Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-06-2024 23:48

General

  • Target

    8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe

  • Size

    2.5MB

  • MD5

    38b0a3344a4c27382d09d1d2b2488039

  • SHA1

    9884bbeb3e2310f8f17a2d801c63793ee526c8b8

  • SHA256

    8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd

  • SHA512

    937b233dd90600a33de4e1f13ecbbcd30431de5c32445c35da55c4bd9fdba0aadafb9803192114455f3bd74888e9aa885a10dfa3e6b964c15607b10f2331fdf8

  • SSDEEP

    49152:gxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxB:gxx9NUFkQx753uWuCyyxB

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Detects executables packed with Themida 19 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Themida packer 19 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe
    "C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1576
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1144
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2600
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2752
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:2936
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:50 /f
            5⤵
            • Creates scheduled task(s)
            PID:2160
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:51 /f
            5⤵
            • Creates scheduled task(s)
            PID:1052
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:52 /f
            5⤵
            • Creates scheduled task(s)
            PID:2456
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2644

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • \Windows\Resources\Themes\explorer.exe

      Filesize

      2.5MB

      MD5

      e80641e491fd0882bbfd7baaaf81e249

      SHA1

      a6ba085de48628abdde89886c65988a6cac39f58

      SHA256

      2d8dc214a051c8eacd7bd3879fc177d1a3c2a55cdaa782c1683339bce9919c85

      SHA512

      8d37f1d87c1ad68fe38bf4ba8c3927fc9dbde568300020478a060919783204cb146af85c008a69f3eaaef5150211066b6af090c58cdf56bfb13dc9497f49a166

    • \Windows\Resources\spoolsv.exe

      Filesize

      2.5MB

      MD5

      a64df44eabb624fd052168842f7d5029

      SHA1

      70bf29220126216e2a6d9b424e325a206614c9bc

      SHA256

      850b2e4d049005f92a9e3e31f1a5e39ac51a602868c39b2f5ef1394e592a786e

      SHA512

      b4298bc4a0f53deb16bb08b1c45da6d3a730b9d452630d6f4d9fb32e5df42d3d2faeef0f1d6e406668ac9a864a10edf8c6e30cb12bdd73b1be011b765a15e64d

    • \Windows\Resources\svchost.exe

      Filesize

      2.5MB

      MD5

      6e28cc56fc81181c8e36bcb3d952d947

      SHA1

      e6bca1de0464a580cf2662f0f9b0be93a59c2beb

      SHA256

      80c1eadd5a2f1c412f14cb67bfd9244303f728dcd065b5fce6e52a4e53d207ae

      SHA512

      c25b323d1999e062032c25c1adb5a4e18d9283c4f617bc6d9cacb83b848319d4a3b1d6d943cef33ca4f7861ed03cbf0012ce778d0ca4a4a68829e1165c6256e1

    • memory/1144-75-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/1144-67-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/1144-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/1144-20-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/1144-17-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/1144-58-0x00000000035F0000-0x0000000003BFE000-memory.dmp

      Filesize

      6.1MB

    • memory/1144-25-0x00000000035F0000-0x0000000003BFE000-memory.dmp

      Filesize

      6.1MB

    • memory/1144-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/1576-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/1576-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/1576-11-0x0000000003760000-0x0000000003D6E000-memory.dmp

      Filesize

      6.1MB

    • memory/1576-6-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2600-38-0x0000000003650000-0x0000000003C5E000-memory.dmp

      Filesize

      6.1MB

    • memory/2600-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2600-35-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2600-26-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2752-39-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2752-46-0x0000000003390000-0x000000000399E000-memory.dmp

      Filesize

      6.1MB

    • memory/2752-57-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2936-47-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2936-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB