Analysis
max time kernel
25s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted
22-07-2024 10:30
Static task
static1
Behavioral task
behavioral1
Sample
9d805397173fbb94a867a8bfbdfea660N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
9d805397173fbb94a867a8bfbdfea660N.exe
Resource
win10v2004-20240709-en
General
Target
9d805397173fbb94a867a8bfbdfea660N.exe
Size
494KB
MD5
9d805397173fbb94a867a8bfbdfea660
SHA1
0d1f08e58856b2a538b623399318545f022b440d
SHA256
29183c75f39e2489e27ccb917a198bbeb0e4fb3594f7d23ccc067cdac2fa763a
SHA512
342ab7ec48007b3e3bae35564b608154ae6a67d0b0e40b971f98ca9280cbab1a2b771185ce056d9e0b3fe4518ff8eb3761dfbc014415203fef6cb4198e3d9bc4
SSDEEP
12288:C3ma4bE/SPQHqkdTvL7Ff456p9HKuJC7D:C3b4bEiFCVMaX4D
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  9d805397173fbb94a867a8bfbdfea660N.exe
Executes dropped EXE 1 IoCs
pid  Process
2800  s8948.exe
Loads dropped DLL 4 IoCs
pid  Process
2808  9d805397173fbb94a867a8bfbdfea660N.exe
2808  9d805397173fbb94a867a8bfbdfea660N.exe
2808  9d805397173fbb94a867a8bfbdfea660N.exe
2808  9d805397173fbb94a867a8bfbdfea660N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 2 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  9d805397173fbb94a867a8bfbdfea660N.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  9d805397173fbb94a867a8bfbdfea660N.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid  Process
2808  9d805397173fbb94a867a8bfbdfea660N.exe
2808  9d805397173fbb94a867a8bfbdfea660N.exe
2800  s8948.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description  pid  Process
Token: SeDebugPrivilege  2800  s8948.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid  Process
2800  s8948.exe
2800  s8948.exe
Suspicious use of WriteProcessMemory 4 IoCs
description  pid  Process  procid_target
PID 2808 wrote to memory of 2800  2808  9d805397173fbb94a867a8bfbdfea660N.exe  30
PID 2808 wrote to memory of 2800  2808  9d805397173fbb94a867a8bfbdfea660N.exe  30
PID 2808 wrote to memory of 2800  2808  9d805397173fbb94a867a8bfbdfea660N.exe  30
PID 2808 wrote to memory of 2800  2808  9d805397173fbb94a867a8bfbdfea660N.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\9d805397173fbb94a867a8bfbdfea660N.exe
"C:\Users\Admin\AppData\Local\Temp\9d805397173fbb94a867a8bfbdfea660N.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2808
  C:\Users\Admin\AppData\Local\Temp\n8948\s8948.exe
  "C:\Users\Admin\AppData\Local\Temp\n8948\s8948.exe" ins.exe /e 12348374 /u 51938065-e47c-4b97-bfda-2a105bc06f2f /v "C:\Users\Admin\AppData\Local\Temp\9d805397173fbb94a867a8bfbdfea660N.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2800
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
284KB
MD5
9e24fe7dce5a39ec33319909e3e2e9de
SHA1
492d86466cd12c98803a262672cb5171f341e8d1
SHA256
05cdd536227ac4ebab76770ed3b2bbc364deb8cfdc1f6a6f598ecb86aa3d268f
SHA512
155b353506ef81cf0149178f8dc4b75575dbd0a2d2912038dac1278d8db454fb80edfd84958ebfeb6a3ef9c5de19af1284224bf7bb4af7113c863c3b1be1f4e1