Analysis

  • max time kernel
    32s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    12-06-2024 12:32

General

  • Target

    Ana.exe

  • Size

    2.1MB

  • MD5

    f571faca510bffe809c76c1828d44523

  • SHA1

    7a3ca1660f0a513316b8cd5496ac7dbe82f0e0c2

  • SHA256

    117d7af0deb40b3fe532bb6cbe374884fa55ed7cfe053fe698720cdccb5a59cb

  • SHA512

    a08bca2fb1387cc70b737520d566c7117aa3fdb9a52f5dbb0bb7be44630da7977882d8c808cbee843c8a180777b4ac5819e8bafda6b2c883e380dc7fb5358a51

  • SSDEEP

    49152:OwVYlfBUDiZx8Fa/Q0NuB3btlnCItWNSwoy:OxPUDQmso0NuBZlnCItM

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 11 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ana.exe
    "C:\Users\Admin\AppData\Local\Temp\Ana.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Users\Admin\AppData\Local\Temp\AV.EXE
      "C:\Users\Admin\AppData\Local\Temp\AV.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Users\Admin\AppData\Roaming\RtlDriver32.exe
        "C:\Users\Admin\AppData\Roaming\RtlDriver32.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2416
    • C:\Users\Admin\AppData\Local\Temp\AV2.EXE
      "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2384
      • C:\pH17766MjGaO17766\pH17766MjGaO17766.exe
        "\pH17766MjGaO17766\pH17766MjGaO17766.exe" "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
        3⤵
        • Executes dropped EXE
        PID:2304
    • C:\Users\Admin\AppData\Local\Temp\DB.EXE
      "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
      • C:\Windows\SysWOW64\cmd.exe
        /c C:\Users\Admin\AppData\Local\Temp\~unins8352.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
        3⤵
          PID:1972
      • C:\Users\Admin\AppData\Local\Temp\EN.EXE
        "C:\Users\Admin\AppData\Local\Temp\EN.EXE"
        2⤵
        • Executes dropped EXE
        PID:2624
      • C:\Users\Admin\AppData\Local\Temp\SB.EXE
        "C:\Users\Admin\AppData\Local\Temp\SB.EXE"
        2⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of AdjustPrivilegeToken
        PID:2740

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Pre-OS Boot

    1
    T1542

    Bootkit

    1
    T1542.003

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    2
    T1112

    Pre-OS Boot

    1
    T1542

    Bootkit

    1
    T1542.003

    Subvert Trust Controls

    1
    T1553

    Install Root Certificate

    1
    T1553.004

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\AV2
      Filesize

      208B

      MD5

      a22bf3a89a98c7373a035c9310c6a6c1

      SHA1

      10435cdd3a83b66e6ff3fb2b3b7c614c36895e11

      SHA256

      f794e0ff4feb98193a122c1baedca3747a7f9a1a49a692ca6e2e48dcde74ce6e

      SHA512

      ecb1cf1cf9977f2accaff25ce8416d6af06d578bf694f93eb1fd604f548269c763b9376e8aea6d26d9b72170b73083636dc26f0bab46dc0f3aae655497633387

    • C:\Users\Admin\AppData\Local\Temp\AV2.EXE
      Filesize

      368KB

      MD5

      014578edb7da99e5ba8dd84f5d26dfd5

      SHA1

      df56d701165a480e925a153856cbc3ab799c5a04

      SHA256

      4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529

      SHA512

      bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

    • C:\Users\Admin\AppData\Local\Temp\DB.EXE
      Filesize

      243KB

      MD5

      c6746a62feafcb4fca301f606f7101fa

      SHA1

      e09cd1382f9ceec027083b40e35f5f3d184e485f

      SHA256

      b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6

      SHA512

      ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

    • C:\Users\Admin\AppData\Local\Temp\EN.EXE
      Filesize

      6KB

      MD5

      621f2279f69686e8547e476b642b6c46

      SHA1

      66f486cd566f86ab16015fe74f50d4515decce88

      SHA256

      c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38

      SHA512

      068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

    • C:\Users\Admin\AppData\Local\Temp\tsa.crt
      Filesize

      1010B

      MD5

      6e630504be525e953debd0ce831b9aa0

      SHA1

      edfa47b3edf98af94954b5b0850286a324608503

      SHA256

      2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5

      SHA512

      bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

    • \Users\Admin\AppData\Local\Temp\AV.EXE
      Filesize

      1.1MB

      MD5

      f284568010505119f479617a2e7dc189

      SHA1

      e23707625cce0035e3c1d2255af1ed326583a1ea

      SHA256

      26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1

      SHA512

      ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

    • \Users\Admin\AppData\Local\Temp\SB.EXE
      Filesize

      224KB

      MD5

      9252e1be9776af202d6ad5c093637022

      SHA1

      6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8

      SHA256

      ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6

      SHA512

      98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

    • \pH17766MjGaO17766\pH17766MjGaO17766.exe
      Filesize

      368KB

      MD5

      09410a8cd88eb66df981caa816588043

      SHA1

      1c398bee1b5d82323a6187c49269b677ddb01378

      SHA256

      669a2d270f73cfe06a45343c82e3f0ba4a6118b90b2332760ffd086a89880872

      SHA512

      48818c3826d46dee7675650ecf7b25971d9ce8ce2876f6b50cd68811a2363bb5481747b516b3eaad35ef3399dce864b139618062d0d3b05d63f14bb62f615d9d

    • memory/1752-56-0x0000000000690000-0x00000000006D0000-memory.dmp
      Filesize

      256KB

    • memory/2012-47-0x0000000000500000-0x000000000050A000-memory.dmp
      Filesize

      40KB

    • memory/2012-44-0x0000000000500000-0x0000000000545000-memory.dmp
      Filesize

      276KB

    • memory/2012-46-0x0000000000500000-0x000000000050A000-memory.dmp
      Filesize

      40KB

    • memory/2384-83-0x00000000003C0000-0x00000000003C1000-memory.dmp
      Filesize

      4KB

    • memory/2384-74-0x0000000000400000-0x00000000004C3000-memory.dmp
      Filesize

      780KB

    • memory/2384-66-0x0000000000400000-0x00000000004C3000-memory.dmp
      Filesize

      780KB

    • memory/2624-48-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

    • memory/2624-68-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

    • memory/2660-29-0x00000000004B0000-0x0000000000543000-memory.dmp
      Filesize

      588KB

    • memory/2660-37-0x00000000004B0000-0x0000000000543000-memory.dmp
      Filesize

      588KB

    • memory/2660-38-0x00000000004B0000-0x0000000000543000-memory.dmp
      Filesize

      588KB

    • memory/2660-45-0x0000000000400000-0x0000000000445000-memory.dmp
      Filesize

      276KB

    • memory/2740-69-0x0000000000400000-0x0000000000464000-memory.dmp
      Filesize

      400KB