652 svchost.exe 40 PID 2652 wrote to memory of 1520 2652 svchost.exe 40 PID 2652 wrote to memory of 1520 2652 svchost.exe 40 PID 2652 wrote to memory of 1520 2652 svchost.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe"C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2708
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:52 /f5⤵
- Creates scheduled task(s)
PID:2524
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:53 /f5⤵
- Creates scheduled task(s)
PID:1644
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:54 /f5⤵
- Creates scheduled task(s)
PID:1520
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵PID:2692
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5558da7f5602df12109718183b543070a
SHA1a7ea5997117f1d499468a85ed812abcbc1828545
SHA256531d343279943dc74a3f8d94459c2f576b7dcbebcdcd9b90c65542bd5e6d7229
SHA512e7a34d9893a40167480ee40f58a91366ef3aed3365ddac6f7e2eaf37551c65d1a46ec2f360a64f15df9bd377bd596550b61aebb8c5f92dd9a435248971d4ad28
-
Filesize
2.5MB
MD525fd0919c5f976a7018db1d3d74bf512
SHA1c5636c19231b1b9e469fd5a6d38cc9009a936557
SHA25617bb75b74873a5fa057e13f359dc52b11947943c60064bba8c4e80de40642ee5
SHA51219e3b35a60993351c526bd962be29f6c54fae7a754a56b44e9593b83943af7718f67b01300dfa71cfc92e696f2408320e3b12e77c9b1e37476d3e89707aa26e3
-
Filesize
2.5MB
MD500788ff7a0902e96f8683df5f72d542d
SHA13ef66edde5964b41a0990bd778caf0fb853ccbbb
SHA256cb9927162b1203811170fc22dded663f8da12c911d6c1b119751138402ab1811
SHA5127d838e83901e64042b427b769effb9074a6bde0dec66e94252eb1fe0f9b3e4de2934b903bb738b7eb6929841be1b80e59b75ae71b038b905c5d460fb93e0bacd